
[ISN] The curse of the secret question

Subject: [ISN] The curse of the secret question
Date: Thu, 10 Feb 2005 04:23:41 -0600 (CST)
http://www.computerworld.com/securitytopics/security/story/0,10801,99628,00.html

Opinion by Bruce Schneier
Counterpane Internet Security Inc.
FEBRUARY 09, 2005 
COMPUTERWORLD

It's happened to all of us: We sign up for some online account, choose
a difficult-to-remember and hard-to-guess password, and are then
presented with a "secret question" to answer. Twenty years ago, there
was just one secret question: "What's your mother's maiden name?"  
Today, there are more: "What street did you grow up on?" "What's the
name of your first pet?" "What's your favorite color?" And so on.

The point of all these questions is the same: a backup password. If
you forget your password, the secret question can verify your identity
so you can choose another password or have the site e-mail your
current password to you. It's a great idea from a customer service
perspective -- a user is less likely to forget his first pet's name
than some random password -- but terrible for security. The answer to
the secret question is much easier to guess than a good password, and
the information is much more public. (I'll bet the name of my family's
first pet is in some database somewhere.) And even worse, everybody
seems to use the same series of secret questions.

The result is the normal security protocol (passwords) falls back to a
much less secure protocol (secret questions). And the security of the
entire system suffers.

What can one do? My usual technique is to type a completely random
answer -- I madly slap at my keyboard for a few seconds -- and then
forget about it. This ensures that some attacker can't bypass my
password and try to guess the answer to my secret question, but is
pretty unpleasant if I forget my password. The one time this happened
to me, I had to call the company to get my password and question
reset. (Honestly, I don't remember how I authenticated myself to the
customer service rep at the other end of the phone line.)

Which is maybe what should have happened in the first place. I like to
think that if I forget my password, it should be really hard to gain
access to my account. I want it to be so hard that an attacker can't
possibly do it. I know this is a customer service issue, but it's a
security issue too. And if the password is controlling access to
something important -- like my bank account -- then the bypass
mechanism should be harder, not easier.

Passwords have reached the end of their useful life. Today, they only
work for low-security applications. The secret question is just one
manifestation of that fact.


-=-


Bruce Schneier is a security expert and chief technology officer at
Counterpane Internet Security Inc. in Mountain View, Calif. His latest
book is Beyond Fear: Thinking Sensibly About Security in an Uncertain
World. He also publishes the monthly "Crypto-Gram" newsletter. He can
be reached at his Web site, www.schneier.com/.



_________________________________________
Bellua Cyber Security Asia 2005 -
http://www.bellua.com/bcs2005
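As an added illustration of the column's weakest-link argument (example code, not from the article or from Schneier), the following Python models an account with two login paths and shows that its resistance to online guessing is that of the weaker path. The guess-space sizes for each question type and the attempt rate are constructed assumptions, and `random_answer` implements the random-junk mitigation the column describes.

```python
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols

# Constructed, rough guess-space sizes for the question types named in the
# column; illustrative assumptions, not measured figures.
COMMON_QUESTIONS = {
    "mother's maiden name": 50_000,   # on the order of common surnames
    "street you grew up on": 100_000,
    "first pet's name": 10_000,
    "favorite color": 20,
}


def guess_space(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of the given length over the alphabet."""
    return alphabet_size ** length


def days_to_compromise(space: int, attempts_per_day: int) -> float:
    """Expected days for an online guesser to hit a uniformly random secret
    when the server permits attempts_per_day guesses (half the space on average)."""
    return (space / 2) / attempts_per_day


def weakest_path(paths: dict, attempts_per_day: int) -> tuple:
    """An account reachable by several paths (password, secret question, ...)
    is only as strong as the path with the smallest guess space."""
    name = min(paths, key=paths.get)
    return name, days_to_compromise(paths[name], attempts_per_day)


def random_answer(length: int = 20) -> str:
    """The column's mitigation: answer the secret question with random junk,
    which turns the fallback into a second strong password (store it somewhere)."""
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


if __name__ == "__main__":
    rate = 1_000  # assumed online guesses per day the site tolerates
    password_space = guess_space(62, 12)  # a 12-character random password
    for question, space in COMMON_QUESTIONS.items():
        print(weakest_path({"password": password_space, question: space}, rate))
    junk = random_answer()
    print(weakest_path({"password": password_space,
                        "random answer": guess_space(62, len(junk))}, rate))
```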
