The Insecurity of Security Questions: Why I met my wife in CWmKryWzuxCSAnMDuIg.

Posted by Tom Moertel Fri, 19 Sep 2008 15:06:00 GMT

Via Dare Obasanjo’s blog, I learned that the much-publicized cracking of Sarah Palin’s Yahoo! email accounts was accomplished by exploiting the weakness of “security questions”. In short, all the attacker needed to do to convince Yahoo’s computers that he was Palin was answer three questions as if he were Palin:

  • What’s your birthday?
  • What’s your Zip code?
  • Where did you meet your spouse?

The attacker says he obtained the answers to these questions in less than an hour. Everything he needed was already public knowledge, and Google and Wikipedia made that knowledge easy to find.

And that’s why, when I sign up for web sites that ask me to provide baseline answers for those annoying security questions, I claim that I met my spouse in CWmKryWzuxCSAnMDuIg. What? You’ve never been there? Well, that’s not surprising. It’s not a real place: it’s a password, randomly generated, and remembered for me by password-management software on my computer.

That’s right. Every time I’m asked to establish my “secret” answer to a security question, I generate a random string and use that. Here’s a script I use:

#!/usr/bin/perl
# Print one random, alphanumeric "security answer" built from 16 bytes
# (128 bits) of kernel randomness.
use strict;
use warnings;
use MIME::Base64;

open my $random, '<', '/dev/urandom'
    or die "can't open /dev/urandom: $!";
binmode $random;
my $bytes;
my $n = read $random, $bytes, 16;
close $random;
die "short read from /dev/urandom" unless defined $n && $n == 16;

# Base64 the raw bytes, then delete everything that is not a letter or a
# digit (drops '+', '/' and the '=' padding, which some sites reject in
# answers), leaving roughly 20 to 22 characters.
my $pw = encode_base64($bytes, '');
$pw =~ tr/A-Za-z0-9//cd;
print "$pw\n";

Then I store the string in my password-management software, just in case the web site asks me for it later. Which should only happen if I forget my primary password for that site. Which should only happen if I can’t get into my password-management software. Which should only happen if I’m totally screwed, anyway, so what are the security questions buying me again?
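The same idea in Python 3, written as an added example rather than Tom's script: it draws each answer from the OS random source via the `secrets` module, uses a fixed length instead of the variable length the base64-then-strip step produces, and reports how many bits an answer carries, including when a site caps answer length and forces a shorter one. The question prompts used in the demo are the three from the Palin incident; the helper names and the 128-bit target are choices made for this example.

```python
import math
import secrets
import string

# Alphabet matching the Perl script's tr/A-Za-z0-9//cd filter.
ALNUM = string.ascii_letters + string.digits


def random_answer(length=22, alphabet=ALNUM):
    """Uniformly random answer from `alphabet`, drawn with the OS CSPRNG."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALNUM):
    """Entropy of a uniformly random string of `length` symbols from `alphabet`."""
    return length * math.log2(len(alphabet))


def length_for_bits(target_bits, alphabet=ALNUM):
    """Shortest length whose entropy reaches `target_bits` (128 bits needs 22 alnum chars)."""
    return math.ceil(target_bits / math.log2(len(alphabet)))


def guess_space_bits(possibilities):
    """Bits an attacker must brute-force for an answer drawn uniformly from
    `possibilities` values (e.g. a five-digit ZIP code). A publicly known
    answer is worse than this: the attacker does not guess at all."""
    return math.log2(possibilities)


def fill_security_questions(questions, site_max_len=None, alphabet=ALNUM, target_bits=128):
    """One independent random answer per question, shortened only when the
    site caps answer length. Returns ({question: answer}, bits_per_answer)."""
    length = length_for_bits(target_bits, alphabet)
    if site_max_len is not None and site_max_len < length:
        length = site_max_len  # the site forces a weaker answer; report it honestly
    answers = {q: random_answer(length, alphabet) for q in questions}
    return answers, entropy_bits(length, alphabet)


if __name__ == "__main__":
    # Constructed sample input: the three prompts from the Palin incident.
    prompts = ["What's your birthday?", "What's your Zip code?", "Where did you meet your spouse?"]
    answers, bits = fill_security_questions(prompts)
    for q, a in answers.items():
        print(f"{q:<35} {a}")
    print(f"{bits:.1f} bits per answer; a five-digit ZIP code is at most "
          f"{guess_space_bits(100_000):.1f} bits even if it were not public")
```

Each answer is generated independently, so a leak of one site's answer says nothing about another's; the price is that every answer must be stored, which is exactly the password-manager step above.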

In sum, if you care about your security, you’re probably picking good passwords already. In that case, security questions can’t help you, but they can harm you by giving an attacker an easier way to bypass your password. That’s how the Palin-email cracker did it. So treat your answers to security questions as if they were passwords – in effect, that’s what they are.

13 comments
no trackbacks

Comments

  1. Charles Darke said about 2 hours later:

    Great post title!

    I do the same thing but don’t usually store the random string. I had to pay for this recently since I forgot the password and couldn’t reset it and in the end had to go through customer services.

    All sites really should stop using this technique.

  2. Bart said about 3 hours later:

    This is actually a good idea. I’ve always just used more obscure “forgot password” questions/answers that only people really close to me or myself would know, but this is also a good solution.

  3. Mark said about 6 hours later:

    Obviously she’s Welsh.

  4. none said about 13 hours later:

    I use Python for that:

    from hmac import HMAC as h
    
    def site_password(name_of_site):
      return h(name_of_site).digest().encode('base64')[:8]
    
    print site_password('yahoo.com')
    

    That means I don’t need password management software to juggle dozens of independently generated passwords, but there’s a master password that I have to be careful to keep secure and not lose.

    Looks like the markup for this site is messing up the python indentation and doesn’t like functions called “hmac”—you should be able to figure it out though.

    [I fixed the markup for you. —Tom]

  5. Common Sense said about 18 hours later:

    Good technique but you should upgrade the script so it’s not in a legacy language.

  6. t said 2 days later:

    > Then I store the string in my password-management software

    Out of curiosity, what is this?

  7. Tom Moertel said 3 days later:

    I’ve used PasswordSafe on Windows and various related password managers on Linux.

  8. Clemens Fruhwirth said 7 days later:

    I had a similar problem.

    http://passwordmaker.org/ solves it for me. It is a “standardized” password generation method based on a master password and the site name. It is implemented on Firefox (right click into the password field and select “Fill in password”), Opera, Stand-alone, Javascript, Command-Line, PHP, Mobile.

    To me it is the best implemented approach to this. Yes, Firefox still stores the passwords “PasswordMaker” generates, but if I’m not at home, I just go to passwordmaker.org and regenerate my password (entirely in javascript without talking to the server).

  9. askyle said 32 days later:

    @Common Sense (5): How exactly is Perl a “legacy” language? Last time I checked it was still alive, kicking and underlying my undergraduate project ;)

  10. shandy said 137 days later:

    How can I edit my security question?

  11. Tom Moertel said 137 days later:

    @shandy: On most web sites, you can edit your security question(s) by logging in and editing your account preferences or user profile.

    Cheers,
    Tom

  12. another_none said 137 days later:

    “none”’s python code of comment #4 is missing an arg to the hmac function, which should be a secret string that the user remembers or writes down somewhere. The per-site passwords are then derived from that string and the site name. See the wikipedia article “key derivation function”.
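
A corrected form of the per-site derivation from comment #4, added here as an example and not code from the thread: the master passphrase is the HMAC key, as comment #12 says it should be, stretched first with PBKDF2 so that one leaked answer does not give a fast offline attack on a weak master; the question text and a counter are mixed into the message so each question at a site gets its own answer and any single answer can be rotated. The passphrase, site names, salt label and iteration count are constructed for the example.

```python
import base64
import hashlib
import hmac


def stretch_master(master, salt="security-answers-v1", iterations=200_000):
    """Turn the remembered master passphrase into a 32-byte HMAC key with
    PBKDF2-HMAC-SHA256. The salt is a fixed application label (constructed for
    this example); the iteration count is what slows an attacker who obtains
    one derived answer and tries to guess the master offline."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                               salt.encode("utf-8"), iterations)


def _alnum_from_hmac(key, label):
    """Base64 one HMAC-SHA256 output and keep letters and digits only, the
    same filter as the Perl script's tr/A-Za-z0-9//cd."""
    mac = hmac.new(key, label, hashlib.sha256).digest()
    return "".join(c for c in base64.b64encode(mac).decode("ascii") if c.isalnum())


def derive_answer(master_key, site, question, counter=0, length=22):
    """Deterministic answer for (site, question, counter). Site and question
    are trimmed and lower-cased so the same answer comes back however the
    prompt was typed; bump `counter` to rotate one answer without touching
    the master or any other site."""
    label = f"{site.strip().lower()}\x00{question.strip().lower()}\x00{counter}".encode("utf-8")
    out, block = "", 0
    while len(out) < length:  # one block (~40 alnum chars) normally suffices
        out += _alnum_from_hmac(master_key, label + bytes([block]))
        block += 1
    return out[:length]


if __name__ == "__main__":
    key = stretch_master("correct horse battery staple")  # constructed passphrase
    for q in ("Where did you meet your spouse?", "What's your Zip code?"):
        print(f"yahoo.com / {q}: {derive_answer(key, 'yahoo.com', q)}")
    print("rotated:", derive_answer(key, "yahoo.com", "What's your Zip code?", counter=1))
```

The trade-off against the random-string approach in the post is that nothing needs to be stored, but the master passphrase becomes the single point of failure, and the exact site and question strings (plus the counter) must be reproduced to regenerate an answer, so recording the derived answers in a password manager anyway is still prudent.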

  13. SF said 928 days later:

    If the account is important it can be a good idea to write down your password (or answer to the “security” question) on a piece of paper and put it in a safe deposit box in your favourite bank.
