[PLUG-TALK] Challenge Question Authentication Holy S***!

Keith Lofstrom keithl at kl-ic.com
Mon Apr 4 06:10:04 UTC 2016


Read an old paper: "Designing Authentication Systems with
Challenge Questions" by Mike Just, and realized, holy s***,
these represent a huge security risk if used as intended.

The problem is, most websites use the same short list of
security questions, like "what was the name of your first
pet?" and "what was the name of your elementary school?"

I used to think the main problem with challenge questions
is that in the age of Facebook and Twitter and blogging,
true answers to common personal questions are public
knowledge, hence easy to guess answers for.

I answer such questions with nonsense phrases, and keep
a hidden list for every site.  Now that you know that,
a $20 pipe wrench gets you my nonsense phrases.
However, I imagine naive or lazy users pick the same
subset of questions and use the same answers every time.

Imagine that Eve sets up a website "Bonusplus" with some
attractive offer (Today Only!  Free Pipe Wrench!  $20
Value!  Sign up NOW!!!) and uses the same security
question list as Gmail.  Bozo Bob signs up for the
website, picks the set of questions he is familiar with,
and gives the answers he is used to giving.  Even if Bob
is half clever, and uses patterned nonsense answers like
"bns bromine", Eve can guess that his answer to a
similar Gmail authentication question is "ggl iron"
or "gml germanium" (see note).  Most people are more
robotic than Bob, and their answers are easier to guess.

The point is, given a very small set of common questions,
close approximations of the answers can be harvested by
the bad guys. An automated search for a functional answer
is much smaller than these "security" systems presume.

The best authentication solution I can come up with is
hiring people who are very good at remembering faces
and people, then setting up "authentication offices" in
thousands of cities, where individuals can authenticate
themselves and their passwords, face to face.

Banks could offer this as a service to their customers;
most already do for their own products.  They could also
offer password training classes.  They have much to lose
if their customers are defrauded.  At one of my banks,
I show up twice a year, yet the small staff greets me by
name.  Talented and trained people can be good at this.

Keith

(note)  Your puzzle for the day: what is Bozo Bob's
memorizable algorithm?

-- 
Keith Lofstrom          keithl at keithl.com