Reading what is currently the top answer to a recent question on how/whether to send users their passwords, I was intrigued that the most popular answer said the following...

  1. storing passwords in such a way that they are retrievable is insecure
  2. using a reset feature with the help of a secret question is a valid alternative

(These two points seem contradictory.)

I use hashed passwords for security, but I've always assumed that the password question and answer scheme are even less secure because they actually give a hint as to what the answer may be. (I often use .NET's default membership provider.)

Is there something I'm missing because I've not bothered to use the question & answer? Are secret question and answers, without incorporating any sort of timed email reset function, any more secure than storing a password in the db?


Follow Up: Microsoft's membership provider uses the same format for storing answers to secret questions as they do for the password. If you specify hashed for the password, then it will store the secret answer the same way.

From the posts below, it appears that, if used, a secret question/answer mechanism should only be used in addition to an email reset scheme, rather than instead of, and should be hashed as well. This, of course, may present problems for people like me who put long random strings in the secret answer section.
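The follow-up above says a secret answer, if used at all, should be stored the same way as the password. This added example (not code from the question or from the .NET membership provider) shows one way to do that in Python: the answer is normalised so harmless formatting differences do not lock the user out, then salted and stretched with PBKDF2-HMAC-SHA256, and verification uses a constant-time comparison. The iteration count, salt length and normalisation rules are assumptions for the example.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Assumed parameters for this example; tune to your own policy.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Canonicalise a secret answer before hashing (assumed rule set):
    Unicode NFKC, case-fold, strip edges, collapse internal whitespace."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 digest of a password or secret answer.
    Returns (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def store_answer(answer: str) -> dict:
    """What gets persisted for a secret answer: salt and digest only, never the text."""
    salt, digest = hash_secret(normalize_answer(answer))
    return {"salt": salt, "digest": digest}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_secret(normalize_answer(candidate), record["salt"])
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    # Constructed sample: the stored record reveals nothing about the answer text.
    record = store_answer("  Smith ")
    print("matches 'smith':", verify_answer(record, "smith"))
    print("matches 'jones':", verify_answer(record, "jones"))
```

Normalising before hashing is the usual trade-off for answers (unlike passwords), because users rarely remember the exact capitalisation of something they typed years earlier; the hash itself does nothing about the small dictionary most answers come from, which is the weakness the answers below discuss.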

+5  A: 

Secret questions and answers are only as secure as the user makes them to be. If someone knows anything about you, they can answer an easy question and reset your password. I'm guessing answers are also hashed, so that the answer is not directly stored. But again, knowing the answer to the question is all it takes.

A hashed password stored is about as secure as most applications get, and that's fine because it's one way, and thus the plain text is never stored nor can it be retrieved.

AlbertoPL
+7  A: 

The question and answer idiom has been exploited in many published "email hacks" (example) - I'd certainly avoid using it.

Paul Dixon
There's nothing secure about offering a second "password" that never changes and is presented with a hint.
Steven Sudit
+1  A: 

It depends also how related the secret question / answer are.

Case in point, when I'm presented with the option to put in a question I put in something like:

Question: Groovy Broccoli?

Answer: International Space Station 431

These are not actual question/answers I use, but I can assure you that the questions I use provide no clue whatsoever as to the answer.

scunliffe
Agreed, but most "secret questions" are less secure than the password in the first place - it's something family members will know, and that others may be able to find out on the internet. Somehow you have to strike a balance between what your users can remember without resorting to writing things down (defeats the whole purpose) and what's so obvious it's not a secret anyway.
Dave
Why bother then? You probably aren't the type to forget a password if you can remember the obscure answer to your unrelated question. I usually fill these fields with a long string of random characters when I have to (with the intent of never forgetting my password and thus never needing to actually answer the question).
Dave76
I guess it is one of those hindsight is 20/20 things. If I only needed to remember 3 passwords, I would never forget... but I have 20-30 passwords to remember... so the "least" used ones get forgotten. The "web" has made me need more and more of them... As a developer I hash the passwords thus can't "retrieve" them for a user, but I do provide an option that a password reset requires a secret question/answer (both free form). What I do find handy in general, is to provide a strength indicator where the user creates the password, so they can see how weak their password is (hopefully)
scunliffe
+6  A: 

Passwords are answers to a 'secret' question. That question is, "what is your password?".

As Scunliffe points out, adding an additional field of user input may or may not increase the security of the password - that depends on the user's practices.

DDaviesBrackett
The fact is that also the questions can be created by the user. So the answer is not as predictable as a simple password. Double factor validation is a very important way to increase security.
backslash17
+3  A: 

I would argue that a secret question/ answer combination is just another form of "password". I would then go on to suggest that a secret answer is probably weaker than a regular password, as there is rarely any suggestion that it should be anything other than regular words that are susceptible to dictionary attacks. In most cases, the dictionary space of the answer is significantly shortened by the context of the question (scunliffe's exception noted, however).

Jason Musgrove
+1  A: 

If you can get into the system by using the secret question, then that system is just as secure as the method with which the secret question is stored.

However, if a user uses their same password on other systems, then at least making sure the password is hashed keeps that user's password from being outted on other systems, like their online bank.

NickAtuShip
+2  A: 

One site I've been on (bank or health insurance) required me to answer six secret questions. For a password reset, they'd choose three of those at random and require me to answer them.

In addition, I presume they'd only store the hashed answers, not the plain text version. As DDaviesBrackett has said, the password is a secret question.

John Saunders
It's even better if one of the secret questions is also created by the user.
backslash17
+1  A: 

The crux of the security of the secret question usually lies in an alternate trusted communication medium. If the user answers the 'secret question' correctly, the server should provide a random password via the trusted channel (e.g. email address).

Then, using that random password (which is as safe as the user's email), he can use it to log in and change the password to something else.

Jeremy Powell
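As an added example of the flow Jeremy Powell describes (not code from the answer), the secret answer only decides whether a reset message is sent at all; the server persists a hash of a random, single-use, time-limited token, and the token delivered over the trusted channel is what actually authorises setting a new password. The 15-minute lifetime, the `send_email` callable and the in-memory store are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumed validity window


@dataclass
class ResetToken:
    token_hash: bytes   # only the hash is stored; a DB leak does not leak live tokens
    expires_at: float
    used: bool = False


class ResetService:
    """Issues and redeems single-use reset tokens sent over a trusted channel."""

    def __init__(self, send_email, now=time.time):
        self._send_email = send_email   # callable(address, token): the trusted channel
        self._now = now                 # injectable clock so expiry can be tested
        self._tokens = {}               # user id -> ResetToken (assumed in-memory store)

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def request_reset(self, user_id: str, email: str, answer_ok: bool) -> bool:
        """Step 1: a correct secret answer gates whether an email goes out.
        The answer itself never grants access to the account."""
        if not answer_ok:
            return False
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._tokens[user_id] = ResetToken(self._hash(token), self._now() + TOKEN_TTL_SECONDS)
        self._send_email(email, token)
        return True

    def redeem(self, user_id: str, presented: str) -> bool:
        """Step 2: the token from the email is accepted once, within its window,
        and then burned so a replayed message cannot reset the password again."""
        rec = self._tokens.get(user_id)
        if rec is None or rec.used or self._now() > rec.expires_at:
            return False
        if not hmac.compare_digest(rec.token_hash, self._hash(presented)):
            return False
        rec.used = True
        return True


if __name__ == "__main__":
    # Constructed demo: the "email" is a list standing in for the mail system.
    outbox = []
    svc = ResetService(lambda addr, tok: outbox.append((addr, tok)))
    svc.request_reset("alice", "alice@example.test", answer_ok=True)
    _, token = outbox[-1]
    print("first redeem:", svc.redeem("alice", token))    # True
    print("replay:", svc.redeem("alice", token))          # False
```

After a successful `redeem`, the application should let the user set a new password and invalidate existing sessions; as the answer says, this is only as safe as the user's mailbox, so the token must be short-lived and must never be reusable.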
+1  A: 

That depends on the security needs you require... And once they have already answered that part.

The only thing I have to add is that you use MD5 encryption for storing passwords, and other sensitive data. Be aware that at the present time it's next to impossible to discover the "phrase" encrypted by MD5. You can find loads of articles talking about it. And it isn't difficult to implement in your projects.

Regards. Fábio Antunes

Fábio Antunes
+2  A: 

I feel like part of your question is being overlooked. Because, like you, I see how we are somehow overlooking the common sense that if you should not store their password in plain text, yet you are willing to store their answer to their 'secret question' in plain text and then allow them to reset their password via a link sent through email, then why even have a secret question? Just email them the reset link. Of course you could just as easily encrypt the answer to the question.

It seems that many people, myself included, write their question/answer in some encrypted form where the question does not provide a hint, but I'm always asking myself when I create these - "if I don't remember the password that I am going to be using every time I come to this site, how will I ever remember my answer that I made up 2 years ago and have never used."

My Opinion: The whole idea of the 'secret question' is just a sense of false security, as if the addition of the secret question is going to make the process of hacking into my account so much harder that the one extra step will frustrate the hacker and cause him to give up.

It seems more likely that it will just provide a clue to a friend or family member who wants to screw with me.

Patcouch22
I agree. I was just surprised to see the top answer to the question I linked to show security question/answer as an alternative to an email password reset. I assume it's meant to be applied during an email reset, not as an alternative. And... it's not clear from Microsoft, how these security answers are stored.
Traples
I agree as well. Besides, resetting the password and sending a new temporary password by email is pretty acceptable.
Fábio Antunes
+3  A: 

I would use a secret question to determine if I should or shouldn't send them a newly generated password via an email. Never to let them set a new one. At the end of the day though, it all comes down to making it as secure as it needs to be. Whether you're an online bank or a networking site makes a huge difference.

Robin Day
+5  A: 

I allow myself to be guided by OWASP here:

They are unacceptable for the following reasons:

  • Collection of information about people without their explicit consent (such as "Mother's maiden name") is illegal in most privacy regimes. Such collection is subject to privacy laws, review and correction by the subject, and so on.

  • IT Security Policies and standards such as ISO 27000 prohibit the clear text storage of passwords, but almost all Q&A schemes store both the question and answer in the clear

  • The information in the answers is public for a goodly portion of the users of the Internet, and thus is found using public sources

VoiceOfUnreason
I didn't know about "ISO 27000 prohibit the clear text storage of passwords". Always learning... Thanks. Nice link for the guideline as well.
Fábio Antunes
Another commonly-held security misconception is foiled. OWASP should be required reading for anyone developing a publicly-available information system.
Robert Harvey
+1  A: 

"Greetings, Professor Falken." or why it is not a good idea to base any authentication scheme on non-secret, non-random-"ish" responses.

And, if you try to be a little tricky and choose random-"ish" responses to the notorious maiden-name-questions, you have to be able to remember them AFTER you have forgotten your password (and probably have changed it a few times since setting the "secret question").

Nay, the whole secret-questions scheme is botched from the start. For a start, the question is not secret but revealed to anybody claiming to have mislaid your password.

Don Johe