City of birth? Why password questions are a terrible idea

Using secret questions to give people access to their passwords is a terrible idea, according to a new paper from Google. A white paper [PDF] called "Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google" dug into the data of millions of users interactions with a range of password- …

  1. choleric
    Terminator

    inquiring minds

    Yes but what is Google's favourite food this month?

    1. Antonymous Coward
      Terminator

      Re: inquiring minds

      Fucktard.

      That one never changes. Google is a fucktardivore.

      Which makes me wonder if there's truth to the old adage you are what you eat... the empirical evidence El Reg just presented doesn't seem to leave much room for doubt... hmmm...

      1. Anonymous Coward
        Anonymous Coward

        Re: inquiring minds

        I can see from your down votes that Google employees are spamming the comment board again.

    2. Anonymous Coward
      Anonymous Coward

      Re: inquiring minds

      Whenever I lose my Google password, I just call the NSA. After all, Google hands them everything anyway.

      1. Anonymous Coward
        Anonymous Coward

        Re: inquiring minds

        obligatory dilbert

  2. MrDamage Silver badge

    Spell it phonetically

    Combine phonetic spelling, especially in conjunction with any local accent you may have, and it suddenly makes password guessing a whole lot harder, even if you do have the details plastered all over your farcebook page.

    eg: City of Birth: Lifpull vs Liverpool.

    1. Anonymous Coward
      Anonymous Coward

      Re: Spell it phonetically

      Brilliant! Ergo: sanfrnsisco

    2. Deltics

      Re: Spell it phonetically

      Why does the answer even have to relate to the question ?

      If you simply adopt the practice of consistently using the same non-relevant answer to a particular question you both improve the ability to recall it (since it is contextual - password recovery - and specific - always the same for a given question)

      e.g.

      Town where you were born: Fish and chips

      Mothers maiden name: Capsicum

      Favourite food: Kylie Minogue

      Needless to say, these are not the answers I use. :)

      1. Craigness

        Re: Spell it phonetically

        "Why does the answer even have to relate to the question?"

        My father's middle name has 200 bits of entropy, constantly changes, and is stored in my password manager.

        Why would a company want customers who are likely to forget their password anyway?

        1. Yag

          Re: Spell it phonetically

          ...stored in my password manager.

          Why would a company want customers who are likely to forget their password anyway?

          Love the irony...

          1. Craigness

            Re: Spell it phonetically

            "Love the irony..."

            I've never forgotten a password, because I have a password manager. I don't see the irony there. The point is that an easy to guess "security" question makes the password weak, no matter how long it is, so the answer to the question has to be something which can't be guessed, and your father's name should be different on every site just like your password is. That requires a password manager...and that's the irony! Instead of having 1 high-entropy string to remember, you have 2.

            1. Yag

              Re: Spell it phonetically

              You don't remember your password. It's your password manager that remembers them for you.

              No need for justification, it's fine you know...

        2. h4rm0ny

          Re: Spell it phonetically

          >>"My father's middle name has 200 bits of entropy, constantly changes"

          Let me guess, your father is Bruce Schneier?

          1. breakfast Silver badge
            Thumb Up

            Re: Spell it phonetically

            His full name is currently Bruce QKNNqX5RPied54StngMi0ZfMNF8l637cwywzQJ1302FdwG3R4NLodqYi1vMy6FS Schneier.

            1. Michael H.F. Wilkinson Silver badge

              Re: Spell it phonetically

              Reminds me of the BOFH episode where Simon reminisced about the time he set the password expiry time to 24 hours and minimum required length to 32 characters, forcing people to use a password generator which produced results looking like "vaguely pronounceable line noise"

              Brilliant

              1. Anonymous Coward
                Anonymous Coward

                Re: Spell it phonetically

                Reminds me of the BOFH episode where Simon reminisced about the time he set the password expiry time to 24 hours and minimum required length to 32 characters, forcing people to use a password generator which produced results looking like "vaguely pronounceable line noise"

                You're referring to this passage… from The Striped Irregular Bucket (which predates the BOFH):

                I hang up - he'll call back. Meantime I open up a copy of "VMS BASTARD OPERATORS MANUAL FROM HELL" I'm reading the article I sent in about getting rid of those trouble users...

                "... Modify the user's password minimum from 6 to 32 letters, give the password a 1 day lifetime, set it so that they HAVE to use the password generate utility when they change their password (so their password will always be something that looks like vaguely pronouncable line-noise), add a secondary password with the same as the above, then redefine their CLI tables so that the only command that works is DELETE, and all other commands point to it."

                (Above passage © Simon Travaglia, ~1988~89)

      2. Anonymous Coward
        Anonymous Coward

        Re: Spell it phonetically

        " using the same non-relevant answer to a particular question ....Favourite food: Kylie Minogue"

        Non relevant for you perhaps. There's some people round here would be delighted to have a munch.

  3. Anonymous Coward
    Anonymous Coward

    Damned lies

    A few years back I cashed in the residue of a UK ISA (remaining balance just £1.50 but local tax laws forced it to be closed). No longer being in Blighty it transpired this would be a serious posterial pain involving sending of certified passport copies to validate signatures, etc, but their helpful man on the phone explained I could skip all that simply by registering for their internet banking access, then login and transfer the investment funds to wherever I liked. So off I toddled and being in a hurry and not overly concerned about the risk that some miscreant steal my half-a-cup-of-coffee's worth I pasted "sasquatch" into all the security question prompts. Clickety-click, done, now to close the account... "Please phone our banking service team for this request"

    "Hello Mr Mongo, I can see your account number but first I just have to ask you some security questions...what was your grandfather's occupation?"

    "Sasquatch"

    "That's fine ... now what was the name of your first school?"

    "(nervous giggle) Sasquatch"

    "Ahhh...and what was your first pet's name?"

    "Sasquatch, too. I mean too as in also, not two as in the number...I really didn't expect I'd be telling these to a person, it was just a nice word to say..."

    He kindly overlooked my embarrassed tittering, didn't go all jobsworth about this horrific breach of security best practice, nor yet accuse me of lying to one of Her Majesty's civil servants for pecuniary advantage. And (in my defense) no amount of dumpster diving or Facebook scraping would have revealed my family's secret shame that grandpa used to roam the American woods in a monkey suit.

    1. Anonymous Coward
      Anonymous Coward

      Re: Damned lies

      You're more sensible than I am. At one time, all of the answers to my security questions were strings of obscenities. I think I'm going to start using strings like: theresabombunderyourchair

    2. VinceH
      Joke

      Re: Damned lies

      "And (in my defense) no amount of dumpster diving or Facebook scraping would have revealed my family's secret shame that grandpa used to roam the American woods in a monkey suit."

      Yet you happily revealed that shameful secret in a comment on El Reg!

      I think as a punishment, you should don a dinosaur suit and start swimming in Loch Ness.

    3. Bob Dole (tm)

      Re: Damned lies

      I suspect a LOT of people do this. I know I do.

  4. Andrew Jones 2

    This would explain Google's ridiculously over complicated password recovery system then.

    A friend was trying to remember her password and we eventually opted for the account recovery thing.

    An email address we can contact you on.

    What is the last Password you remember

    When did you create your account MM/YY

    When can you remember last using your account MM/YY

    Secret Question & Answer

    When did you last use:

    Google Mail MM/YY

    Hangouts MM/YY

    Google+ MM/YY

    Wallet MM/YY

    OK it only wanted approximate dates - but still - I went through that 6 times - before we finally recovered her account!

    1. Qu Dawei

      only password recovery

      I've found gmail to become almost unusable since it seems to object to me accessing my email account with them from multiple locations. It required the use of some bizarre extra level of security I could just do without, and there was no way of opting out from it. A total pain.

      1. Phuq Witt

        Re: only password recovery

        Plus a zillion on that!

        I opened an account with Yandex mail and [as one of the options] chose to import my existing email from a Gmail account. It didn't work and I later got an email from Google along the lines of "We prevented unauthorised access to your account".

        Clicking a link in that email took me to a Google Account Security page where a nice map showed me that an attempt had been made to access my account from St. Petersburg, Russia [obviously Yandex's mail importer trying to do its thing].

        Under the map was a box to tick saying something along the lines of "It's OK. That was me". So I ticked this and went back to Yandex to try again...

        Rinse and repeat, ad nauseam.

        No matter how many times I told Google it was OK to allow the connection attempt from St. Petersburg, they still blocked it —even after I ticked some other option to use less stringent security on my Gmail account.

  5. itzman

    What is the name of your pet rabbit?

    I don't have a pet rabbit.

    Actually the things I use tend to be stuff that is buried so far in my altogether too long past that no one else has a cat's chance in hell of discovering them.

    I am probably the only person alive who remembers the name of the family cat in 1954....

    1. Evil Auditor Silver badge
      Joke

      Re: What is the name of your pet rabbit?

      But why the heck would someone name a cat "in 1954"?

      1. Naughtyhorse

        Re: What is the name of your pet rabbit?

        clearly a top secbod

    2. Irongut

      Re: What is the name of your pet rabbit?

      At least you had a family cat. I've never owned a pet, don't have a favourite food or colour and my father has no middle name. A lot of the truthful answers to my security questions are 'None'.

      Fortunately I don't have to worry about a hacker looking me up on Facebook to find out the other answers. I've never had an account and my name is common enough they would probably find someone else.

  6. Gene Cash Silver badge

    Even worse

    I've been asked for my city of birth....

    "Ocala"

    "Response must be 8 letters or longer"

    "Ocala, FL"

    "Response cannot contain spaces or punctuation"

    My next response didn't contain spaces or punctuation, but it certainly contained my opinion of the bank and the coders.

    1. Anonymous Coward
      Anonymous Coward

      Re: Even worse

      Something along the lines of "LearnToCodeProperlyYouLazyGits"?

    2. Craigness

      Re: Even worse

      That would help some of the 38% of Koreans. And Londoners, Parisians, Romans, Dubliners, Los Angelinos,......

    3. Crazy Operations Guy

      Re: Even worse

      What is your favorite color? (Answer must be 8 characters or longer). So that gives only two options (That I can think of): Aqua-marine and Vermilion...

      1. choleric

        Re: Even worse

        Turquoise?

        1. king of foo

          Re: Even worse

          Durchfall ?

          Because I can't spell it in Englisch... despite being Schottisch.

          1. Evil Auditor Silver badge
            Trollface

            Re: Even worse

            @king of foo, I'm sure your Durchfall has some colour and I don't want to hear any more details about that. But I'd tell you the same as recently told the missus: apricot is a fruit and not a feckin' colour!

            1. Myself-NZ

              Re: Even worse

              What about orange ? Both a fruit and a colour.

              1. AndrueC Silver badge
                Boffin

                Re: Even worse

                What about orange ? Both a fruit and a colour.

                Fun fact: No they aren't. Not really :D

      2. Captain Hogwash

        Re: Even worse

        Use modifiers e.g. dark black, light black, pale black, etc.

        1. Anonymous Coward
          Anonymous Coward

          Re: Even worse

          The use of these type of questions is clearly stupid. The answers are either easily guessable or unmemorable. I also don't want to give that kind of information to the majority of sites I use.

          The only solution I've come up with is to make stuff up and store it in a password manager.

      3. Picky

        Re: Even worse

        Aqua-marine contains a hyphen ... computer says no ...

      4. tony2heads

        Re: Even worse

        color:#80BFFF

      5. Kubla Cant

        Re: Even worse

        Ultramarine? Viridian? Charcoal? Aureolin?

        But seriously, who the hell has a favourite colour past the age of six?

      6. Stoneshop

        Re: Even worse

        What is your favorite color?

        Ultraviolent, infradead, burnthombre, loathsomelilac, gangreen...

        Or maybe BlueNoyelAuuuuuuuugh!

      7. heyrick Silver badge

        Re: Even worse

        Amaranth? Chartreuse? Cerulean?

        (red, yellow (or green as a web colour for some reason), greeny-blue)

      8. Tromos

        Re: Even worse

        Greenish

    4. Whit.I.Are

      Re: Even Worse

      I had the same with my mother's maiden name - which at 4 characters long was too short for the dumbass site I was trying to register for.

      1. Stoneshop
        Pint

        Re: Even Worse

        I had the same with my mother's maiden name

        I have an inkling their code would also barf if your mother's father was Johann Gambolputty-de-von-Ausfern-schplenden-schlitter-crass-cren-bon-fried-digger-dangle-dungle-burstein-von-knacker-thrasher-apple-banger-horowitz-ticolensic-grander-knotty-spelltinkle-grandlich-grumblemeyer-spelter-wasser-kurstlich-himble-eisen-bahnwagen-guten-abend-bitte-ein-nürnburger-bratwürstel-gespurten-mitz-weimache-luber-hundsfut-gumberaber-schönendanker-kalbsfleisch-mittleraucher-von-Hautkopft von Ulm

        (beer, to lubricate your throat in case you have to read it on the telephone)

    5. jonathanb Silver badge

      Re: Even worse

      The largest cities in most countries I can think of are less than 8 characters long.

    6. Irongut

      Re: Even worse

      The first line of my address has a slash in it. This could be replaced by a dash and the postie will still understand. What really annoys me is the number of sites that won't allow punctuation of any kind in an address. Especially since you pick what you want to buy, they make you create an account with a bunch of stupid security questions and only as you're completing the order do they tell you that / isn't allowed in an address.

      YES IT BLOODY WELL IS!

    7. macjules
      FAIL

      Re: Even worse

      Florida, fine but a bit of an embuggerance if you come from somewhere like Luxembourg, Andorra, Liechtenstein or Monaco.

      Significantly worse if you happen to have been born in Scunthorpe I think.
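Two things in the thread above are worth showing as working code rather than anecdote: the bank that bounced "Ocala" for being under 8 letters and "Ocala, FL" for containing punctuation (and the 4-letter maiden name that met the same fate), and the advice several commenters give to treat the answer as just another random secret kept in a password manager. The block below is an added example written for this page; it is not code from the article, from Google, or from any commenter. It assumes a server that normalises a free-text answer (Unicode NFKC, casefold, drop everything but letters and digits) and then hashes it with a salted slow KDF exactly as it would a password, so no length or character rule ever needs to reject a real place name or surname. The function names, the normalisation rule, the PBKDF2 iteration count and the 62-symbol alphabet are this example's own choices.

```python
"""Added example (not from the article or any commenter): store security-question
answers as secrets instead of rejecting them on length or punctuation grounds,
and generate the random per-site answers the commenters recommend keeping in a
password manager. Function names, normalisation rules and parameters are this
example's assumptions, not any real site's implementation."""

import hashlib
import hmac
import math
import secrets
import string
import unicodedata

# Assumption: a work factor in line with current PBKDF2-HMAC-SHA256 guidance.
DEFAULT_ITERATIONS = 600_000
ANSWER_ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def normalize_answer(answer: str) -> str:
    """Canonicalise a free-text answer so 'Ocala, FL' and 'ocala fl' compare equal.

    NFKC-normalise, casefold, then keep only letters and digits.  The raw answer
    is never rejected for being short ('Ocala', a four-letter maiden name) or for
    containing spaces, hyphens or punctuation: those are stripped here rather
    than bounced back to the user with a "must be 8 letters" error.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def store_answer(answer: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Hash the normalised answer like a password: random salt plus a slow KDF.

    Returns the record a site would persist instead of the plaintext answer.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, iterations
    )
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify_answer(record: dict, attempt: str) -> bool:
    """Recompute the KDF over the normalised attempt; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(attempt).encode("utf-8"),
        record["salt"],
        record["iterations"],
    )
    return hmac.compare_digest(candidate, record["hash"])


def chars_for_entropy(bits: float, alphabet_size: int = len(ANSWER_ALPHABET)) -> int:
    """Uniformly random symbols needed to reach `bits` of entropy.

    With 62 symbols, the 200 bits one commenter claims for his father's
    middle name takes 34 characters.
    """
    return math.ceil(bits / math.log2(alphabet_size))


def random_answer(bits: float = 128) -> str:
    """The commenters' countermeasure: a random, per-site answer that lives in a
    password manager, so "mother's maiden name" is no weaker than the password."""
    return "".join(
        secrets.choice(ANSWER_ALPHABET) for _ in range(chars_for_entropy(bits))
    )


if __name__ == "__main__":
    # Smaller iteration count only to keep the demo quick.
    record = store_answer("Ocala", iterations=10_000)
    print(verify_answer(record, " OCALA "))     # same answer after normalisation
    print(verify_answer(record, "Ocala, FL"))   # different normalised answer
    print(chars_for_entropy(200), random_answer(200))
```

Note what the normalisation does and does not buy: it removes the reason for the arbitrary input rules the commenters ran into, but it does nothing about the underlying weakness the Google paper is about, namely that a truthful answer is guessable or findable. That is what `random_answer` addresses, and it is why the generated answer belongs in a password manager alongside the password rather than in anyone's memory.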
