Chapter 3

Human Aspects of Security

Secret Questions Blow a Hole in Security

Originally published in ComputerWeekly, April 4, 2008

It's a mystery to me why websites think “secret questions” are a good idea. We sign up for an online service, choose a hard-to-guess (and equally hard-to-remember) password, and are then presented with a “secret question” to answer.

Twenty years ago, there was just one secret question: What's your mother's maiden name? Today, there are several: What street did you grow up on? What's the name of your favorite teacher? What's your favorite color? Often, you get to choose.

The idea is to give customers a backup password. If you forget your password, then the secret question is a way to verify your identity. It's a great idea from a customer service perspective—users are less likely to forget their first pet's name than some random password—but terrible for security.

The answer to the secret question is much easier to guess than a good password, and the information is much more public. I'll bet my childhood address is in some database somewhere. And worse, everybody seems to use the same series of secret questions.

The result is that the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). The security of the entire system suffers. I'm sure the designers of the system thought the fallback system would only be used rarely, when a user forgot their password. But any good security engineer realizes that bad guys ...