Secret Questions
I just logged onto my online banking account from a new location and was prompted to answer a "secret question" as a secondary source of "something I know." The experience reminded me of a recent blog post by Internet security guru Bruce Schneier. I've known Bruce for many years, although he most likely doesn't remember me. We became acquainted during my time as VP of Worldwide Marketing at CyberGuard.

He once wrote that the problem with using "secret questions" for authentication is that the answers are often much easier to guess than random passwords. For instance, mother's maiden name isn't very secret. Name of first pet, name of favorite teacher: there are some common names. Favorite color: Bruce believes he could probably guess that in no more than five attempts. The point Bruce is making is that an organization's normal security protocol (passwords) falls back to a much less secure protocol (secret questions), and the security of the entire system suffers.

I'm not in complete agreement. The problem with secret questions is not the answer but the question. Secret questions can be used effectively if the basis for the question is to provide a backup password. The question doesn't matter; if the answer represents a second password for the site, then it should be as strong as the primary password. Unfortunately, it's not realistic to expect that strong passwords be used in all cases. Sites for official business (banks, government) generally require as a condition of use that all information provided is correct. So, if you enter "7DGG46QPK" as your mother's maiden name, you conceivably could be prosecuted for unauthorized computer use and/or financial fraud.

I still believe that secret questions can be used effectively, but only if the user can create their own questions. A diligent user would create questions that are harder to guess than a generic password without the burden of remembering a new strong password.
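To put numbers on the "weakest fallback" argument and on the "treat the answer as a second password" policy, here is an added example (mine, not from the post or from Bruce Schneier). The favorite-color distribution is a constructed assumption, not survey data; the nine-character random secret stands in for a strong primary password.

```python
import math

# Constructed, illustrative prior over answers to "What is your favorite color?".
# The exact numbers are an assumption; only the shape (a few very common answers) matters.
FAVORITE_COLOR = {
    "blue": 0.35, "green": 0.18, "red": 0.14, "purple": 0.10, "black": 0.08,
    "yellow": 0.05, "orange": 0.04, "pink": 0.03, "other": 0.03,
}


def guess_success(distribution, attempts):
    """Probability an attacker hits the answer within `attempts` tries,
    trying the most common answers first (the optimal order)."""
    probs = sorted(distribution.values(), reverse=True)
    return min(1.0, sum(probs[:attempts]))


def random_secret_success(alphabet_size, length, attempts):
    """Same probability for a uniformly random secret (a strong password)."""
    return min(1.0, attempts / float(alphabet_size ** length))


def weakest_path(*success_probs):
    """Two independent ways to authenticate: the attacker takes the easier one,
    so the system is only as strong as its weakest fallback."""
    return max(success_probs)


def min_entropy_bits(distribution):
    """Min-entropy: how many bits the single best guess is worth."""
    return -math.log2(max(distribution.values()))


def fallback_answer_acceptable(answer, common_answers, min_length=9):
    """Policy for a user-chosen fallback answer, treating it as a second
    password: reject short answers and anything on a common-answer list."""
    normalized = answer.strip().lower()
    return len(normalized) >= min_length and normalized not in common_answers


if __name__ == "__main__":
    color5 = guess_success(FAVORITE_COLOR, 5)
    pw5 = random_secret_success(36, 9, 5)
    print(f"favorite color, 5 guesses: {color5:.2f}")
    print(f"random 9-char secret, 5 guesses: {pw5:.2e}")
    print(f"system (weakest path): {weakest_path(color5, pw5):.2f}")
    print(f"min-entropy of the color answer: {min_entropy_bits(FAVORITE_COLOR):.2f} bits")
```

Under these assumptions five guesses at the favorite color succeed about 85% of the time while five guesses at the random secret are hopeless, and the combined system inherits the 85%; the policy function is what a site would run on a user-created answer to keep the fallback as strong as the primary password.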
I agree that this idea is hard to implement, and even harder to enforce, but not impossible. Whatever your opinion, secret questions are now the norm. Get used to it! Want to know more? Check out "Personal knowledge questions for fallback authentication: Security questions in the era of Facebook". http://www.cs.berkeley.edu/~asrabkin/soups/bankauth.pdf

