The Insecurity of Security Questions: Why I met my wife in CWmKryWzuxCSAnMDuIg.

Posted on
Tags: security, passwords

Via Dare Obasanjo’s blog, I learned that the much-publicized cracking of Sarah Palin’s Yahoo! email accounts was accomplished by exploiting the weakness of “security questions”. In short, all the attacker needed to do to convince Yahoo’s computers that he was Palin was answer three questions as if he were Palin:

The attacker says he obtained the answers to these questions in less than an hour. Everything he needed was already public knowledge, and Google and Wikipedia made that knowledge easy to find.

And that’s why, when I sign up for web sites that ask me to provide baseline answers for those annoying security questions, I claim that I met my spouse in CWmKryWzuxCSAnMDuIg. What? You’ve never been there? Well, that’s not surprising. It’s not a real place: it’s a password, randomly generated, and remembered for me by password-management software on my computer.

That’s right. Every time I’m asked to establish my “secret” answer to a security question, I generate a random string and use that. Here’s a script I use:

Then I store the string in my password-management software, just in case the web site asks me for it later. Which should only happen if I forget my primary password for that site. Which should only happen if I can’t get into my password-management software. Which should only happen if I’m totally screwed, anyway, so what are the security questions buying me again?
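One way to generate such answers, as an added example that is not the author's own script: it draws letters from the operating system's CSPRNG and gives each question its own answer. The function names, the 100-bit default target and the sample questions are assumptions made for illustration.

```python
import math
import secrets
import string

# Letters only, in the style of the answer in the title (assumed alphabet).
ALPHABET = string.ascii_letters


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy, in bits, of a uniformly random string of this length."""
    return length * math.log2(len(set(alphabet)))


def length_for_bits(target_bits, alphabet=ALPHABET):
    """Shortest answer length whose entropy meets target_bits."""
    return math.ceil(target_bits / math.log2(len(set(alphabet))))


def random_answer(length=19, alphabet=ALPHABET):
    """Return one random answer; secrets.choice is uniform and CSPRNG-backed."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need length >= 1 and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def answers_for_site(questions, target_bits=100):
    """Give every question its own answer, so one leaked answer reveals no other."""
    n = length_for_bits(target_bits)
    return {q: random_answer(n) for q in questions}


if __name__ == "__main__":
    # Constructed sample questions; real sites word theirs differently.
    sample = [
        "Where did you meet your spouse?",
        "What was the name of your first pet?",
        "What city were you born in?",
    ]
    for question, answer in answers_for_site(sample).items():
        # Tab-separated, ready to paste into a password manager's notes field.
        print(f"{question}\t{answer}")
    print(f"19 letters carry about {entropy_bits(19):.1f} bits of entropy")
```
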

In sum, if you care about your security, you’re probably picking good passwords already. In that case, security questions can’t help you, but they can harm you by making it easier for an attacker to bypass your passwords. That’s how the Palin-email cracker did it. So treat your answers to security questions as if they were passwords – in effect, that’s what they are.