Wednesday, August 25, 2010

The Weakest Link: Password Reminders

Security vs. ease of use: it is always a tradeoff.

I always use an example of a car security system in class. If I could GUARANTEE that no one could steal your car, and it wouldn't be expensive to install, you'd probably go for it, right?

What if I then told you it would take 90 minutes to get into the car? At that point, the security isn't worth it.

Generally, when you sign up for an account, you are given very few choices for password reminder questions. For example: what is your mother's maiden name? Or, where were you born?

The problem is that the answers to many of these questions can be found on social networking sites or are simply known to the people around you. For example, if you friend your mother, everyone who is a friend of yours now knows the answer to that security question, especially if you use the Facebook "related to" option to show she is your mother. "Where were you born?" can often be guessed even without Facebook. Where I went to high school, I would guess that most of the students were born in the same hospital, and in more rural areas that isn't as tough a question as you might think. A good private investigator might chat you up in a bar to find out the answer to "what was the name of your first pet?" if the answer is valuable enough.

In divorce cases, this sort of information can be a gold mine. If you are going through a divorce, remember that things like birthdays and anniversaries are things your future ex knows, and they can bypass your password that way. Even questions like "what is your blood type?" aren't great, because how many possible answers are there? Four (A, B, AB and O), or eight if you count the Rh factor, so an attacker can simply try them all. Questions like "who is your favorite actor/actress?" are a problem for a different reason: the answer changes over time, and you may not remember what you put down.

On the other hand, no one wants the question to be "pick your favorite number between 122 and 488".

Some sites will let you create your own questions, which presents its own problems. People tend to make even easier questions ("what is your middle name?") or really poor ones ("what color shirt are you wearing?"). Yes, I've seen questions like this when helping people.

One of the better questions I have seen is "what is your father's middle name?" I couldn't tell you the middle names of my friends' fathers, so this would require a little more work. Another good question might be "what was the first bone you ever broke?": certainly something you would remember, but not something other people are likely to know.

Another clever idea that hasn't taken off is "Passfaces", where people use visual cues (recognizing a set of faces) as a password. It works either as a replacement for a password or as something to strengthen the password reminder process, but it isn't mainstream yet.

The best defense is to pair sets of questions together, asking people to answer multiple questions to get access. Another way would be to give people a checklist: ask "which of the following statements are true about you?", give a list of 15 things, and have the person check off which apply. For example, give statements like:
I have shoplifted something worth more than $10.
I have been to Cincinnati.
My first car was white, yellow, brown, or green.

Have the person check off yes or no for each, and grant access only if all 15 answers are correct. Someone trying to guess their way through that faces 2^15, or 32,768, possible combinations of answers, and that number only holds if the site limits how many attempts can be made. The problem here is that the best questions are the deeply personal ones that no one else knows the answer to. These are also the questions people might be shy about answering honestly. For example, the "shoplifted" question is good, but would I really check off "Yes" if this were a password reminder for a company I work for?
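As an added illustration (not code from the original post), the following Python shows two things about the checklist scheme described above: how big the guessing space of a set of questions actually is, and how a site could check the answers so that only a fully correct set of answers passes. The answer-space sizes in ANSWER_SPACE are constructed estimates for the question types mentioned in the post; the salted hashing of answers, the all-or-nothing check and the constant-time comparison are design choices added here, not anything the post prescribes.

```python
import hashlib
import hmac
import math
import os

# Constructed answer-space sizes for the question types discussed in the post
# (assumptions for illustration, not measured data).
ANSWER_SPACE = {
    "yes_no": 2,            # checklist statement: true/false
    "blood_type": 4,        # A, B, AB, O (ignoring the Rh factor)
    "number_122_488": 367,  # "favorite number between 122 and 488", inclusive
}


def guess_space(question_types):
    """Return (combinations, bits) for a reminder built from these question types.

    An attacker with no knowledge of the user must try on average half of
    `combinations`; `bits` is log2 of the space, the usual way to compare it
    against a password.
    """
    combos = 1
    for q in question_types:
        combos *= ANSWER_SPACE[q]
    return combos, math.log2(combos)


def _normalize(answer):
    # Strip surrounding whitespace and case so "Yes " and "yes" match.
    return str(answer).strip().lower()


def _hash_answer(answer, salt):
    # Salted, slow hash: a leaked answer table cannot simply be read back.
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 100_000)


def enroll(answers):
    """Store one (salt, hash) pair per answer; plaintext answers are never kept."""
    record = []
    for a in answers:
        salt = os.urandom(16)
        record.append((salt, _hash_answer(a, salt)))
    return record


def verify(record, answers):
    """Grant access only if every answer matches.

    Every answer is checked (no early return) and compared in constant time,
    so a failed attempt does not reveal which question was missed.
    """
    if len(answers) != len(record):
        return False
    ok = True
    for (salt, digest), a in zip(record, answers):
        ok &= hmac.compare_digest(_hash_answer(a, salt), digest)
    return ok


if __name__ == "__main__":
    combos, bits = guess_space(["yes_no"] * 15)
    print(f"15 yes/no statements: {combos} combinations, {bits:.0f} bits")
    combos, bits = guess_space(["blood_type", "yes_no"])
    print(f"blood type plus one yes/no: {combos} combinations, {bits:.1f} bits")

    # Constructed sample answers to the three statements listed in the post.
    stored = enroll(["no", "yes", "no"])
    print(verify(stored, ["No ", "YES", "no"]))   # True: normalization applied
    print(verify(stored, ["no", "yes", "yes"]))   # False: one answer wrong
```

Fifteen bits is far less than a decent password provides: 32,768 combinations is an afternoon's work for an automated guesser, so the checklist only helps if the site locks the reminder after a handful of failed attempts. A single four-way question such as blood type contributes only two bits, which is why the post's objection to it is right.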

Or, you can do what I do, and give fake answers to the questions in a way that you will still remember them. Or, just use your mother's maiden name everywhere and wonder how all your accounts got hacked on the same day.
