Insecurity: Bad Secret Questions and Information Disclosure

It’s a little known fact that most websites have a backdoor that can get you access in other people’s accounts – weak secret questions! Ok, so maybe it’s not a back door as such, but the threat is so high that for some websites it might as well be. Let me explain…

Even though everyone with even the slightest understanding of computer security knows that strong passwords are essential, we continue to see the masses use things like ‘password’, ‘abc123’, and ‘qwerty’. In fact just this week I found an airport internet kiosk whose admin panel had the password ‘12345’… oops. Nevertheless, if someone wants to break into your account, they’ll be fairly stumped if you do use a decent password (unless they want to risk throwing a brute force attack against the site).

Attackers are lazy and will follow the path of least resistance to reach their goal. Although it is a fairly targeted attack, the ‘Forgotten Password’ functionality is the weakest link on many websites, as they only require a weak answer (usually one name/word) to common or obvious questions. So, what’s the point of using a good password like [email protected](0P*[email protected]#s3; if your answer to “What is your hometown?” is something as simple as: London? Admittedly, a website that uses just one’s hometown as the secret question should be shot, but the same principle applies to many other questions. If they can’t be guessed they can be discovered.

As social networking continues to grow, more and more people are getting comfortable with sharing information online. I don’t understand why banks persist on relying on your Mother’s Maiden Name, when this piece of information is becoming increasingly easy to obtain (especially in families using hyphenated names). Your home address can probably be obtained from a phone book, council/tax records, or from people naive enough to use location-aware services (eg. 4sq, Facebook) to ‘check-in’ to their own house.

So, what’s the inherent problem with secret question mechanisms?

• Secret questions are usually weak (see below)
• To compound the issue, and ‘simplify’ things for users who have ‘forgotten’ their passwords, the answers are often converted to all uppercase or lowercase. So if you try to be secure and set LoNDoN as your hometown… it’ll just become plain old ‘london‘ anyway
• Most websites do not limit the number of times you can attempt to answer a secret question within a given timeframe, thus allowing an attacker to try as many answers as he likes (and even carry out brute-force attacks)
• After successfully answering a secret question, many websites either allow the user to set a new password there and then, and gain access to the application
• To top it off, some websites don’t even send the user an email when their password has been changed

I like to focus on five ‘classes’ of secret questions, each with their own problems.

1. Questions with a very limited set of answers: These are questions whose answers are not unique to the user. Many sites still use “What is your favorite color?” The vast majority of people will use red, blue, green, yellow, or black. Some may be artistic and put something in like maroon. Either way the subset of usable answers is pretty limited.
2. ‘Personal’ details: Supposedly personal information such as mother’s maiden name, address or date of birth. I find that this category is rapidly merging into category 3 below, as information becomes more readily available online.
3. Discoverable questions: things that can either be found online, or surreptitiously extracted from you, your family, or your friends, eg. father’s middle name, name of first girlfriend, name of high school, etc.
4. Custom questions: This is when you’re allowed to set your own question to yourself. The theory is that you’ll pick a question that only you know the answer to. Only problem is that people will usually come up with a question that falls under categories 1 or 3. “Memorable Date” is a good one to use, as long as it’s something fairly obscure that you’re probably not going to accidentally reveal (nobody’s birthdate, anniversary, etc).
5. Dynamic questions: These are questions for which you’ve never provided an answer, but that only you (in theory) should be able to answer. For example: Date of last bill (service companies). Some companies (very few) use these to make the questions more unique to the user. Unfortunately some of these are also weak.

You’re Doing it Wrong

The security questions you pick could make the difference. Your favorite color and home town can probably be guessed, and if they can’t, you may be revealing that information anyway.

By searching for someone in a search engine, browsing their Facebook profile, or accessing other public sources of information, it is now increasingly easy to gather a lot of information about who they are, where they are, where they’ve been, what they do, who they know, what they like, what they don’t… the list goes on. This is a goldmine of information that could be used to answer relatively simple secret questions, and even carry out sophisticated social engineering attacks.

The concept of oversharing has become increasingly popular as people have posted increasingly stupid amounts of personal information online (and allowing anyone to see it). This week a hacker was convicted of hacking into the email accounts of over 230 women by abusing ‘Forgotten Password’ functionality, and finding the answers to their secret questions on their Facebook profiles.

Doing it Right

I don’t think there is a ‘right’ answer to this problem, however there are a few things you can do to protect yourself from secret question abuse. My primary recommendation would be, fairly obviously, don’t forget your password! You’re better off storing your passwords in a secure password storage program (eg. KeePassX). Whenever I’m prompted for an answer to a secret question, I throw something heavy on the keyboard a few times until I end up with something long and random enough. If you don’t plan on forgetting your password, then your answer should be even less guessable than your password.

If you are keen on retaining the use of secret questions, then consider using a simple codeword that you append to the beginning or end of any answer. Thus your hometown or favorite team become “crazyLondon” and “crazyYankees”. You can also write your answers backwards (eg. nodnol). Note that this is not by any means perfect, but it improves the security by vastly increasing the possible number of answers, and makes the response unguessable (even if the attacker knows the answer to the question). If you’re feeling really techy, you can hash your answer (using md5 or SHA-1).

Lastly, and perhaps most importantly, don’t overshare stuff on Facebook and other social networking sites. If you post your date of birth, address, hometown, telephone number, political affiliations, likes and dislikes online, chances are some of that information could eventually be used against you in some way (and I don’t mean just for secret questions).

What Can Websites Do?

If you’re a developer or run a website, you should obviously try and protect user accounts as much as possible. The following points, although not exhaustive, are my top recommendations for dealing with Forgotten Passwords:

1. Be smart, and try to pick non-obvious questions that do not have an overly limited set of answers
2. Require the users to choose and answer at least 5 secret questions. Give them the option to opt-out of secret questions if they’re willing to accept that risk
3. Users should initiate the forgotten password mechanism by providing their username and/or email address (which you should have)
4. The forgotten password page should always say an email has been sent, regardless of whether the supplied username/email is valid or not (to prevent username/email enumeration)
5. The user should be sent a unique link with the following properties:
   • The link should contain a long random value that is unique to the user
   • The link should be expired (server-side) after a set amount of time (eg. 24 hours)
   • Once the link has been used and the account recovered/password reset, the link should be invalidated
6. Limit the number of times a password reset link can be requested in a given timeframe (eg. twice in one week)
7. The unique link should take the user to a page where they must answer at least 3 consecutive secret questions
   • If you’re in a position where you can ask the user a good dynamic question, then do so. Facebook does this by requiring the user to name some of their friends via their photos.
8. Ask questions one after the other, so as to not disclose all questions at once to a potential attacker
9. This page should enforce a set limit of failed answer attempts (eg. 3) within a given time frame (eg. the 24 hour validity of the link)
10. The page should challenge the user with a captcha to prevent automated attacks
11. If the questions are successfully answered, the user is allowed to set a new password
12. Always send an email to the user to inform them if their password has been changed (the password should not be in the email)
13. User should be informed, upon login, of any failed Password Reset attempts. This serves to notify the user, whose email may have been intercepted and deleted by an attacker, that someone tried to reset their password