In a previous post here, “I’ve Nothing to Hide”, I talked a little about some of the traditional approaches to verifying a person’s identity:
At the root of many traditional methods for verifying a person’s identity is the notion that the only person likely to know a large number of disparate facts about a particular individual is the individual himself.
I was reminded of that today, when a colleague sent me a note about a paper published by Microsoft Research on the common practice of asking users to provide answers to selected “security questions” as a back-up means of identification, to be used, for example, if you forget your password. The paper is being published in the Proceedings of the 2009 IEEE Symposium on Security and Privacy, and is by Schechter, Brush, and Egelman [PDF here]. They focused specifically on the use of security questions by four Web mail services: AOL, GMail (Google), Microsoft, and Yahoo!.
Many of us who have done work in the security area have had a rather jaundiced view of this practice. Early on, the most common such security question was “What is your mother’s maiden name?”, or some variant thereof. In at least some states, this information is on birth certificates, and it is often known to someone’s acquaintances; it is hardly a closely-guarded secret, generally speaking. We’ve tried, over time, to get people to choose passwords that are not easily guessed; some of these questions amount to providing a secondary password that is less secure than the primary one.
I can cite another example with which I’m personally familiar. Back in the early 1990s, while I was living in London, there was a bit of a political flap because some journalists had obtained details of the Chancellor of the Exchequer’s personal credit card account; and they had published some items that could be given a less-than-charitable interpretation. In this particular case, the “security” for telephone account inquiries was that the user had to provide the account holder’s date of birth. In the case of a prominent public official, this was not particularly difficult to discover (a library copy of Who’s Who would do nicely).
The authors of the paper found that the skepticism about the use of security questions was quite justified. From the abstract:
We ran a user study to measure the reliability and security of the questions used by all four webmail providers. We asked participants to answer these questions and then asked their acquaintances to guess their answers. Acquaintances with whom participants reported being unwilling to share their webmail passwords were able to guess 17% of their answers. Participants forgot 20% of their own answers within six months.
As I’ve noted above, part of the problem stems from the use of questions whose answers are obtainable from other sources. Part also comes from using questions which have a very limited set of possible answers (for example, “What is your favorite color?”), or questions whose answers can be inferred from other information (such as geographical location). Even allowing users to pick their own questions doesn’t seem to help much.
If you use or sign up for a service that uses these security questions, my advice is to treat them as what they are: requests for an alternative password. Pick a value for your mother’s maiden name, for example, which is not the real answer, and is otherwise difficult to guess. Write down the answer and keep it in a safe place.
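To put numbers on the two points above (a question with a small answer set is easy to guess, and a randomly chosen “answer” is just a second password), here is an added example in Python. It is not code from the paper or from this blog, and the favourite-colour percentages in it are constructed for illustration, not survey data. It computes how much of the population a guesser who simply tries the most popular answers in order can cover within a given number of attempts, and compares that with a replacement answer drawn at random from a large alphabet.

```python
import math
import secrets
import string

# Constructed, illustrative answer distribution for "What is your favorite color?"
# (made-up percentages; they only show the shape of the problem).
FAVORITE_COLOR = {
    "blue": 0.35, "green": 0.20, "red": 0.15,
    "other": 0.12, "purple": 0.10, "black": 0.08,
}

RANDOM_ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols


def shannon_entropy_bits(dist):
    """Shannon entropy of an answer distribution, in bits."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def min_entropy_bits(dist):
    """Min-entropy: how hard the single most likely answer is to guess."""
    return -math.log2(max(dist.values()))


def guess_success_probability(dist, attempts):
    """Probability that a guesser who tries answers in order of popularity
    (the best strategy with no other information about the person) succeeds
    within `attempts` tries.  A lockout after `attempts` failures still
    leaves this much of the user population exposed."""
    ranked = sorted(dist.values(), reverse=True)
    return sum(ranked[:attempts])


def random_answer(length=16, alphabet=RANDOM_ALPHABET):
    """A replacement 'answer' chosen uniformly at random: in effect a second
    password, to be written down and kept somewhere safe, as the post advises."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_answer_bits(length=16, alphabet_size=len(RANDOM_ALPHABET)):
    """Entropy of a uniformly random answer of the given length."""
    return length * math.log2(alphabet_size)


def compare(dist, attempts=3, length=16):
    """Exposure of a real-answer question versus a random replacement answer,
    for a guesser allowed `attempts` tries."""
    return {
        "real_answer_shannon_bits": shannon_entropy_bits(dist),
        "real_answer_min_entropy_bits": min_entropy_bits(dist),
        "real_answer_success": guess_success_probability(dist, attempts),
        "random_answer_bits": random_answer_bits(length),
        "random_answer_success": attempts / len(RANDOM_ALPHABET) ** length,
    }


if __name__ == "__main__":
    for key, value in compare(FAVORITE_COLOR).items():
        print(f"{key:32s} {value:.4g}")
    print("example replacement answer:", random_answer())
```

With the constructed distribution, three guesses already cover 70% of users, and the question carries roughly 2.4 bits of entropy, against more than 80 bits for a 16-character random answer; the same calculation applies to any question whose answers cluster on a few popular values.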
Update Tuesday 23:15
Bruce Schneier also has a note on this in his blog, “Schneier on Security”.