Didier Stevens

Tuesday 30 September 2008

Secret Question, Public Answer

Filed under: Vulnerabilities — Didier Stevens @ 9:58

Due to the current media attention, I’m updating and posting this old draft about secret questions.

First, let’s get a pedantic observation out of the way: Secret Question is a misnomer. If you think about it, it’s the answer that is secret, not the question.

The problem with secret questions is that they are often a backdoor to your account. When you use a strong password, the answer to your secret question will be easier to guess than your password, so your account is effectively protected by weak credentials.
If the sole purpose of the secret question is to reset your password (or e-mail it to you), then don’t use it: just type some random characters for an answer and forget about it. You won’t be able to get into your account using the secret question backdoor, but neither will attackers.
If you’re afraid that you might forget your password, write it down and keep it safe (I recommend KeePass if you need a password manager).

Now if you definitely want a backdoor because you don’t want to write anything down and don’t trust your memory, there are a couple of options open to you.
If you’re not able to make up your own secret question, but have to choose one from a predefined list, then provide an answer that you can derive from the question alone (think about it: your secret answer doesn’t have to make sense, it just has to be secret). An example:
Q: Name of first pet?
A: Four
Why four? Because the question is a sentence of 4 words. This way you don’t have to remember your secret answer, just the rule to derive the answer from the question. You can reuse the same rule for different accounts; it will generate different secret answers for different secret questions.

If you can provide your own secret question, then I recommend using math. An example:
Q: How much is 3 + 7?
A: 20
Why 20? Because your secret rule is to double the result to obtain the correct answer. 3 + 7 equals 10, and 10 times 2 equals 20.

Secret answer rules can be as hard as you want, but complex rules are more likely to be forgotten…
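The two derivation rules above, and the random-characters recommendation, as an added Python example (this is not code from the original post; the function names, the spelled-out-number table, the 94-symbol alphabet and the operand bound of 100 are my own assumptions). It also compares the guess space of each strategy, which is the post's point that a rule-derived answer is easier to guess than a strong password:

```python
"""Added example: derive a secret-question answer from a fixed rule, generate
a random answer instead, and compare how many guesses each strategy leaves
an attacker. Helper names and bounds are assumptions, not the post's code."""
import math
import re
import secrets
import string

# Spelled-out numbers so the word-count rule yields "Four", as in the post.
_WORDS = ["zero", "one", "two", "three", "four", "five", "six", "seven",
          "eight", "nine", "ten", "eleven", "twelve", "thirteen", "fourteen",
          "fifteen", "sixteen", "seventeen", "eighteen", "nineteen", "twenty"]


def word_count_rule(question: str) -> str:
    """Post's first rule: the answer is the number of words in the question."""
    n = len(question.split())
    return _WORDS[n].capitalize() if n < len(_WORDS) else str(n)


def doubled_sum_rule(question: str) -> str:
    """Post's second rule: add the numbers in the question, then double the sum.
    Assumes the question is an addition ('How much is 3 + 7?')."""
    numbers = [int(x) for x in re.findall(r"-?\d+", question)]
    return str(2 * sum(numbers))


def random_answer(length: int = 20,
                  alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Post's first recommendation: a random string you store in a password
    manager and never expect to remember. secrets gives CSPRNG output."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_guess_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random answer of the given length."""
    return length * math.log2(alphabet_size)


def doubled_sum_guess_space_bits(max_operand: int = 100) -> float:
    """Distinct answers the doubling rule can produce when both operands lie in
    0..max_operand: the even numbers 0..2*max_operand, i.e. 2*max_operand + 1
    values. That is the whole search space once the rule is known or guessed."""
    return math.log2(2 * max_operand + 1)


def word_count_guess_space_bits(min_words: int = 2, max_words: int = 10) -> float:
    """Distinct answers the word-count rule can produce for typical questions
    (assumed 2 to 10 words long)."""
    return math.log2(max_words - min_words + 1)


if __name__ == "__main__":
    print(word_count_rule("Name of first pet?"))       # Four
    print(doubled_sum_rule("How much is 3 + 7?"))      # 20
    print(random_answer())
    print(f"word-count rule : {word_count_guess_space_bits():.1f} bits")
    print(f"doubled-sum rule: {doubled_sum_guess_space_bits():.1f} bits")
    print(f"random 20 chars : {random_guess_space_bits(94, 20):.1f} bits")
```

Under these assumptions the rule-derived answers sit below 8 bits of guess space, while a 20-character random answer is above 130 bits; the rules trade recall for strength, and the random answer kept in a password manager is the only one comparable to a real password.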

To summarize: disable secret questions, and store and protect your credentials.

This post comes with a complementary cartoon.

4 Comments »

  1. >(I recommend KeePass if you need a password manager)

    BTW it is possible to use a password database created with Windows’ KeePass on Linux too, with KeePassX (www.keepassx.org)

    >If you can provide your own secret question, then I recommend to use math.

    It’s easier to brute-force: trying 0-1000 takes only minutes, and numbers 0-100 are in every brute-force dictionary anyway.

    Comment by unary — Tuesday 30 September 2008 @ 11:13

  2. >BTW it is possible use password database created with Windows’ KeePass on Linux too, with KeePassX (www.keepassx.org)
    Thanks, that’s one of the reasons why I recommend KeePass, there are even versions for PPC/Smart phone, Windows PE, … http://keepass.info/download.html

    >its easier to bruteforce, trying 0-1000 takes only minutes, numbers 0-100 are in every bruteforce dictionary anyway.
    Correct, that’s why my first recommendation is to disable secret questions by typing a string of random characters. Secret questions are not safe, avoid them.

    Comment by Didier Stevens — Tuesday 30 September 2008 @ 11:31

  3. I take the random characters approach and forget about it.

    As for keeping my password safe – I prefer to use the hashing method. Check out the Firefox addons Passmaker and Passhash. The concept of a database-less password system has a few advantages which I like. Unfortunately no one seems to have done a proper (3rd party) analysis of any such system, although I can imagine a few attacks.

    Comment by Sandro Gauci — Tuesday 30 September 2008 @ 18:40

  4. I’ve used Passwordmaker for a while when I switched to Firefox, but I didn’t like the fact that I had to restrict my character set to the least common denominator of all systems I use.

    Comment by Didier Stevens — Tuesday 30 September 2008 @ 19:39
