Security Questions: Not So Secure
Do you force your users to pick from a list of predefined security questions?
Who is my favorite singer? I don’t have one, and even if I did, tastes change over time. What was the name of my first dog? His name was Rex. That was your guess number one anyway. In what hospital was I born? I don’t know, and I would probably make a transliteration mistake because we Russians use an alphabet of 33 letters with a few sounds that you will not find in English.
These questions are also a huge security concern. Your friends may know what books you read, what music you listen to, what movies you watch… they may have even watched these movies with you. We should not have to avoid discussing these things online just because some developer decided that only you know which city you were born in. This is not private information, so it’s not really a “security” question.
Another problem with questions like my mother’s maiden name is that once a site stores the answer in plain text, it becomes a buffet for anyone who wants to hack all my accounts. Most sites use the same cliché questions, so once an attacker has broken into one site, they may be able to get into them all.
Solution
- Do not predefine questions. Allow the user to write their own. Allow Unicode so they may use a different language. If you’re afraid that some beginners won’t know what questions to write, give them a non-cliché example. Explain that their friends should not know the answer.
- Do not store answers in plain text. Salt and hash the answers before storing them. Chances are that your user has the same questions on other sites. Do the Internet a favor.
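The storage rule above, worked through as an added example (this is not code from the post; the record format `algo$iterations$salt$digest`, the iteration count and the function names are my own choices). It also covers the Unicode point from the first bullet: the answer is NFKC-normalised and case-folded before hashing, so a user who wrote the answer in Cyrillic or in full-width Latin still verifies when they retype it with slightly different whitespace or capitalisation, while the stored digest is salted and compared in constant time like a password.

```python
import base64
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Constructed example, not the blog's own code: store a security-question
# answer the way a password is stored, and compare it in constant time.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # assumed value; tune upward so guessing costs the attacker
SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so harmless variation still verifies, in any script.

    NFKC maps compatibility characters (full-width letters, ligatures) to their
    plain forms, casefold() lower-cases across scripts (Cyrillic included), and
    runs of whitespace collapse to one space. Accents are deliberately kept:
    "Géraldine" and "Geraldine" remain different answers.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_answer(answer: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record "algo$iterations$salt$digest".

    A fresh random salt per answer means two users with the same answer to a
    cliché question do not share a digest, so a dumped table cannot be
    attacked with one precomputed list. `salt` may be passed only for tests.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, ITERATIONS
    )
    return f"{ALGORITHM}${ITERATIONS}${_b64(salt)}${_b64(digest)}"


def verify_answer(candidate: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and
    compare with hmac.compare_digest to avoid a timing side channel."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != ALGORITHM:
        raise ValueError(f"unsupported record type: {algo}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode("utf-8"), salt, int(iterations)
    )
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample: the question text is not secret and may be stored
    # as written by the user; only the answer is hashed.
    question = "Как звали плюшевого медведя, которого я потерял в поезде?"
    stored = hash_answer("  Потап ")
    print(question)
    print("stored record:", stored)
    print("retyped 'потап' verifies:", verify_answer("потап", stored))
    print("'Rex' verifies:", verify_answer("Rex", stored))
```

The record carries its own algorithm name and iteration count, so the site can raise `ITERATIONS` later and re-hash each answer the next time it is verified, without a migration that needs the plain text.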
It’s a nice idea to point out that we must not store these values in plain text!
I would also like to add that the “bottom-line security of an account” must not be defined by the security question. If you can reset a password just by knowing one or two security questions, without anything else, then the security question becomes as important as the password.
Then, why not just call it a backup password?
The better use I see for the security question is to initiate a password change request by email or by another means of authentication. That way, the protection the security question offers is limited to not annoying the user if their email is secure and to not compromising their account if that same email is compromised.
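The flow the comment above describes, as an added example that is not part of the comment or the site's code: a correct answer never changes the password by itself; it only authorises e-mailing a single-use, expiring token, and the password changes only when that token comes back. The class and function names, the token lifetime, the attempt limit and the in-memory outbox are all assumptions made for the example; answer storage is reduced to one salted PBKDF2 digest so the reset logic stays in focus.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

# Constructed example, not the commenter's or any site's code.
KDF_ITERATIONS = 100_000        # assumed; raise in production
TOKEN_TTL_SECONDS = 15 * 60     # assumed token lifetime
MAX_ANSWER_ATTEMPTS = 5         # assumed lockout threshold
# The same reply whether or not the answer matched, so the endpoint does
# not tell a caller which guesses were right.
GENERIC_REPLY = "If the answer matched, a reset link has been e-mailed."


def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, KDF_ITERATIONS)


def _norm(answer: str) -> str:
    return " ".join(answer.casefold().split())


@dataclass
class Account:
    email: str
    question: str
    answer_salt: bytes
    answer_digest: bytes
    password_salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_digest: bytes = b""
    failed_answer_attempts: int = 0


def new_account(email: str, question: str, answer: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    acct = Account(email, question, salt, _kdf(_norm(answer), salt))
    acct.password_digest = _kdf(password, acct.password_salt)
    return acct


def check_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_kdf(password, acct.password_salt), acct.password_digest)


@dataclass
class PendingReset:
    token_digest: bytes   # only a digest is kept: a leaked table cannot be replayed
    expires_at: float
    used: bool = False


class ResetService:
    def __init__(self, send_email: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self._send_email = send_email
        self._clock = clock
        self._pending: Dict[str, PendingReset] = {}

    def request_reset(self, acct: Account, answer: str) -> str:
        """Step 1: the answer decides only whether a token is e-mailed."""
        if acct.failed_answer_attempts >= MAX_ANSWER_ATTEMPTS:
            return GENERIC_REPLY            # locked: no more guesses accepted
        candidate = _kdf(_norm(answer), acct.answer_salt)
        if not hmac.compare_digest(candidate, acct.answer_digest):
            acct.failed_answer_attempts += 1
            return GENERIC_REPLY
        token = secrets.token_urlsafe(32)
        self._pending[acct.email] = PendingReset(
            hashlib.sha256(token.encode("ascii")).digest(),
            self._clock() + TOKEN_TTL_SECONDS,
        )
        self._send_email(acct.email, token)  # the mailbox is the second factor
        return GENERIC_REPLY

    def complete_reset(self, acct: Account, token: str, new_password: str) -> bool:
        """Step 2: only the e-mailed token, unexpired and unused, changes the password."""
        pending = self._pending.get(acct.email)
        if pending is None or pending.used or self._clock() > pending.expires_at:
            return False
        presented = hashlib.sha256(token.encode("ascii")).digest()
        if not hmac.compare_digest(presented, pending.token_digest):
            return False
        pending.used = True
        acct.password_salt = secrets.token_bytes(16)
        acct.password_digest = _kdf(new_password, acct.password_salt)
        acct.failed_answer_attempts = 0
        return True


if __name__ == "__main__":
    outbox = []   # constructed stand-in for the mail system
    svc = ResetService(send_email=lambda email, tok: outbox.append((email, tok)))
    acct = new_account("alice@example.test", "What did I call my first bike?", "Bluebird", "old-pass")
    print(svc.request_reset(acct, "wrong"), "| mails sent:", len(outbox))
    svc.request_reset(acct, " bluebird ")
    _, token = outbox[-1]
    print("reset completed:", svc.complete_reset(acct, token, "new-pass"))
    print("new password works:", check_password(acct, "new-pass"))
```

Because the answer only gates the e-mail, an attacker who knows where you were born still needs your mailbox, and an attacker with your mailbox but not the answer is held off as well; a wrong guess is counted and the reply never reveals which case applied.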
That is indeed a very good way to view security questions!