Password reset questions

Recently there was some discussion about “self-service” password resets.  The standard option, of course, is to have some sort of “secret question” that the true account holder should be able to answer.  You know: super-secret stuff like your pet’s name.  (Yes, Paris Hilton, I’m talking about you.)

The discussion went into more detail, turning to policy and options, and asked whether you should turn off “custom” questions and stick to a list of prepared questions.

I would definitely allow custom questions.  The standard lists never seem to give me options that a) I can remember, and b) wouldn’t be immediately obvious to anyone who could find out some minimal information about me.

If I can make up my own question, I can ask myself what my favourite burial option would be.  The answer, “encryption,” is something I will remember to my dying day, and nobody else is ever going to guess.  (Well, those who have read the “Dictionary of Information Security” might guess that one, so I guess I won’t actually use it.)

Go ahead: try to guess the only pain reliever that works for me.

What sits under my desk and keeps the computers running in the case of a power failure?

What is Gloria’s favourite ice cream flavour?

Finish the following sentence: Don’t treat Rob as your _______ ___.  (This one is a two-part test: you also have to fill in the standard response to that statement.)

The thing is, all of these oddball questions have special meaning for Gloria and me, but for very few other people in the world.  They rely on mistakes or quirks that have become “family phrases.”  For example, what do you need before bed to get to sleep?  Answer: “warum melek,” coming from an elderly lady of our acquaintance from a northern European background.

Yeah, I like “custom questions” a lot.

(OK, yes, you do have to do a bit of security awareness training to indicate that “who is my sweetie poo” may not be as secret as some people seem to think …)

  • Chester Wisniewski

    I suppose I must respectfully disagree. Should you really be able to undo a 25 character strong password by brute force or excessive guessing? Whether your favourite colour is DetroitTigers or not, it is simply too easy to brute force. Maybe the missing question is whether your service provider rate-limits guesses or if they lock your account completely after X attempts?

    • Aviram Jenik

      Chester: Why would brute-forcing even be possible? Every half-secure service will lock you out after a few tries, and if they don’t, I wouldn’t bother brute-forcing a 25 character password, I will steal it from you instead (it is obviously stored somewhere that is not in your head).
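The lockout Chester asks about and Aviram assumes, as an added example that is not part of the original post or the comments: a small reset-question verifier that stores normalised answers as salted hashes, compares them in constant time, and locks the reset path after a few wrong guesses. The class and function names (`AnswerStore`, `brute_force`, `demo`), the five-attempt limit, and the colour guess list are all constructed for illustration; the point it makes is Chester’s, that a “favourite colour” answer space is small enough to walk through in a dozen tries unless the service stops counting.

```python
import hashlib
import hmac
import os
import unicodedata

# Added example (not from the post): hashed reset answers plus a lockout.
# MAX_ATTEMPTS and PBKDF2_ROUNDS are assumed values, not a real service's.
MAX_ATTEMPTS = 5
PBKDF2_ROUNDS = 100_000


def normalise(answer: str) -> str:
    """Case-fold and drop whitespace so 'Detroit Tigers' matches 'detroittigers'.
    Reset answers are typed from memory, so formatting noise is tolerated."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(text.split())


class AnswerStore:
    """Per-user reset answers as salted PBKDF2 hashes with a failure counter.
    max_attempts=None models a service that never locks the reset path."""

    def __init__(self, max_attempts=MAX_ATTEMPTS):
        self.max_attempts = max_attempts
        self._records = {}

    def _hash(self, answer: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(),
                                   salt, PBKDF2_ROUNDS)

    def enrol(self, user: str, question: str, answer: str) -> None:
        salt = os.urandom(16)
        self._records[user] = {"question": question, "salt": salt,
                               "hash": self._hash(answer, salt),
                               "failures": 0, "locked": False}

    def question_for(self, user: str) -> str:
        return self._records[user]["question"]

    def is_locked(self, user: str) -> bool:
        return self._records[user]["locked"]

    def verify(self, user: str, answer: str) -> bool:
        rec = self._records[user]
        if rec["locked"]:
            return False            # locked: refuse even the right answer
        candidate = self._hash(answer, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        if self.max_attempts is not None and rec["failures"] >= self.max_attempts:
            rec["locked"] = True    # further resets go through a support channel
        return False


# Constructed guess list: the whole answer space for "favourite colour"
# fits comfortably in a single screen, which is why the question is not a secret.
COLOUR_GUESSES = ["red", "blue", "green", "black", "white", "purple",
                  "orange", "yellow", "pink", "brown", "grey", "gold"]


def brute_force(store: AnswerStore, user: str, guesses) -> tuple:
    """Try each guess in order; return (recovered, attempts_made).
    Stops as soon as the answer is accepted or the account locks."""
    attempts = 0
    for guess in guesses:
        if store.is_locked(user):
            break
        attempts += 1
        if store.verify(user, guess):
            return True, attempts
    return False, attempts


def demo() -> dict:
    """Same answer and same guess list against a locking and a non-locking store."""
    locking = AnswerStore()
    locking.enrol("chester", "What is your favourite colour?", "Purple")
    with_lockout = brute_force(locking, "chester", COLOUR_GUESSES)

    never_locks = AnswerStore(max_attempts=None)
    never_locks.enrol("chester", "What is your favourite colour?", "Purple")
    without_lockout = brute_force(never_locks, "chester", COLOUR_GUESSES)
    return {"with_lockout": with_lockout, "without_lockout": without_lockout}


if __name__ == "__main__":
    print(demo())
```

With the lockout in place the attacker gets five wrong colours and is then refused, including on the sixth guess that would have been right; without it the same list recovers the account on attempt six. Real deployments also want the counter to persist across sessions and IP addresses, and the hashing gives a defender nothing if the answer itself is something a stranger can look up.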

  • king

    I HATE HATE HATE “security questions.” They’re just an alternative path into your account so the site can reduce customer support calls. Misused they’re a gaping hole in security. Used correctly, they’re harder to manage than the password itself.

    Almost anything you’ll really remember can be found by someone. I make up nonsense answers, so I don’t need custom questions– though I can see how that would help. But now I have to keep the questions *and* the answers in my password database *with* my password!

    I would have undying loyalty to any site that would include a checkbox in the registration process that says “I’m an adult, I can keep track of my password.” Security questions? Security questions? We don’t need no stinkin’ security questions!