Why do they do this?
It’s a cheaper way to do account recovery
PASSWORD                                   SECURITY ANSWER
Complexity often "enforced" by             Often a word or name
Users are told to keep passwords           Security answers available on
Attempts to train users not to share       Security questions are common
passwords between sites
STORAGE: Should be salted and hashed       Can't salt/hash if need to do fuzzy
—OWASP, “Choosing and Using Security Questions Cheat Sheet”
solution as palatable
• Answering security questions is rarely optional
• Many recommend answering the questions with gibberish
• Many users don’t realize they can (or should) make up answers
• Security questions often eliminate better methods for account recovery
• We aren’t trying to solve this problem just for security professionals!
Context is important
Must be truthful
Make something up
Looking up the answer
What is your mother’s maiden name?
What is your oldest sibling’s birthday month and year?
What high school did you attend?
What school did you attend for sixth grade?
What was the last name of your third grade teacher?
What was your childhood phone number?
What hospital were you born in?
And, of course…
But if you need to guess…
• First name
• Favorite team
• Family name
• First/favorite pet
• Color of first car
Some questions are just bad!
• “What is your favorite season?” (eDisclosure/SouthTech Systems)
Only 4 choices, unless you include “football”, “strawberry”, etc.
• “Who is the first president you voted for?” (California DMV)
Very limited choices, especially if approximate age of user known
• “What is the year in which you were married? (YYYY)” (Fidelity Investments)
Easy to guess, especially if user is young
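The three questions above are "bad" because their answer space is tiny or heavily skewed, so a handful of throttled guesses covers most users. The following added example (not from the slides or the cited papers) turns that judgment into a check a defender can run over a question's observed answer distribution: min-entropy, Shannon entropy, and the fraction of accounts that the k most common answers would unlock under a k-attempt throttle. The two distributions are constructed for illustration, not survey data.

```python
import math
from collections import Counter

# Constructed answer distributions (illustrative counts per 100 users, not real data).
# Keys are answers already reduced to one canonical form.
FAVORITE_SEASON = Counter({"summer": 40, "fall": 25, "spring": 20, "winter": 15})

FIRST_PET = Counter({"max": 6, "bella": 5, "buddy": 4, "charlie": 4, "lucy": 3})
FIRST_PET.update({f"pet{i}": 1 for i in range(78)})  # long tail of unique names


def top_k_success(counts: Counter, k: int) -> float:
    """Fraction of accounts whose answer is among the k most common answers.

    This is the success rate of a guesser who is allowed exactly k attempts
    per account and always tries the most popular answers first.
    """
    total = sum(counts.values())
    return sum(n for _, n in counts.most_common(k)) / total


def min_entropy_bits(counts: Counter) -> float:
    """-log2 of the most likely answer's probability: the single-guess strength."""
    total = sum(counts.values())
    return -math.log2(max(counts.values()) / total)


def shannon_entropy_bits(counts: Counter) -> float:
    """Average information per answer; optimistic for security, shown for contrast."""
    total = sum(counts.values())
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def question_is_acceptable(counts: Counter, attempts_allowed: int,
                           max_success: float = 0.01) -> bool:
    """True if a throttled guesser (attempts_allowed tries) opens at most
    max_success of accounts.  The 1% default is an assumed policy threshold."""
    return top_k_success(counts, attempts_allowed) <= max_success


if __name__ == "__main__":
    for name, dist in (("favorite season", FAVORITE_SEASON), ("first pet", FIRST_PET)):
        print(f"{name}: min-entropy {min_entropy_bits(dist):.2f} bits, "
              f"Shannon {shannon_entropy_bits(dist):.2f} bits, "
              f"3 guesses open {top_k_success(dist, 3):.0%} of accounts, "
              f"acceptable at 1%: {question_is_acceptable(dist, 3)}")
```

Note how Shannon entropy flatters the pet-name question: the long tail of unique answers raises the average, while the few popular names still let three guesses open 15% of accounts. The guess-success figure under the real throttle is the number that should drive the accept/reject decision, and it gets worse when the distribution is conditioned on what is already known about the user (age, region).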
False negatives, too
• Many questions have more than one “right” answer:
  • “What is the last name of your childhood best friend?”
  • “What is your favorite color?”
  • “What is the name of a college you applied to but didn’t attend?”
• Many questions have ambiguous formatting, difficult to canonicalize:
  • (213) 555-2368 vs. 213/5552368 and +44 7786 230167 vs. (07786) 230167
  • West Maple Street vs. W. Maple St.
• Throttling strategies need to accommodate guessing by the intended user as well as by attackers
What to do?
• Challenge questions might have some role in nuisance limitation
• Example: Challenging user prior to sending password reset email
• Choose questions that have deterministic, hashable answers
• Don’t expect any real security, even when multiple questions are asked
• Consider insider threats, e.g., disgruntled ex-spouses
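The "false negatives" points (ambiguous formatting, throttling that must tolerate the legitimate user's own retries) and the "what to do" advice (deterministic, hashable answers; a challenge before the reset email goes out) fit together in one verifier. The code below is an added example, not from the slides or the OWASP cheat sheet: it canonicalizes an answer before hashing so the phone-number and street-address variants above compare equal, stores the answer like a password (random salt plus a slow KDF), and budgets failed attempts per enrolled challenge. The abbreviation table, the default country code and the attempt limit are assumptions of this example; a real deployment would take them from its own data and policy.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Small abbreviation table so "West Maple Street" and "W. Maple St." agree.
# Constructed for this example; a real deployment needs a fuller table.
ABBREVIATIONS = {
    "street": "st", "avenue": "ave", "road": "rd",
    "north": "n", "south": "s", "east": "e", "west": "w",
}


def canonicalize(answer: str, kind: str = "text", country_code: str = "1") -> str:
    """Reduce an answer to one deterministic string before it is hashed.

    kind="text": Unicode-normalize, casefold, expand abbreviations, and drop
    spaces and punctuation.  kind="phone": keep digits only and reconcile
    national vs. international notation using a default country code
    (assumed here; in practice taken from the account's profile).
    """
    s = unicodedata.normalize("NFKC", answer).strip()
    if kind == "phone":
        digits = re.sub(r"\D", "", s)
        if s.startswith("+"):
            return digits                    # already in international form
        if digits.startswith("0"):
            digits = digits[1:]              # drop the national trunk prefix
        return country_code + digits
    tokens = re.findall(r"[a-z0-9]+", s.casefold())
    return "".join(ABBREVIATIONS.get(t, t) for t in tokens)


def hash_answer(canonical: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Same treatment as a password: per-answer random salt plus a slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", canonical.encode("utf-8"), salt, iterations)


class RecoveryChallenge:
    """One enrolled question with a salted hash and a failed-attempt budget."""

    def __init__(self, question, salt, digest, kind, country_code, max_attempts):
        self.question = question
        self.salt = salt
        self.digest = digest
        self.kind = kind
        self.country_code = country_code
        self.max_attempts = max_attempts
        self.failures = 0

    @classmethod
    def enroll(cls, question, answer, kind="text", country_code="1", max_attempts=3):
        salt = os.urandom(16)
        digest = hash_answer(canonicalize(answer, kind, country_code), salt)
        return cls(question, salt, digest, kind, country_code, max_attempts)

    @property
    def locked(self) -> bool:
        """True once the failure budget is spent; a manual reset is then needed."""
        return self.failures >= self.max_attempts

    def verify(self, answer: str) -> bool:
        """Constant-time comparison of the hashed candidate; counts failures."""
        if self.locked:
            return False
        candidate = hash_answer(canonicalize(answer, self.kind, self.country_code), self.salt)
        if hmac.compare_digest(candidate, self.digest):
            return True
        self.failures += 1
        return False


if __name__ == "__main__":
    phone = RecoveryChallenge.enroll("What was your childhood phone number?",
                                     "(213) 555-2368", kind="phone")
    print(phone.verify("213/5552368"))   # True: same number, different notation
    print(phone.verify("213/5552369"))   # False: one failure counted
    teacher = RecoveryChallenge.enroll("What was the last name of your third grade teacher?",
                                       "O'Brien")
    print(teacher.verify("obrien"))      # True after canonicalization
    print(teacher.verify("O'Brian"))     # False: a hash cannot tolerate a fuzzy match
```

The last call shows the trade-off the storage row of the comparison table points at: once the answer is salted and hashed, only an exact canonical match verifies, so any tolerance for misspellings has to be bought up front by a stricter canonicalization rule, not by fuzzy comparison at check time. The per-challenge failure budget is deliberately small, since a legitimate user who has genuinely forgotten the answer gains little from many retries while a guesser gains a lot.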
• M. Just and D. Aspinall. Personal choice and challenge questions: a security and usability assessment. In Proceedings of the 5th Symposium on Usable Privacy and Security (SOUPS), pages 1–11. ACM,
• Joseph Bonneau, Mike Just and Greg Matthews. What's in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions. FC '10: The 14th International Conference on Financial Cryptography.
• Joseph Bonneau, Elie Bursztein, Ilan Caron, Rob Jackson, and Mike Williamson. 2015. Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google. In Proceedings of the 24th International Conference on World Wide Web (WWW '15). International World Wide Web Conferences Steering Committee, Republic and Canton of Geneva, Switzerland, 141–150.
• OWASP, Choosing and Using Security Questions Cheat Sheet.
• Insecurity Questions blog, https://insecurityq.wordpress.com