Time to Kill Security Questions—or Answer Them With Lies
The notion of using robust, random passwords has become all but mainstream: by now anyone with an inkling of security sense knows that “password1” and “1234567” aren’t doing them any favors. But even as password hygiene improves, a weaker mechanism sits underneath those passwords: security questions.
Last week Yahoo revealed that it had been massively hacked, with data from at least 500 million of its users compromised by what it described as state-sponsored intruders. And the company’s list of breached data included not just the usual hashed passwords and email addresses, but also the security questions and answers that victims had chosen as a backup means of resetting their passwords: supposedly secret information like your favorite place to vacation or the street you grew up on. Yahoo’s data debacle highlights how those innocuous-seeming questions remain a weak link in online authentication. Ask the security community about security questions, and they’ll tell you that they should be abolished, and that until they are, you should never answer them honestly.
From their dangerous guessability to the difficulty of changing them after a major breach like Yahoo’s, security questions have proven to be deeply inadequate as contingency mechanisms for passwords. They’re meant to be a reliable last-ditch recovery feature: Even if you forget a complicated password, the thinking goes, you won’t forget your mother’s maiden name or the city you were born in. But by relying on factual data that was never meant to be kept secret in the first place—web and social media searches can often reveal where someone grew up or what the make of their first car was—the approach puts accounts at risk. And since your first pet’s name never changes, your answers to security questions can be instantly compromised across many digital services if they are revealed through digital snooping or a data breach.
Please Reset Your Mother’s Maiden Name
All of that has led security experts to advocate their demise. “I would like to see this practice go away,” says Jim Fenton, an identity privacy and security consultant who runs the blog Insecurity Questions. “If passwords are vulnerable why are security questions somehow so special that they live on forever?” Fenton points out that every new data breach reveals more personal information that makes guessing the answers to security questions easier, or simply lets attackers reuse leaked answers to get into another service where the victim chose the same ones. “Attackers are getting broader and broader information all of the time about users by aggregating all these different leaks,” he says.
“Sorry, but if you have a Yahoo account, you will need to find a new mother, and have grown up on a different street,” University of Pennsylvania computer scientist Matt Blaze quipped on Twitter after Yahoo’s data breach announcement. Security question and answer reuse between sites, he added, “means that data breaches on the scale of Yahoo are the security equivalent of ecological disasters.”
Even the federal government is ready to kibosh security questions. In July, the National Institute of Standards and Technology released a draft of its new proposed Digital Authentication Guideline, and whereas the previous revision listed “pre-registered knowledge tokens,” or security questions, as an accepted authentication technique, the new draft eliminates any mention of such measures. NIST, in other words, no longer endorses security questions as a measure for protecting federal accounts. Even Yahoo itself, which is offering tools for securing user accounts in light of its breach, now specifically notes, “To secure your account, we recommend that you disable your security questions.”
In a 2015 paper, two Google security researchers analyzed the weaknesses of the approach and concluded, “Secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism. That’s because they suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember—but rarely both.” Long before the study even came out, Google was phasing out security questions and requiring users to set up SMS text messages and back-up email addresses to initiate recovery of an account.
No Quick Fix
The transition away from security questions, however, won’t be easy. Companies need to implement alternative recovery mechanisms like sending password reset instructions to a backup email address, requiring that users produce a physical authentication key, or accepting codes generated in real time by an authenticator app. And it gets complicated because even SMS codes sent to a pre-registered phone number, currently the most popular alternative to security questions, have security problems of their own; the same NIST draft flags SMS as a deprecated channel for out-of-band codes. Jeffrey Goldberg, a product security officer at AgileBits, the security company that makes the popular password manager 1Password, says that all of that makes the problem tough to fix. “(In)security questions are terrible,” he writes in an email. “It is easy to talk about the horrible security hole that [they] create, but it is harder to offer an alternative.”
But NIST senior standards and technology advisor Paul Grassi, who works on the standards revisions, believes that there are enough alternatives to security questions available that they can be phased out, even for the federal government. “We recognize that there’s not one-size-fits-all,” he says. “So hopefully we’re moving toward a model where agencies issue many things. You want Google Prompts? Go for it. You want U2F? Go for it. You want something written on a piece of paper that we mail to you? Go for it.”
Popular web services are trying to move from security questions to those superior options, but are at different phases of the transition. Most of them prominently display a “Forgot your password?” link on their login pages that directs users to password-changing tools. But to change the security questions themselves you have to hunt through the account options. Twitter doesn’t appear to use security questions at all for account recovery. Facebook will only offer security questions as a last resort when a user indicates that they no longer have access to the backup email addresses or phone numbers they set up previously. But Facebook doesn’t allow users to ever update or improve their questions. Same goes for Amazon Payments. And many banks, like Bank of America, TD Bank, and Fidelity, still rely heavily on security questions as an account recovery technique.
My First Car Was a Y^i72b(lV$
Since security questions aren’t going away any time soon, there are steps you can take to strengthen yours in the meantime, at least for some services. The best way to make security answers more robust is to lie: ideally, use a random string of characters as the answer rather than any real fact about yourself. That way, even if a question asks about an obscure life detail that you’re confident a hacker couldn’t dig up, you’re still not handing over a true answer that could be reused against you after a breach.
In an age of frequent data breaches, your mother’s maiden name should probably be 4tz9Ru#p and your childhood best friend b2p^fqw. https://t.co/PJ8hmLISa4
— Christopher Soghoian (@csoghoian) September 23, 2016
Why the answers to my security questions are not real answers, strong, and unique. Treat it like a password. https://t.co/rTlslLBfap
— Whitney Merrill (@wbm312) September 23, 2016
Of course, this approach makes security answers virtually impossible to remember, in contrast to truthful personal facts, which we retain effortlessly. That’s why you should use a password manager not only to store strong, randomly generated passwords, but to store your security answers as well.
If you’ve taken the time to add as many accounts as possible to a password manager and randomize all the passwords, you know that this is a doable but long-term project. Even at maximum efficiency, it takes a minute or two to reset a password, add a new one, and ensure that the random string of characters is correctly saved in your password manager. The average U.S. user has more than 100 digital accounts linked to their primary email address, so randomizing every security answer, when the option isn’t always easy to find, remains a slog. Insecurity Questions’ Fenton suggests starting with the accounts that hold your most sensitive data: your email, financial, and medical accounts. And even if you don’t have a password manager up and running yet, you can still start using one just to keep track of security answers. “You should have unique passwords for each site and service and you should have unique answers to security questions, and a password manager is the way to do that,” says AgileBits’ Goldberg. “But that’s not an all-or-nothing statement. You can just start by deciding to put [some] security answers into a password manager. You don’t have to do the impossible.”
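What “treat it like a password” means in practice, on both sides of the form, as an added example that is not code from the article or from any of the vendors it names. The user-side half generates a random, per-service answer for every question and records it in a vault the way a password manager would, then audits the vault for answers reused across services; the service-side half stores only a salted, slow hash of the answer and compares in constant time, exactly as a password should be stored, so a breach of the answer table leaks nothing reusable elsewhere. The service names, questions and vault layout are constructed for the demo.

```python
"""Security answers handled as passwords (added example, not from the article)."""
import hashlib
import hmac
import secrets
import string
import unicodedata

# 75 symbols -> about 6.2 bits of entropy per character; 20 chars is ~124 bits.
ALPHABET = string.ascii_letters + string.digits + "!#$%^&*()-_=+"

PBKDF2_ITERATIONS = 100_000  # slow hash; tune upward for production hardware


# --- user side: what a password manager does for you ------------------------

def random_answer(length=20):
    """Answer drawn from the OS CSPRNG; never derived from a real-life fact."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def fill_vault(vault, service, questions):
    """Give every question for one service its own fresh random answer.

    Nothing is shared between services, so a breach at one site cannot be
    replayed at another (the cross-site reuse the article warns about).
    """
    entry = vault.setdefault(service, {})
    for question in questions:
        entry[question] = random_answer()
    return vault


def find_reused(vault):
    """Audit check: map each answer used by more than one service to those
    services. An empty result means no cross-site reuse."""
    seen = {}
    for service, answers in vault.items():
        for answer in answers.values():
            seen.setdefault(answer, set()).add(service)
    return {a: s for a, s in seen.items() if len(s) > 1}


# --- service side: store the answer like a password, not like a fact --------

def _normalize(answer):
    # Trim and NFC-normalize only. No case-folding or punctuation stripping:
    # those help people who typed a real fact, but they throw away entropy
    # from a random answer. (Constructed policy for this demo.)
    return unicodedata.normalize("NFC", answer.strip())


def store_answer(answer):
    """Return the only thing the server should keep: a per-record salt and a
    PBKDF2-SHA256 digest. The plaintext answer is never written down."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", _normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "hash": digest}


def verify_answer(record, candidate):
    """Recompute the digest under the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", _normalize(candidate).encode("utf-8"), record["salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    # Constructed demo data: two services, same questions, different answers.
    vault = {}
    for svc in ("example-mail", "example-bank"):
        fill_vault(vault, svc, ["Mother's maiden name", "First pet"])
    print("reused across services:", find_reused(vault))  # expect {}

    record = store_answer(vault["example-bank"]["First pet"])
    print("correct answer accepted:", verify_answer(record, vault["example-bank"]["First pet"]))
    print("real-world fact rejected:", verify_answer(record, "Fluffy"))
```

The vault in the demo is a plain dict to keep the example self-contained; a real password manager encrypts it at rest under a master secret. The point of the server-side half is the one Goldberg and Fenton make: if answers are random and hashed, the answer table in a breach like Yahoo’s is as useless to an attacker as a properly hashed password table, instead of a list of facts that unlock every other account.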
Security questions can be reasonably protective if you use them as essentially a second, strong password. But online services have trained users to enter deeply insecure security answers for years, and changing won’t be easy. It’s well past time, though, to move away from a system that’s at best only as robust as passwords, and at worst turns your dead hamster’s name into a dangerous security flaw.