Security Questions: It’s No Secret

May 26, 2009

In a previous post here, “I’ve Nothing to Hide”, I talked a little about some of the traditional approaches to verifying a person’s identity:

At the root of many traditional methods for verifying a person’s identity is the notion that the only person likely to know a large number of disparate facts about a particular individual is the individual himself.

I was reminded of that today, when a colleague sent me a note about a paper published by Microsoft Research on the common practice of asking users to provide answers to selected “security questions” as a back-up means of identification, to be used, for example, if you forget your password.  The paper is being published in the Proceedings of the 2009 IEEE Symposium on Security and Privacy, and is by Schechter, Brush, and Egelman [PDF here].  They focused specifically on the use of security questions by four Web mail services: AOL, GMail (Google), Microsoft, and Yahoo!.

Many of us who have done work in the security area have had a rather jaundiced view of this practice.  Early on, the most common such security question was “What is your mother’s maiden name?”, or some variant thereof.  In at least some states, this information is on birth certificates, and it is often known to someone’s acquaintances; it is hardly a closely-guarded secret, generally speaking.  We’ve tried, over time, to get people to choose passwords that are not easily guessed; some of these questions amount to providing a secondary password that is less secure than the primary one.

I can cite another example with which I’m personally familiar.  Back in the early 1990s, while I was living in London, there was a bit of a political flap because some journalists had obtained details of the Chancellor of the Exchequer’s personal credit card account; and they had published some items that could be given a less-than-charitable interpretation.  In this particular case, the “security” for telephone account inquiries was that the user had to provide the account holder’s date of birth.  In the case of a prominent public official, this was not particularly difficult to discover (a library copy of Who’s Who would do nicely).

The authors of the paper found that the skepticism about the use of security questions was quite justified.  From the abstract:

We ran a user study to measure the reliability and security of the questions used by all four webmail providers. We asked participants to answer these questions and then asked their acquaintances to guess their answers. Acquaintances with whom participants reported being unwilling to share their webmail passwords were able to guess 17% of their answers. Participants forgot 20% of their own answers within six months.

As I’ve noted above, part of the problem stems from the use of questions whose answers are obtainable from other sources.  Part also comes from using questions which have a very limited set of possible answers (for example, “What is your favorite color?”), or questions whose answers can be inferred from other information (such as geographical location). Even allowing users to pick their own questions doesn’t seem to help much.

If you use or sign up for a service that uses these security questions, my advice is to treat them as what they are: requests for an alternative password.  Pick a value for your mother’s maiden name, for example, which is not the real answer, and is otherwise difficult to guess.  Write down the answer and keep it in a safe place.
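To put some numbers on the “alternative password” advice, here is a small added example (my own illustration, not code from the paper or from any of the four providers). It compares the size of the answer space for a question like “What is your favorite color?” with that of a randomly generated answer, and generates such an answer with a cryptographically secure random source. The colour list and the alphabet are constructed for the example; the point is that a random value you write down and store safely is a far stronger secondary password than any true answer.

```python
import math
import secrets
import string

# Constructed sample of plausible "favorite color" answers (illustration only).
COMMON_COLORS = ["red", "blue", "green", "yellow", "orange", "purple",
                 "black", "white", "pink", "brown", "gray"]

# Alphabet used for generated answers: letters and digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def answer_space_bits(n_answers: int) -> float:
    """Entropy, in bits, of a question whose answer is one of n_answers
    equally likely values. A real attacker does better than this because
    answers are not uniformly distributed, so this is an upper bound."""
    return math.log2(n_answers)


def random_answer(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Generate a fake 'answer' to use in place of a real, discoverable fact.
    secrets.choice draws from the OS CSPRNG, unlike random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_answer_bits(length: int = 16, alphabet: str = ALPHABET) -> float:
    """Entropy, in bits, of a uniformly random answer of the given length."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    print(f"'favorite color' (constructed list): "
          f"{answer_space_bits(len(COMMON_COLORS)):.1f} bits")
    fake = random_answer()
    print(f"generated answer: {fake!r}  ({random_answer_bits():.1f} bits)")
```

Run it and the contrast is stark: a dozen colours give roughly 3.5 bits, i.e. a handful of guesses, while a 16-character random answer is well beyond online guessing. The generated value has to be recorded somewhere safe, exactly as the post advises, since it is not something you will remember.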

Update Tuesday 23:15

Bruce Schneier also has a note on this in his blog, “Schneier on Security”.


OpenOffice 3.1

May 26, 2009

Earlier this month, the Open Office project released version 3.1 of the OpenOffice.org software suite.  For those who are not familiar with this package, it is intended to be an alternative to Microsoft Office™ or other office productivity software.  It includes several components:

  • Writer for word processing
  • Calc for spreadsheets
  • Chart for, well, charts and graphs
  • Impress for presentations
  • Base for simple database applications

It does a pretty good job of reading and writing Microsoft Office files, and can also import a number of legacy formats, like those used by WordPerfect™.   One useful feature that is not included in many other alternatives is the ability to export a document directly as a PDF file.  The project is sponsored by Sun Microsystems, and the software is distributed for free under an open-source license.

The new version has some useful functional improvements, and is generally faster than previous versions, especially with relatively complex spreadsheets.  The project site has a summary of changes and new features, and you can download the software here.

