Security questions considered dangerous


As I'm wrapping up the security chapter for Essential ASP.NET 2.0, I'm putting together some guidance for using SqlMembershipProvider. One of the things that really bothers me about this class is the ease with which one can reset a user's password by answering a single question that the user herself specifies when creating her account. There's nothing stopping the user from choosing a question that is easily answered by a six-year-old:

What's 2 plus 2?

Or even a question that's easily answered given some public knowledge about the user:

What street do you live on?

Or something you could easily find out from a user by asking her:

What's your favorite color? What's the name of your dog?

I find it ironic that SqlMembershipProvider goes to great lengths to let you control password complexity, and yet still allows that password to be reset with a single, user-chosen question/answer challenge. Sure, you can turn off the password reset feature, but that's not necessarily optimal either. What would be great is if we could replace the question/answer challenge with something better, for example the scheme proposed in Building Secure Software by Viega & McGraw. In that scheme the user doesn't get to write the questions: the system designer comes up with a long list of questions and asks the user to pick M of them and supply answers. Then at password reset time, the system randomly chooses N of those M questions and requires the user to correctly answer at least P of the N. M, N, and P are variables you tune based on your security posture (risk tolerance versus ease of use).
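The M/N/P scheme described above, as an added example in Python. This is not code from the original post, from SqlMembershipProvider, or from Viega & McGraw: the question bank, the M/N/P values, the answer normalization rule, the salted PBKDF2 hashing of stored answers, and the constant-time comparison are all assumptions chosen for illustration.

```python
"""M/N/P challenge-question password reset (added example, hypothetical design)."""
import hashlib
import hmac
import os
import re
import secrets
import unicodedata

# Designer-supplied question bank (constructed for this example). Users pick
# from it; they never write their own questions.
QUESTION_BANK = {
    "first_employer": "What was the name of your first employer?",
    "first_car": "What was the make and model of your first car?",
    "elementary_school": "What elementary school did you attend?",
    "first_concert": "Who performed at the first concert you attended?",
    "childhood_phone": "What was your childhood telephone number?",
    "grandparent_town": "In what town was your oldest grandparent born?",
}

# Policy knobs (assumed values): enroll M answers, challenge with N of them,
# require at least P correct.
M, N, P = 4, 3, 2
PBKDF2_ITERATIONS = 100_000  # assumed cost; tune for your hardware


def normalize(answer: str) -> str:
    """Fold case, Unicode form, punctuation and whitespace so that
    'Acme  Widgets.' and 'acme widgets' hash to the same value."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"[^\w]+", " ", folded).strip()


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Store answers like passwords: salted, slow hash of the normalized text."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def enroll(chosen: dict) -> dict:
    """chosen maps question id -> plaintext answer. Exactly M distinct
    bank questions are required. Returns the per-user record to persist."""
    ids = set(chosen)
    if len(ids) != M or not ids <= QUESTION_BANK.keys():
        raise ValueError(f"choose exactly {M} distinct questions from the bank")
    record = {}
    for qid, answer in chosen.items():
        if not normalize(answer):
            raise ValueError(f"empty answer for {qid!r}")
        salt = os.urandom(16)
        record[qid] = (salt, hash_answer(answer, salt))
    return record


def make_challenge(record: dict) -> list:
    """Pick N of the user's M questions with a CSPRNG, so the requester
    cannot steer which questions are asked. Persist the result server-side
    and bind it to the reset session."""
    return secrets.SystemRandom().sample(sorted(record), N)


def verify(record: dict, challenge: list, answers: dict) -> tuple:
    """Score only the questions that were actually issued in `challenge`;
    succeed when at least P of the N are correct. Returns (ok, correct)."""
    if len(challenge) != N or not set(challenge) <= record.keys():
        raise ValueError("challenge does not match the issued set")
    correct = 0
    for qid in challenge:
        salt, expected = record[qid]
        given = answers.get(qid, "")
        if hmac.compare_digest(hash_answer(given, salt), expected):
            correct += 1
    return correct >= P, correct


if __name__ == "__main__":
    rec = enroll({
        "first_employer": "Acme Widgets",
        "first_car": "Honda Civic",
        "elementary_school": "Lincoln",
        "first_concert": "Rush",
    })
    chal = make_challenge(rec)
    for qid in chal:
        print(QUESTION_BANK[qid])
    print(verify(rec, chal, {"first_employer": "acme widgets", "first_car": "Honda Civic"}))
```

Two details matter beyond the M/N/P arithmetic: the server, not the client, decides which N questions are asked and scores only those, so a requester cannot substitute the questions he happens to know; and answers are stored as salted, slow hashes, because a leaked answer table is reusable across every site that asks "mother's maiden name".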

PayPal, for example, follows this procedure:

1) You must enter an email address that PayPal already has on file for you. Password reset instructions are sent to that address. The form includes a CAPTCHA to deter bots.

2) Once you get the email, you must click through a link to access the password reset page. As with virtually all pages at PayPal, this runs over HTTPS.

3) The password reset page asks you to choose one of several verification methods. You can either verify your full credit card number, your bank account number (if you've linked a bank account), or answer a couple of security questions.

PayPal currently offers four security questions, and you must correctly answer two of them. The questions they offer are:

Mother's maiden name, last four characters of your driver's license number, last four digits of your SSN, and city of birth.

I'm curious how others are automating password resets. It's an important feature, as password reset is one of the top reasons people call a help desk, but it's also a tough problem to solve.


Posted May 24 2006, 06:03 AM by keith-brown

Comments

paulb wrote re: Security questions considered dangerous
on 05-24-2006 6:49 AM
The biggest problem is that the reset method is an abstract method of the MembershipProvider base class. So most implementations will probably support this, since you have to implement the method.
Tales from the Crypto wrote Security questions considered dangerous
on 05-24-2006 9:45 AM
Keith Brown expresses concern over the security questions people ask themselves for password reset, and...
Norman Diamond wrote re: Security questions considered dangerous
on 05-24-2006 5:02 PM
> Once you get the email, you must click
> through a link to access the password reset
> page.

Are you serious? No wonder people find mail messages believable when the mail pretended to come from PayPal and contains links which pretend to be PayPal sites.
Jason Haley wrote Interesting Finds: May 24, 2006 PM edition
on 05-24-2006 6:17 PM
Paul Laudeman wrote Password reset challenge questions: More trouble than they are worth?
on 06-07-2006 7:44 PM
Keith Brown states that password “security questions are considered dangerous” in the context...
Garry wrote re: Security questions considered dangerous
on 11-17-2007 3:38 PM
Some questions pose more serious threats than others and some can be quite difficult to decipher or crack. I have a list of good and bad questions at http://www.goodsecurityquestions.com/about.htm.
York wrote re: Security questions considered dangerous
on 02-27-2008 7:48 AM
As challenge questions with our password reset solution (http://www.scriptlogic.com/products/password-self-service) we use a set of 3 or 5 questions like, for example: "What are the last 5 digits of your driver's license number?", "In what city did you meet your spouse?", "What is your youngest brother's/sister's birthday?".
I think the main requirements for these questions should be high memorability and being too complex to be guessed by strangers.
By the way, for anyone who is still thinking about using a self-service password reset solution: I strongly recommend you do it. Since we implemented password reset with the Desktop Authority Password Self-Service solution linked above, our helpdesk staff have had a chance to take a breather without constant password-related calls and requests.
