Spending Money on Useless Research
Tue, 2009-05-26 10:57
We are bombarded daily with new password requirements. We have userids and passwords for everything, and trying to remember them is difficult. We create little schemes to remember the passwords, incrementing or decrementing a number somewhere within the password. We download userid and password safes to store them, yet we need another userid and password to access the password safe. In order to make it easy for us to remember the myriad of credentials we need to access this application and that tool, companies have provided a series of ‘secret’ questions that we need to choose from – at least two from the list provided. This serves to reduce help desk calls for the company while making it easy for us to remember and retrieve our userid and password.

In a recent study, which I find to be quite ludicrous (we always seem to spend money in the U.S. on proving the obvious), researchers discovered the following:
In research to be presented at the IEEE Symposium on Security and Privacy this week, researchers from Microsoft and Carnegie Mellon University plan to show that the secret questions used to secure the password-reset functions of a variety of websites are woefully insecure. In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participant's secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question. - http://www.technologyreview.com/web/22662/
The types of questions we are asked to help us remember (challenge response enrollment process):
• Where did you spend most of your youth?
• What was the name of your first pet?
• What was the name of the street you grew up on?
• What is the name of your favorite school teacher?
• What is the name of the first school you attended?
• What is your first car’s color and model?
• In what city was your father born?
• What is your father’s middle name?
• What is your mother’s maiden name?
• In what city were you born?
• In what city was your mother born?
• What is your favorite movie of all time?
• What is the first and last name of your first best friend?
• What is your favorite color?
• What is your favorite sports team?
• What is your favorite food?
• What is the first and last name of your best man or maid of honor?
• What is your favorite place to visit?
• Who is your favorite actor, musician or artist?
• What street did you live on when you were in the 3rd grade?
• What school did you attend in the 7th grade?
• What is the first name of your favorite childhood friend?
• What is the first phone number you remember?
And so on… Some of these questions and their answers I need to enter into my password safe since I certainly will not remember how I answered. What really vexes me is what will I do when I forget the userid and password to my password safe?
You do not need to guess these, so why spend money researching the obvious? All you need to do is visit Facebook, MySpace, LinkedIn and many of the other social networking sites to gather this information. These sites are being mined for information on a daily basis by criminal elements, by lawyers during divorce proceedings and by prospective employers during the interview process. Guess if you want, but why bother – we give the info away for free, and if you forget how you answered during the challenge response enrollment, just go to your own Facebook page…
Reader Feedback
Fri, 2009-05-29 21:10
SOLUTION

We have two other factors to use to make this work. Economics dictate the path of least resistance relative to cost. Don't use the same factor more than once and use another, different factor. Multiple iterations of the same factor (especially the easiest one to expose) is not strong authentication. All this serves to do is provide those with malicious intent an opportunity to learn more about you. The technology is there and in use with many firms and has been for years. I guess I thought that was obvious as well.

Follow me on Twitter http://twitter.com/jsbardin
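One way to implement the "use another, different factor" idea from this comment, as an added example that is not code from the original post or its author: a password-reset flow that stores normalized, salted answer hashes, locks the knowledge step after a few failures (an assumed threshold of 3, since the study's 28% per-guess rate makes unlimited tries untenable), and then still requires a one-time code delivered out of band. All class and function names, the threshold and the sample answers are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import unicodedata
from typing import Dict, Optional

MAX_ATTEMPTS = 3  # assumed lockout threshold for the knowledge factor


def normalize(answer: str) -> str:
    """Fold case and whitespace so 'Rex ' and 'rex' compare equal."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted slow hash: stored answers never sit in plaintext."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 50_000)


class ResetFlow:
    """Knowledge factor (secret questions) followed by an out-of-band code."""

    def __init__(self, enrolled: Dict[str, str]):
        self.salt = secrets.token_bytes(16)
        self.answers = {q: hash_answer(a, self.salt) for q, a in enrolled.items()}
        self.failures = 0
        self.locked = False
        self.pending_code: Optional[str] = None

    def check_answers(self, given: Dict[str, str]) -> bool:
        """Step 1: every enrolled question must match; failures count toward lockout."""
        if self.locked:
            return False
        ok = all(hmac.compare_digest(self.answers[q], hash_answer(given.get(q, ""), self.salt))
                 for q in self.answers)
        if not ok:
            self.failures += 1
            self.locked = self.failures >= MAX_ATTEMPTS
            return False
        self.pending_code = f"{secrets.randbelow(10**6):06d}"  # sent via a separate channel
        return True

    def confirm_code(self, code: str) -> bool:
        """Step 2: one-time code is consumed whether or not it matches."""
        ok = self.pending_code is not None and hmac.compare_digest(self.pending_code, code)
        self.pending_code = None
        return ok
```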

Thu, 2009-05-28 03:42
The problem is obvious. Come up with a SOLUTION.
By Anonymous

How does the title of your lament relate to the body? Apparently, you are saying the research is either obvious or pointless. However, the text you write is both obvious and pointless. If you want to contribute - solve the problem instead of joining the crowd saying "passwords / PINs are bad authentication schemes."

Or worse, if you mean to say "why raise awareness by pointing out problems that are obvious to security people." Because, after all, only security people use passwords to protect sensitive information and information like this couldn't possibly make a soundbite in an article or perhaps 30 seconds on a slow news day....

If the latter was your intent - then again provide a solution. What is non-pointless research into breaking the human element of security? Because getting access to data is getting access to data - whether via the human element or an elegant technical attack makes no difference.

You've got a thermometer and have to use it to find the height of the building - do you measure the shadows and do a ratio or do you tell the security guard, "tell me how tall this building is and I'll give you this thermometer?"

The bad guys don't like working any more than the good guys do. Simple is better.

Thu, 2009-05-28 01:02
Woulda, shoulda, coulda been a professional

I guess you are right. I needed someone to verify that the challenge response questions could be guessed by my friends and family, at least 28% of them (How many is that out of 6?). It really hurts that all 6 couldn't get the right answers (especially my wife)!!

Follow me on Twitter http://twitter.com/jsbardin

Tue, 2009-05-26 16:28
is the research more useless than your article condemning it?
By Jyoull

As a security professional, I find it very useful nearly always to have quantified data (such as the statistics promised in this report) rather than the anecdotes tossed around by other "security professionals" at should-be professional gatherings and presentations.

The latter definitely constitutes wasted time and money (mine, paid to hear rumors and guesses with no way to confirm any of the info).

Getting this data in the can once, and authoritatively, is quite useful and I'm glad they've done the work.
