Old 10-03-2009, 12:41 AM   #1
rowan
Too lazy to set a custom title
 
Join Date: Mar 2002
Location: Australia
Posts: 17,393
Security questions are actually mostly INSECURE

You know those security questions you use to reset your password? Many sites use canned questions like "your pet's name" or "your mother's maiden name" ... if a cracker has access to your email they can probably access other things, how difficult do you think it would be for them to find out that info? Probably not hard at all.

The best way is for the site to allow you to specify the QUESTION as well as the ANSWER, since it allows you to obfuscate it. If your wife named Joan Jill Doe has a mole you could choose something like "mole middle"... and the answer is "jill" (the middle name of someone with a mole). To someone who doesn't know your wife personally the question will make no sense.

Thoughts?
Old 10-03-2009, 01:14 AM   #2
Stacks Banned for Life
So Fucking Banned
 
Join Date: Aug 2009
Posts: 304
Quote:
Originally Posted by rowan View Post
You know those security questions you use to reset your password? Many sites use canned questions like "your pet's name" or "your mother's maiden name" ... if a cracker has access to your email they can probably access other things, how difficult do you think it would be for them to find out that info? Probably not hard at all.

The best way is for the site to allow you to specify the QUESTION as well as the ANSWER, since it allows you to obfuscate it. If your wife named Joan Jill Doe has a mole you could choose something like "mole middle"... and the answer is "jill" (the middle name of someone with a mole). To someone who doesn't know your wife personally the question will make no sense.

Thoughts?
I disagree wholeheartedly. Security questions and even passwords for that matter should be easy to guess.
Old 10-03-2009, 01:33 AM   #3
d-null
. . .
 
d-null's Avatar
 
Industry Role:
Join Date: Apr 2007
Location: NY
Posts: 13,724
Old 10-03-2009, 09:20 AM   #4
Libertine
sex dwarf
 
Libertine's Avatar
 
Join Date: May 2002
Posts: 17,860
The real problem is that those security questions tend to open up your accounts to social engineering and inside attacks.

When you're targeting random people, they're useless, but when you're targeting a specific person (e.g. a celeb, someone you want to scam, etc), they make it lots easier.

For example, let's say you're trying to get the PayPal account of a specific person. You know their email address, have tried to get the password, and have found out what the security question for that email address is.

You can give the person a call and come up with a story like "I'm doing genealogical research at the moment, and it seems you might be related to historical figure X. Your mother's maiden name was XYZ, right?". The answer will often be "No, it was XXX", giving you the answer you needed.

Or, if it's someone you actually know, it's even easier. You wouldn't tell people you know your passwords, but you would tell them random, seemingly unimportant trivia if those came up in conversation.
__________________
/(bb|[^b]{2})/
Old 10-03-2009, 10:06 AM   #5
woj
<&(©¿©)&>
 
woj's Avatar
 
Industry Role:
Join Date: Jul 2002
Location: Chicago
Posts: 47,882
yea, I agree many of them are terrible... I've seen ones like "what year did you graduate from high school?" "How many kids do you have?" "what high school did you go to?"

You could very easily bruteforce these...
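The point in the post above about small answer spaces, worked through from the site operator's side as an added example (not code from the thread). The answer-space sizes, the `ResetGuard` class and all function names are assumptions made for illustration.

```python
import hmac

# Constructed estimates of how many plausible answers each question has.
# The questions are the ones quoted in the post; the sizes are assumptions.
ANSWER_SPACE = {
    "what year did you graduate from high school?": 60,
    "how many kids do you have?": 10,
    "what high school did you go to?": 30_000,
}

def guess_risk(space_size, attempts_allowed):
    """Chance that uniform guessing hits the answer before lockout."""
    return min(1.0, attempts_allowed / space_size)

def audit_questions(spaces, attempts_allowed, max_risk):
    """Return the questions whose guess risk exceeds max_risk."""
    return sorted(q for q, n in spaces.items()
                  if guess_risk(n, attempts_allowed) > max_risk)

class ResetGuard:
    """Counts failed reset answers per account and locks out at a limit."""

    def __init__(self, answers, attempts_allowed=5):
        self.answers = {a: self._norm(v) for a, v in answers.items()}
        self.attempts_allowed = attempts_allowed
        self.failures = {}

    @staticmethod
    def _norm(text):
        # Case and whitespace differences should not fail a legitimate user.
        return " ".join(text.lower().split()).encode()

    def check(self, account, answer):
        """Return 'ok', 'wrong' or 'locked'; a locked account stays locked."""
        if self.failures.get(account, 0) >= self.attempts_allowed:
            return "locked"
        expected = self.answers.get(account, b"")
        # Constant-time comparison; unknown accounts count as a wrong answer.
        if expected and hmac.compare_digest(expected, self._norm(answer)):
            self.failures.pop(account, None)
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        return "wrong"
```

With five attempts allowed, the graduation-year and number-of-kids questions still leave a guesser an 8% and 50% chance respectively under these assumed sizes, which is why a lockout alone does not rescue a question with few possible answers.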
Old 10-03-2009, 10:27 AM   #6
Iron Fist
Too lazy to set a custom title
 
Join Date: Dec 2006
Posts: 23,400
I actually hate sites that force me to answer these questions...as most of my passwords are like...

b78T5jsn12vdi9dww2

force brute that bitches.
__________________
i like waffles
Old 10-03-2009, 10:44 AM   #7
rowan
Too lazy to set a custom title
 
Join Date: Mar 2002
Location: Australia
Posts: 17,393
Quote:
Originally Posted by sharphead View Post
I actually hate sites that force me to answer these questions...as most of my passwords are like...

b78T5jsn12vdi9dww2

force brute that bitches.
You're thinking of a password reminder (which is probably better since it can also be obfuscated, although that won't help people who use "coffee"), I'm talking about a password reset function... answer the question right and you're emailed a new password.
Old 10-03-2009, 10:46 AM   #8
EthnicLover
Confirmed User
 
EthnicLover's Avatar
 
Join Date: Feb 2007
Location: S. California
Posts: 1,584
Quote:
Originally Posted by d-null View Post


Going Rogue!
Old 10-03-2009, 11:05 AM   #9
Mutt
Too lazy to set a custom title
 
Mutt's Avatar
 
Industry Role:
Join Date: Sep 2002
Posts: 34,431
I dunno - I use the 'mother's maiden name' one and 'your first phone number' or 'name of public school' - you could ransack my house, never mind my computer, and not find any of those answers.