You know that thing that companies do when you set up an online account, asking you to name your favorite food and your high-school mascot as a way to recover your password later, or verify your identity if something sus is going on?
1/
They're called "challenge questions" and they don't work.
That's the conclusion a group of Google security researchers and my EFF colleague Joseph Bonneau reached through a set of careful - and devastating - experiments.
https://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/43783.pdf
2/
Not only are the answers to these questions pretty easy for attackers to guess or research (your mother's maiden name is a matter of public record and your favorite food is "pizza"), but actual users really struggle to remember their answers.
3/
Topline findings:
* "37% admitted to providing fake answers in an attempt to make them 'harder to guess' although on aggregate this behavior had the opposite effect"
* "40% of users were unable to recall their answers when needed."
4/
* "Questions that are potentially the most secure (e.g. what is your first phone number) are also the ones with the worst memorability."
* "It appears next to impossible to find secret questions that are both secure and memorable."
5/
I treat these questions as secondary passwords and use password generators to come up with strong, long passwords for them, managing them in a password manager (so much for memorable). Even this has an unexpected failure mode!
6/
My small credit union's site requires you to come up with several of these questions at signup time: favorite movie, high school mascot, etc. You can answer from a list, or you can fill in your own. I did the latter, giving answers like "OWX~kMy!'(T;DkLwmBjrDs."
7/
What I didn't know was that the challenge questions are presented as MULTIPLE CHOICE! So here's how it looks:
8/
WHAT IS YOUR FAVORITE ANIMAL?
[ ] BIRD
[ ] FISH
[ ] TURTLE
[ ] DOG
[ ] PIG
[ ] RABBIT
[ ] SNAKE
[ ] OWX~kMy!'(T;DkLwmBjrDs
[ ] CAT
[ ] FOX
9/
So much for my high-security, hard-to-guess alternative.
eof/
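An added worked example from the editor, not code from the thread or from the Google paper: it puts numbers on the two failure modes above. A free-text answer from a password generator has a large search space, but once the site renders the same answer as one of ten radio buttons the attacker only has to pick the option that does not look like a curated animal name. The alphabet, the option list (copied from the thread) and the popularity figures for each animal are assumptions constructed for the example, not data from the paper.

```python
import math
import secrets
import string

# Assumption: a generator alphabet of letters, digits and punctuation (the
# thread does not say which password generator or alphabet was used).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_answer(length: int = 24) -> str:
    """Random free-text answer, treating the question as a secondary password."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def bits_free_text(answer: str, alphabet: str = ALPHABET) -> float:
    """Search space in bits when the answer must be typed into a free-text field."""
    return len(answer) * math.log2(len(alphabet))


def bits_multiple_choice(options) -> float:
    """Search space in bits when the same answer is one of N presented options."""
    return math.log2(len(options))


def looks_generated(option: str) -> bool:
    """Curated answer lists hold plain words; digits or punctuation mark a user-supplied string."""
    return any(c.isdigit() or c in string.punctuation for c in option)


def rank_guesses(options, popularity=None):
    """Order the presented options the way a guessing attacker would try them:
    generator-looking strings first, then the rest by how often people pick them."""
    popularity = popularity or {}
    return sorted(
        options,
        key=lambda o: (not looks_generated(o), -popularity.get(o.lower(), 0.0), o),
    )


def guesses_to_find(answer: str, options, popularity=None) -> int:
    """How many attempts the ranked strategy needs before it hits `answer`."""
    return rank_guesses(options, popularity).index(answer) + 1


def chance_within(popularity, tries: int) -> float:
    """Probability of hitting a typical user's free-text answer within `tries`
    attempts when the attacker guesses the most popular answers first."""
    shares = sorted(popularity.values(), reverse=True)
    return sum(shares[:tries])


# Option list as shown in the thread.
CREDIT_UNION_OPTIONS = [
    "BIRD", "FISH", "TURTLE", "DOG", "PIG", "RABBIT", "SNAKE",
    "OWX~kMy!'(T;DkLwmBjrDs", "CAT", "FOX",
]

# Constructed popularity figures (made up for this example, not from the paper).
POPULARITY = {
    "dog": 0.35, "cat": 0.30, "bird": 0.08, "fish": 0.06, "rabbit": 0.05,
    "fox": 0.04, "turtle": 0.04, "snake": 0.03, "pig": 0.02,
}


if __name__ == "__main__":
    secret = generate_answer()
    print(f"free-text answer: {bits_free_text(secret):.1f} bits of search space")
    print(f"same answer as one of {len(CREDIT_UNION_OPTIONS)} options: "
          f"{bits_multiple_choice(CREDIT_UNION_OPTIONS):.2f} bits")
    print("attacker's guess order:", rank_guesses(CREDIT_UNION_OPTIONS, POPULARITY))
    print("tries to find the generated answer:",
          guesses_to_find("OWX~kMy!'(T;DkLwmBjrDs", CREDIT_UNION_OPTIONS, POPULARITY))
    print(f"free-text 'favorite animal' guessed in 2 tries: {chance_within(POPULARITY, 2):.0%}")
```

The ranking mirrors the two halves of the thread: against a free-text field the attacker's best move is the popularity-ordered list (the paper's "pizza" observation), and against a multiple-choice field the one option that could not have come from the site's own list is tried first, so the generated answer is found on the first attempt.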