July 21, 2019

How to answer (shitty) security questions

How to answer (shitty) security questions

I saw this tweet from Paul Barton. And he is right. These are really terrible security questions.

Security questions are still used by many websites as account recovery mechanism. It works as follows. As part of your user account configuration you must select a number of security questions and provide answers for them. When you can no longer access your account you can regain access via answering the security questions, either online or by communicating with the company's help desk.

Let your answers be clever

Security questions are sometimes called secret questions. But the ones used by the service Paul was trying to register for, are certainly not so secret. And far worse, the answers aren't either. The answers to these questions can be easily found via a search engine or by inspecting people's social media profiles. At least if you put in the real place of birth or the name of your parents.

This is how I answer security questions...

I generate a random password as answer to the security question and I store both question and answer in my password manager. Certainly don't forget to store the question because some sites don't give you a selection combo at account recovery.

From a security perspective this might be the best possible approach given the crappy security implementation of some websites.

However, from a usability perspective these kind of answers might cause you some troubles. Managing truly random strings might be hard, taking into account that password managers are not the best solution for everyone.

Also keep in mind that sometimes account recovery can only be done via a phone call with the company's help desk. Very cool that you are using a password manager, but good luck with spelling a 50 character random string character by character.  A way to balance security and usability is by using passphrases or a combination of random words. If you use a password manager it probably has a feature to help you generate memorable passwords.

Why companies should do better

To conclude, I think it's important to note that a lot of companies need to improve the way they implement user account recovery. Even if security questions are formulated in such a way that the answers are not easy to find on the internet, there's still the risk of social engineering.

Most people, unaware of potential risks, will answers these questions honestly. The minority of people that provide random answers can still have a hard time at account recovery. Security questions also increase the attack surface of websites. So I can really not find a good motivation for still implementing them. I guess the main reason we still see security questions used is because it's easy to implement.

Account recovery is one of these features where usability is subordinate to security. It must be deliberately difficult to recover access to your account. Remember if it's easy for you, it's probably not difficult for attackers either.

Companies should evaluate if they really want this to be a fully online process or not. Whether it's online or offline only, or a combination of both, it's a good practice to only recover an account when the person requesting can prove account ownership via one or more side channels.