“Security” Questions Considered Harmful Passwords 2015 Las Vegas Jim Fenton @jimfenton

Security Questions Considered Harmful

Apr 16, 2017

Jim Fenton
Transcript
Page 1: Security Questions Considered Harmful

“Security” Questions Considered Harmful

Passwords 2015 Las Vegas Jim Fenton @jimfenton

Page 2: Security Questions Considered Harmful

Everyone has seen this

Page 3: Security Questions Considered Harmful

Why do they do this?

It’s a cheaper way to do account recovery

Page 4: Security Questions Considered Harmful

Characteristics

Password vs. security answer, compared on four characteristics:

COMPLEXITY
  Password: Complexity often “enforced” by complex rules
  Security answer: Often a word or name

SECRECY
  Password: Users are told to keep passwords secret
  Security answer: Security answers available on Facebook, Ancestry… (OPM?)

SHARING
  Password: Attempts to train users not to share passwords between sites
  Security answer: Security questions are common between sites

STORAGE
  Password: Should be salted and hashed
  Security answer: Can’t salt/hash if need to do fuzzy matching

Page 5: Security Questions Considered Harmful

Best Practices?

“…make the Forgot Password solution as palatable as possible”

—OWASP, “Choosing and Using Security Questions Cheat Sheet”, https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet

Page 6: Security Questions Considered Harmful

But, to be fair…

—OWASP

Page 7: Security Questions Considered Harmful

Opting out

• Answering security questions is rarely optional

• Many recommend answering the questions with gibberish

• Many users don’t realize they can (or should) make up answers

• Security questions often eliminate better methods for account recovery

• We aren’t trying to solve this problem just for security professionals!

Page 8: Security Questions Considered Harmful

Context is important

(Diagram: brace-grouped contexts in which the same personal questions are asked, labelled “Must be truthful”, “Must be truthful”, and “Make something up”)

Page 9: Security Questions Considered Harmful

Looking up the answer

• What is your mother’s maiden name?

• What is your oldest sibling’s birthday month and year?

• What high school did you attend?

• What school did you attend for sixth grade?

• What was the last name of your third grade teacher?

• What was your childhood phone number?

• What hospital were you born in?

And, of course…

Page 10: Security Questions Considered Harmful

But if you need to guess…

• First name

• Favorite team

• Family name

• First/favorite pet

• Color of first car

• Street names (by state)

Page 11: Security Questions Considered Harmful

Some questions are just bad!

• “What is your favorite season?” (eDisclosure/SouthTech Systems) Only 4 choices, unless you include “football”, “strawberry”, etc.

• “Who is the first president you voted for?” (California DMV) Very limited choices, especially if approximate age of user known

• “What is the year in which you were married? (YYYY)” (Fidelity Investments) Easy to guess, especially if user is young

Page 12: Security Questions Considered Harmful

False negatives, too

• Many questions have more than one “right” answer:
  • “What is the last name of your childhood best friend?”
  • “What is your favorite color?”
  • “What is the name of a college you applied to but didn’t attend?”

• Many questions have ambiguous formatting, difficult to canonicalize:
  • (213) 555-2368 vs. 213/5552368, and +44 7786 230167 vs. (07786) 230167
  • West Maple Street vs. W. Maple St.

• Throttling strategies need to accommodate guessing by the intended user as well as by attackers

Page 13: Security Questions Considered Harmful

What to do?

• Challenge questions might have some role in nuisance limitation
  • Example: Challenging user prior to sending password reset email

• Choose questions that have deterministic, hashable answers

• Don’t expect any real security, even when multiple questions are asked

• Consider insider threats, e.g., disgruntled ex-spouses
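The following is an added example, not code from the talk, showing one way to get from the “can’t salt/hash if need to do fuzzy matching” row on page 4 and the ambiguous phone/street formats on page 12 to the “deterministic, hashable answers” page 13 asks for: canonicalize the answer at enrollment and at verification, then compare salted PBKDF2 hashes exactly. The abbreviation table, the rule that a number without a leading “+” belongs to a default country code, and the PBKDF2 parameters are my assumptions.

```python
import hashlib
import hmac
import os
import re

# Assumed abbreviation table so "W. Maple St." and "West Maple Street" agree.
STREET_ABBREV = {"w": "west", "e": "east", "n": "north", "s": "south",
                 "st": "street", "ave": "avenue", "rd": "road", "dr": "drive"}


def canon_phone(answer, default_cc="1"):
    """Reduce a phone number to country code + national digits.
    Assumption: a number without a leading '+' is in the default region,
    and a leading '0' there is a trunk prefix (e.g. UK 07786...)."""
    digits = re.sub(r"\D", "", answer)
    if answer.strip().startswith("+"):
        return digits                  # already carries its country code
    if digits.startswith("0"):
        digits = digits[1:]
    return default_cc + digits


def canon_street(answer):
    """Lowercase, drop punctuation, expand directional/suffix abbreviations."""
    words = re.sub(r"[^\w\s]", "", answer.lower()).split()
    return " ".join(STREET_ABBREV.get(w, w) for w in words)


def canon_year(answer):
    """Keep only a four-digit year: 'married in 1998' -> '1998'."""
    m = re.search(r"\b(\d{4})\b", answer)
    return m.group(1) if m else ""


CANON = {"phone": canon_phone, "street": canon_street, "year": canon_year}


def enroll(kind, answer, **kw):
    """Canonicalize, then store only a salt and a PBKDF2 hash of the answer."""
    salt = os.urandom(16)
    canon = CANON[kind](answer, **kw).encode()
    return salt, hashlib.pbkdf2_hmac("sha256", canon, salt, 100_000)


def verify(kind, answer, salt, digest, **kw):
    """Exact, constant-time comparison; no fuzzy matching on stored data."""
    canon = CANON[kind](answer, **kw).encode()
    cand = hashlib.pbkdf2_hmac("sha256", canon, salt, 100_000)
    return hmac.compare_digest(cand, digest)


if __name__ == "__main__":
    salt, digest = enroll("phone", "(07786) 230167", default_cc="44")
    print(verify("phone", "+44 7786 230167", salt, digest, default_cc="44"))
```

Canonicalization only helps for question types with a well-defined normal form; free-text answers such as a favorite color or a best friend’s last name have no such form and remain false-negative traps.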

Page 14: Security Questions Considered Harmful

References

• M. Just and D. Aspinall. Personal choice and challenge questions: a security and usability assessment. In Proceedings of the 5th Symposium on Usable Privacy and Security, pages 1–11. ACM, 2009.

• J. Bonneau, M. Just and G. Matthews. What’s in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions. In FC ’10: The 14th International Conference on Financial Cryptography, Tenerife, Spain, 2010.

• J. Bonneau, E. Bursztein, I. Caron, R. Jackson and M. Williamson. Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google. In Proceedings of the 24th International Conference on World Wide Web (WWW ’15), pages 141–150. International World Wide Web Conferences Steering Committee, Republic and Canton of Geneva, Switzerland, 2015.

• OWASP. Choosing and Using Security Questions Cheat Sheet. https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet

• Insecurity Questions blog. https://insecurityq.wordpress.com

Page 15: Security Questions Considered Harmful

Thank you!

(No, it’s not)