password hints, security questions etc are a bad idea, reason #723

As I’ve said before, security questions, password hints etc are a really bad idea.

Today, I was on gap.com and forgot my password. When you put in an email on their login page and click “I forgot my password” they show you your password hint. You can put in any email address and find out that account's password hint this way. This is a great way for hackers to figure out your password. (How many people just use the password itself as their hint? I bet a lot).

When I saw my own hint I put in a long time ago, I had to chuckle at my obnoxious former self:

[image: screenshot of the author's old password hint (not preserved)]

Bad trend of the week: security questions

I’ve noticed more and more websites ask you to enter answers to security questions like “what is your mother’s maiden name” or “where were you born”. This is a very bad trend. Here’s why:

1. Answers to security questions are far more easily guessed than passwords. E.g. just guess the biggest US cities for “where were you born?”

2. Security questions are far more easily figured out by clever hackers. See e.g. “Messin’ with Texas: Deriving Mother’s Maiden Names Using Public Records.” V. Griffith and M. Jakobsson. ACNS ’05, 2005, and CryptoBytes Winter ’07.

3. Every time you answer a question like “What city were you born in?”, you spread that important piece of information more widely, thereby increasing the chance that a rogue employee or a data breach exposes valuable information about you. This is particularly bad when the same security questions are shared by sites with no real need for security (e.g. a casual game site) and sites with a strong need for security (e.g. your bank).

My advice next time you are asked for an answer to a security question is not to answer truthfully but instead to use a “strong” password (“strong” means, roughly, 8 or more characters: mixed-case letters, numbers and, if allowed, symbols). So when they ask you “What city were you born in?” answer “5ght11YT” or something, effectively turning their security question into a conventional password. And then I’d write that password down on a piece of paper (not on your computer).
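As an added example (not from the post), the advice above worked through in Python: a random mixed-case alphanumeric answer, the entropy it gives compared with guessing from a short list of likely birthplaces, and how a site should store such an answer (salted PBKDF2, an assumed choice for the example) so it can never be shown back on a hint page.

```python
import hashlib
import hmac
import math
import secrets
import string

# Alphabet for a "strong" answer as the post describes it: mixed-case letters and digits.
ALPHABET = string.ascii_letters + string.digits


def random_answer(length: int = 8) -> str:
    """Return a random answer to type instead of the truth, e.g. '5ght11YT'."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(guess_space: int) -> float:
    """Bits of entropy when the answer is drawn uniformly from guess_space values."""
    return math.log2(guess_space)


def random_answer_entropy_bits(length: int = 8) -> float:
    """Entropy of a uniformly random answer of the given length over ALPHABET."""
    return entropy_bits(len(ALPHABET) ** length)


def store_answer(answer: str) -> dict:
    """Store the answer the way a password should be stored: salted and slow-hashed.

    A site that can display your hint or answer on request stores it recoverably;
    this is the alternative. (PBKDF2-SHA256 is an assumed choice for the example.)
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", answer.encode(), salt, 200_000)
    return {"salt": salt, "digest": digest}


def verify_answer(record: dict, attempt: str) -> bool:
    """Check an attempt against a stored record with a constant-time comparison."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], 200_000)
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    # Constructed comparison: a birthplace guessed from a list of the 50 biggest
    # US cities versus an 8-character random answer.
    print(f"50 city guesses: {entropy_bits(50):.1f} bits")
    print(f"random 8-char answer: {random_answer_entropy_bits():.1f} bits")
    record = store_answer(random_answer())
    print(verify_answer(record, "Chicago"))
```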

Update: David Weinberger has some other reasons security questions are dumb.