The Security Question Vulnerability

How easy is it to break into your Gmail account? How about Yahoo! or Windows Live?
If you gave a truthful answer to the security question during signup, it is probably quite easy to hijack your account with just a little bit of research.

Take a look at the Yahoo! Security Questions:

[Screenshot: Yahoo! security questions]

Are these security questions?

Anyone who knows my address can easily figure out the name of my first school or my high school mascot. All of my neighbors, family and friends know both my dog's name and my dad's middle name, and everybody in the world knows I just LOVE the Lakers. As for my wife and me, the people who attended our wedding had the chance to hear about it in the ceremony. In case you couldn't make it, we met on the roof of a bus in Ladakh, India, in 1994…

Because the answer to each of these questions is relatively easy to find out, they are a security vulnerability in my Yahoo! account.
By letting me base account recovery on the name of my first school, Yahoo! actually puts me at risk: anyone who knows where I live can hijack my account. It's like saying "We have the greatest lock to protect your house. Now, why don't we hide the key under the mat?"

Windows Live is pretty much the same as Yahoo!:

[Screenshot: Windows Live security questions]

Gmail is a little bit more sophisticated, with one major difference:

[Screenshot: Gmail security questions]

Gmail is the only one of the three that lets you write your own question.
By doing that, Gmail is effectively asking "which question can only you answer?" I think most people will still come up with "Who is my favorite singer?", "What is my date of birth?" or "What is my dog's name?".
However, that is not a vulnerability Google encourages. If they give you the tools and you fail to use them, it's not their fault.

So, what can we do about it?
If you can write your own question, that is the best option. If not, choose the question about the name of your first school and use your first phone number as the answer. That's what I did! :) The point is that the answer should have nothing to do with the question, so that researching your life does not help an attacker; if the answer you pick is itself on record somewhere (an old phone number can be), it is better than the truth but still not as good as a random string that only you have written down.
Got better ideas? Share them with us!
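The advice above, treating the security answer as a second password that is unrelated to the question, as an added example that is not part of the original post. It generates random answers that can still be dictated over the phone, compares their entropy with rough, constructed estimates of how many guesses a truthful answer survives (the numbers in ASSUMED_GUESS_SPACE are illustrative assumptions, not measurements), and records the answers the way a password manager would. The site name "mail.example" and the output file name are placeholders.

```python
import json
import math
import secrets

# Alphabet for answers that must survive being read out over the phone:
# lowercase letters and digits, minus the pairs that are easily misheard
# or misread (0/o, 1/l/i). 31 symbols, so each one carries ~4.95 bits.
DICTATABLE = "abcdefghjkmnpqrstuvwxyz23456789"

# Constructed, illustrative estimates of how many guesses an attacker who
# has done a little research needs for a truthful answer. They are not
# measurements; the point is the order of magnitude.
ASSUMED_GUESS_SPACE = {
    "first school": 5,           # schools within reach of a known home address
    "high school mascot": 3,     # one per candidate high school
    "dog's name": 100,           # a list of popular pet names
    "father's middle name": 300, # common given names
    "favorite team": 30,         # teams in the league the victim follows
}


def random_answer(n_groups=4, group_len=4):
    """Return a random answer such as 'k7pq-3xmw-rt8v-2hnc'.

    It is unrelated to the question, so no amount of research into the
    account owner helps, and it is grouped so it can be dictated."""
    groups = [
        "".join(secrets.choice(DICTATABLE) for _ in range(group_len))
        for _ in range(n_groups)
    ]
    return "-".join(groups)


def random_answer_bits(n_groups=4, group_len=4):
    """Entropy in bits of an answer from random_answer() with the same parameters."""
    return n_groups * group_len * math.log2(len(DICTATABLE))


def truthful_answer_bits(question):
    """Entropy in bits of a truthful answer under the constructed estimates above."""
    return math.log2(ASSUMED_GUESS_SPACE[question])


def record_answer(store, site, question, answer):
    """Keep the (site, question, answer) triple, as a password manager would.

    `store` is a plain dict so it can be dumped to JSON; in practice it lives
    inside the same encrypted password database as the account password."""
    store.setdefault(site, {})[question] = answer
    return store


def save_store(store, path):
    """Write the store to disk (placeholder for the password manager's vault)."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(store, f, indent=2)


if __name__ == "__main__":
    store = {}
    for q in ASSUMED_GUESS_SPACE:
        a = random_answer()
        record_answer(store, "mail.example", q, a)  # hypothetical site
        print(f"{q:22s} truthful ~{truthful_answer_bits(q):5.1f} bits  "
              f"random {random_answer_bits():5.1f} bits  -> {a}")
    save_store(store, "recovery-answers.json")
```

A 16-symbol answer from this alphabet carries about 79 bits, against roughly 2 to 8 bits for a truthful answer; the only cost is that, as Sylvan and Brant note in the comments, you now have to store it somewhere.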

  • Sylvan

    I completely agree. And there’s not a really good solution, except to use a password database, which negates the need to have the questions in the first place. I use a password generator to make the responses for the challenge questions, but I keep those in the same password database. The only time I ever need those responses is if I mess up in changing my password.

    But right – most users don’t use password databases, and those that do probably still answer the questions truthfully.

  • Gil Megidish

    The list of questions they are offering is quite funny, though. Back in like '96, Yahoo asked me for my childhood hero. As a kid thinking back on his childhood, I was always fond of that idea. Neat thing to ask. Didn't know Bruce Schneier back then ;)

  • dave

    For each question I am forced to use, I choose a completely random and lengthy response, i.e. 20-80 random characters (e.g. pulled from /dev/random, etc.). Since the response is complete gibberish, I store the question and the answer in my password safe program. What I haven't tested is the fuzzy answer that these systems will allow. The backend systems don't expect you to answer exactly, so they do allow some fuzziness (misspellings, case insensitivity, etc.).
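The fuzziness the comment above describes, as an added example of how a backend can accept it without storing the answer in the clear. This is not code from any of the providers discussed; it normalizes the answer (accents stripped, case folded, spaces and punctuation dropped) and then treats it exactly like a password: salted PBKDF2-HMAC-SHA256 and a constant-time compare. The iteration count and the record format are assumptions for the example.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Work factor for PBKDF2-HMAC-SHA256. An assumption for this example; tune it
# to your hardware as you would for passwords.
ITERATIONS = 100_000


def normalize(answer: str) -> str:
    """Canonical form of an answer: accents stripped, case folded, and
    everything except ASCII letters and digits dropped.

    This is the kind of "fuzziness" that lets 'Mr. Fluffy-Kins' match
    'mr fluffykins' years later. It also shrinks the set of distinct
    answers, which is harmless for a random answer and one more reason a
    truthful one-word answer is weak."""
    decomposed = unicodedata.normalize("NFKD", answer)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return re.sub(r"[^a-z0-9]", "", stripped.casefold())


def enroll(answer: str) -> str:
    """Store the answer like a password: salted, slow hash of the normalized form.

    Normalization happens before hashing, so the server never needs the
    plaintext answer to tolerate spelling variation later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(stored: str, candidate: str) -> bool:
    """Check a candidate answer against an enrolled record in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2-sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize(candidate).encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = enroll("Mr. Fluffy-Kins")
    for attempt in ("mr fluffykins", "MR. FLUFFY KINS", "Fluffy"):
        print(f"{attempt!r:20} -> {verify(record, attempt)}")
```

The normalization is deliberately aggressive so the legitimate user is not locked out by a stray space or capital letter; the price is that "Fluffy!" and "fluffy" are one answer, which only matters when the answer was a guessable word to begin with. Rate limiting of recovery attempts still belongs in front of `verify`.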

  • JP

    First, I would suggest switching to an email provider with a business model where you are a customer instead of a product that is being sold to advertisers. Otherwise, they’ll keep adding back doors like this to make it so that even their most forgetful users can keep logging in and generating ad revenue for them despite the fact it comes at the expense of the security and privacy of all other users.

    Second — ignore the question! Or at least pick a question that is as off the wall as possible and will help you remember you provided a bogus answer. This bogus answer is something only you will know, that’s not a dictionary word, isn’t used at other websites, and can’t be brute forced or easily guessed by password guessing scripts. This also protects you somewhat when that email site is inevitably compromised at some point in the future — because the attacker doesn’t have access to any of your “secret” information that could then be used against you in social engineering attacks or to compromise other accounts on the web.

    Make this “second” password just as strong as the first one if possible. In some cases where you have to reactivate over the phone, it has to be something that you can clearly dictate. But for the same reason you wouldn’t want a real password to be a dictionary word, common name, date that falls in a predictable range, or an old public record, you probably don’t want your “second” password to be any of those values either.

  • jay

    You could probably present the answer in another language but written in English. This would make it one step harder for the attacker to guess. The best is to find the meaning of the "answer" in another language you don't know! So even if the attacker tries to use the answer in your native tongue, he/she won't know that it's in a language that even you don't know!

  • Brant

    I’m not famous, so there is little use in someone hacking me. The trouble is that if you do something like answer a different question, then you have to actually remember that you did that – which may be really difficult in 3 years. I like the random string idea, but again, you have to store/remember it. One additional problem is that some systems began using challenge questions recently and the original was never set. Worse still are the ones that make you remember which question you picked.

  • Renee Q

    Why is my Gmail "read" section pulling up read emails from last year and NOT recently read emails?