security questions

John Ioannidis ji at tla.org
Thu Aug 7 19:14:18 EDT 2008


piers.bowness at rsa.com wrote:
> John Ioannidis wrote:
> | Does anyone know how this "security questions" disease started, and why
> | it is spreading the way it is?  If your company does this, can you find
> | the people responsible and ask them what they were thinking?
> 
> The answer is "Help Desk Call Avoidance"; allow the end-user to fix
> their own account without having to get someone on the phone. This is
> simply an available mechanism in the spectrum between easy-to-use and
> rock-solid security.

As the discussion so far indicates, and as published papers show, the
security of these "security questions" is lower than the security of
the password.
> 
> | My theory is that no actual security people have ever been involved, and
> | that it's just another one of those stupid design practices that are
> | perpetuated because "nobody has ever complained" or "that's what
> | everybody is doing".
> 
> Your theory is incorrect. There is considerable analysis on what

Can you reference it please?  There has been some analysis on the 
entropy of passphrases as a password replacement, but it is not relevant.

> constitute good security questions based on the anticipated entropy of
> the responses. This is why, for example, no good security question has a
> yes/no answer (i.e., 1-bit). Aren't security questions just an
> automation of what happens once you get a customer service
> representative on the phone? In some regards they may be more secure as
> they're less subject to social manipulation (i.e., if I mention a few
> possible answers to a customer support person, I can probably get them
> to confirm an answer for me).

The difference is that when you are interfacing with a human, you have 
to go through a low-speed interface, namely, voice. In that respect,
a security question, coupled with a challenge about recent transactions,
makes for adequate security.  The on-line version of the security 
question is vulnerable to automated dictionary attacks.

/ji

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
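The entropy and guess-rate argument in the exchange above, as an added illustration that is not part of the original post: a constructed, hypothetical answer distribution for a "favourite colour" style question and a yes/no question, with Shannon entropy, min-entropy, and the fraction of accounts an attacker guessing most-common-first would open under an unthrottled on-line budget versus a small voice-call budget.

```python
import math
from collections import Counter

# Constructed answer counts for hypothetical questions; illustrative only,
# not survey data. Totals are 100 so fractions read directly as percentages.
COLOUR_ANSWERS = Counter({"blue": 42, "green": 18, "red": 14, "purple": 9,
                          "black": 6, "yellow": 4, "orange": 3, "pink": 2,
                          "white": 2})
YES_NO_ANSWERS = Counter({"yes": 55, "no": 45})


def shannon_entropy_bits(counts):
    """Average information per answer; overstates resistance to guessing."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def min_entropy_bits(counts):
    """-log2 of the most common answer's probability: the one-guess bound."""
    total = sum(counts.values())
    return -math.log2(max(counts.values()) / total)


def success_fraction(counts, guess_budget):
    """Share of accounts opened with guess_budget tries per account, trying
    answers in descending frequency order (a frequency-sorted dictionary)."""
    total = sum(counts.values())
    top = sorted(counts.values(), reverse=True)[:guess_budget]
    return sum(top) / total


def compare(counts, online_budget=1000, voice_budget=2):
    """Contrast an unthrottled on-line attacker with a voice-rate attacker."""
    return {
        "shannon_bits": round(shannon_entropy_bits(counts), 2),
        "min_entropy_bits": round(min_entropy_bits(counts), 2),
        "online_success": success_fraction(counts, online_budget),
        "voice_success": success_fraction(counts, voice_budget),
    }


if __name__ == "__main__":
    for name, dist in (("colour", COLOUR_ANSWERS), ("yes/no", YES_NO_ANSWERS)):
        print(name, compare(dist))
```

The point the numbers make is that a skewed answer distribution falls to a handful of guesses whenever the interface allows them, so lockout or throttling of on-line attempts, not question wording, is what carries the security.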
