In the beginning there was the password, and life was good. Eventually people started to forget their passwords and needed help from another person. Everyone likes to help out, but when many people are asking several times a day, the helper's own work suffers and the cost to the company adds up. Nowadays companies have a mechanism in place that lets users perform their own password resets: Self Service Password Management. One common method is to have users answer one or more “challenge questions” in advance, at enrollment, while they still know their password. The next time they forget the password, the user authenticates with one or more of those challenge questions in lieu of the password. Once authenticated with the correct answer(s), a new password can be set, and no one except the end user was involved in the process.
Challenge questions and answers can also be used to authenticate a user, either on their own or in combination with the password.
Just like passwords, the answers you choose should be carefully selected. A proper answer to a challenge question is one that the user won't easily forget and that an attacker can't determine through research or guessing.
“Never use any of the following for passwords or password reset challenge answers:
- common words, dictionary words, phone numbers, sequences of numbers
- name of family member, favorite color, drink, song, performer, pet name, car brand, any information that is publicly available: Think Facebook, LinkedIn, Twitter” 1
“The Question and Answer Challenge is an easy way to help combat spam from both bots and humans. For bots you can just create a question that a computer would have trouble understanding. For humans you can create a question that may be unique to your community’s subject matter that most people might not immediately know. Keep in mind a spammer isn’t going to bother searching for the answer: they will just move on.” 2
Administrators can encourage strong answers by asking the right question(s). The answers should be neither easily researched nor easily guessed. “What was your favorite present as a kid?” fails the second test: it wouldn't take an intruder long to run through a list of the more popular children's toys.
“Most websites that register users use some form of security questions. But my experience is that few websites use GOOD security questions. The reality is, there are no GOOD security questions, but these ideas present the best that is available.
Good security questions have four common characteristics. The answer to a good security question:
- cannot be easily guessed or researched (safe),
- doesn’t change over time (stable),
- is memorable,
- is definitive or simple.
It’s difficult to create questions that meet all four characteristics which means that some questions are good, some fair, and the remaining are poor.
The most important characteristic of a good security question is security – it does not compromise the very thing it is trying to protect. A good security question would have answers that are not easy to guess or decipher and thus block unauthorized access to the account.
Good security questions meet a number of specific requirements and have high entropy. In general, this means that the number of possible answers is very high and that the probability of selecting any one specific answer is very low. When you create high entropy-based questions, only the authorized user is likely to provide the correct answers.
- The answer cannot be found through research (mother’s maiden name, birth date, first or last name, social security number, phone number, address, pet’s name)
- The question has many possible answers where the probability of guessing the correct answer is low
- Answers are unlikely to be known by others such as a family member, close friend, relative, ex-spouse, or significant other.
- What is your address?
- What is your phone number?
- What is your mother’s maiden name?
- What was your dream job as a child?
- What is the first name of the boy or girl that you first kissed?
A good security question will not work for all people and most good questions still have some flaws. Therefore, it is best to offer 2-3 sets of questions (more if data is more sensitive) with a variety of questions. I recommend offering 15 questions in each of three sets. You would need to eliminate the question selected from the first set from the subsequent question groups.”3
Additional concerns around choosing a secure answer to a challenge question include:
1. Limited available questions
2. User information readily available on social websites
3. The need for answers that are hard to guess but easy to remember
There is a limited pool of secret questions that most Knowledge-Based Authentication (KBA) systems draw from, and many of those questions have only a small set of plausible responses, such as “What is your favorite color?” For a question like that an attacker does not even need to research you: a handful of the most popular answers covers most of the population, so the question offers far fewer effective bits than the number of possible colors suggests. If someone researches you and discovers the answers to your questions, they can gain unauthorized access to your account.
The ability to guess the response to a user's secret question has greatly increased with the volume of personal information available on the Internet. This was demonstrated during the 2008 U.S. presidential campaign, when a vice-presidential candidate's personal Yahoo! webmail account was broken into. The attacker needed only a minimal amount of research, using information found on the Internet, to answer the account's secret questions (birth date, postal code and where the candidate met her spouse) and reset the password.
Users need to be aware that there is a tremendous amount of information available about them, not only through Internet search engines but also through social networking profiles and other sources.
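The quoted guidance above says a good question has "high entropy", and the favorite-color discussion says why that is rarely achieved in practice. The following added example (my code, not from the article or from any of its cited sources) puts numbers on both points: it takes an answer-frequency table for a question and computes the Shannon entropy, the min-entropy (what a single-guess attacker faces), the probability that an attacker who simply tries the most popular answers succeeds within a lockout threshold, and how many guesses reach a 50% chance. The two frequency tables are constructed for illustration and are not survey data; the three-attempt lockout is an assumption.

```python
import math
from collections import Counter

# Constructed answer-frequency tables for two questions (illustrative only, not
# survey data). Each is out of 100 respondents so the probabilities are exact.
FAVORITE_COLOR = Counter({
    "blue": 40, "green": 15, "red": 13, "purple": 9, "black": 8,
    "orange": 5, "yellow": 4, "pink": 3, "white": 2, "brown": 1,
})
DREAM_JOB = Counter({
    "astronaut": 10, "veterinarian": 9, "doctor": 8, "firefighter": 7,
    "teacher": 7, "pilot": 6, "police officer": 6, "professional athlete": 5,
    "actor": 5, "scientist": 5, "nurse": 4, "musician": 4, "artist": 4,
    "architect": 3, "chef": 3, "lawyer": 3, "engineer": 3,
    "marine biologist": 3, "race car driver": 3, "author": 2,
})


def shannon_entropy_bits(dist: Counter) -> float:
    """Average information per answer. Overstates security against a guessing
    attacker, who only cares about the most common answers."""
    n = sum(dist.values())
    return -sum(c / n * math.log2(c / n) for c in dist.values())


def min_entropy_bits(dist: Counter) -> float:
    """-log2 of the single most likely answer: the figure that matters for an
    attacker who gets exactly one guess."""
    n = sum(dist.values())
    return -math.log2(max(dist.values()) / n)


def guess_success(dist: Counter, k: int) -> float:
    """Probability that an attacker who tries the k most popular answers
    (for example k = the lockout threshold) gets in."""
    n = sum(dist.values())
    return sum(c for _, c in dist.most_common(k)) / n


def guesses_to_reach(dist: Counter, target: float) -> int:
    """Smallest number of popularity-ordered guesses whose combined probability
    reaches `target`; len(dist) if it is never reached."""
    n = sum(dist.values())
    running = 0
    for i, (_, c) in enumerate(dist.most_common(), start=1):
        running += c
        if running / n >= target:
            return i
    return len(dist)


def report(name: str, dist: Counter, lockout: int = 3) -> dict:
    """Summarize how a question fares against a popularity-guessing attacker
    who is allowed `lockout` attempts before the reset channel locks."""
    return {
        "question": name,
        "distinct_answers": len(dist),
        "shannon_bits": round(shannon_entropy_bits(dist), 2),
        "min_entropy_bits": round(min_entropy_bits(dist), 2),
        "p_success_within_lockout": guess_success(dist, lockout),
        "guesses_for_50pct": guesses_to_reach(dist, 0.5),
    }


if __name__ == "__main__":
    for name, dist in (("favorite color", FAVORITE_COLOR), ("dream job", DREAM_JOB)):
        print(report(name, dist))
```

On these constructed numbers, "favorite color" gives a three-guess attacker a 68% chance and reaches 50% after two guesses, while the "dream job" question, which the quoted source counts as a good one, still lets three guesses in 27% of the time. That gap between Shannon entropy and min-entropy is the reason the lockout threshold and the number of questions asked matter at least as much as the wording of any single question.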
As with a regular password, the response to a secret question should be hard to guess but easy to remember. Users are encouraged not to give the literally correct answer. The response to a secret question is in effect a password and should have the same protections, so a combination of upper- and lower-case letters, special characters and numbers is recommended. There are many ways to obfuscate a response; the key is a methodology that is easy for you to remember but difficult for anyone else, even someone who knows you, to guess. Some examples are:
- Begin and/or end each response with a number, capitalize an unexpected letter and add a special character. For example, a mother's maiden name of “Smith” becomes “44SmitH!”. Or insert a number and a special character in the middle of the word, so that “Smith” becomes “Smi44!th”. Note that a fixed pattern applied to a researchable answer only helps as long as the pattern itself stays secret, which is why the last point below matters.
- Provide answers that do not correspond to the question at all, so that research yields nothing useful. For example, a user may give the name of a city as the response to “mother's maiden name.”
- Use the question itself to build an easy-to-remember passphrase by combining the main part of the question with one of your favorite catchwords. If the question asks for your favorite sports team, combine “Sports Team” from the question with a phrase from your favorite show, such as “CSI”: the answer becomes “Sports Team CSI.”
- Follow the best practices for strong passwords when developing your responses: at least 8 characters, with numbers, upper- and lower-case letters and special characters. Use different answers on different websites even when the same secret question is asked, so that one compromised site does not hand an attacker the reset answers for your other accounts.
- As with passwords, do not share the responses to your Challenge or Secret Questions, or your methodology for developing them, with anyone.
It is also advised to periodically search your name in an Internet search engine so you are aware of what information about you is freely accessible on the Internet.4
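The advice above that a challenge answer “is in effect a password and thus should have the same protections” applies to the server as much as to the user. The following added example (my code, not from the article or from any product or source it cites) shows how a self-service reset back end should store and verify answers: salted PBKDF2 hashes instead of plaintext, Unicode and whitespace normalization so that a correctly remembered answer is not rejected for a stray space, all enrolled questions verified in one round with constant-time comparison so the attacker learns nothing about which question was wrong, and a failure counter that locks the reset channel. The question identifiers, the iteration count and the five-attempt limit are assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed policy values. 100k PBKDF2 iterations keeps the demo fast; OWASP's
# current recommendation for PBKDF2-HMAC-SHA256 is 600,000.
ITERATIONS = 100_000
MAX_FAILURES = 5  # lock the reset channel after this many wrong rounds


def normalize(answer: str) -> str:
    """Canonicalize an answer so harmless variation (Unicode form, leading,
    trailing or repeated whitespace) does not cause a false rejection.
    Case is kept deliberately: capitalization is part of the secret."""
    answer = unicodedata.normalize("NFKC", answer)
    return " ".join(answer.split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Slow, salted hash of the normalized answer. Same treatment a password gets."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, ITERATIONS
    )


def enroll(answers: dict) -> dict:
    """answers: {question_id: plaintext answer}. Returns the record to store.
    The plaintext answers are never written anywhere."""
    record = {"questions": {}, "failures": 0, "locked": False}
    for qid, answer in answers.items():
        salt = os.urandom(16)
        record["questions"][qid] = {"salt": salt, "hash": hash_answer(answer, salt)}
    return record


def attempt_reset(record: dict, supplied: dict) -> bool:
    """One reset round: every enrolled question must be answered, and every
    answer must match. Returns True only if all match; any failure counts
    against the lockout and reveals nothing about which answer was wrong."""
    if record["locked"]:
        return False
    ok = set(supplied) == set(record["questions"])  # partial submissions fail
    if ok:
        for qid, entry in record["questions"].items():
            candidate = hash_answer(supplied[qid], entry["salt"])
            # compare_digest is constant-time; keep checking the remaining
            # questions even after a mismatch so timing does not leak which one failed
            if not hmac.compare_digest(candidate, entry["hash"]):
                ok = False
    if ok:
        record["failures"] = 0
        return True
    record["failures"] += 1
    if record["failures"] >= MAX_FAILURES:
        record["locked"] = True
    return False


if __name__ == "__main__":
    # Answers follow the obfuscation advice above (constructed sample data).
    rec = enroll({"maiden_name": "Smi44!th", "dream_job": "Sports Team CSI"})
    print(attempt_reset(rec, {"maiden_name": "Smi44!th", "dream_job": " Sports  Team CSI "}))
    print(attempt_reset(rec, {"maiden_name": "smith", "dream_job": "Sports Team CSI"}))
    print(rec["failures"], rec["locked"])
```

Two design choices are worth calling out. Keeping case in `normalize` preserves the entropy that the capitalization advice above relies on; deployments that case-fold for usability should know they are giving that back. And failing the whole round rather than one question at a time means an attacker who has researched one answer cannot confirm it independently of the others, which is the property the quoted guidance is after when it recommends asking several questions from separate sets.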
Hopefully the information presented in this article will help you to feel more confident when using challenge questions. You may even want to double check any resources that are currently protected by challenge questions.