With so many people at home, there seem to be a large number of Facebook quizzes and challenges that ask you to share personal information with friends. Some of them are fun, but what usually follows is a meme saying to stop sharing your personal information. One of the latest – the high school photo challenge – even prompted this article from CNN.
Most of them are missing the actual problem. It’s not necessarily that you’re sharing personal information (though, depending on what that is, it can still be a problem), it’s why this information makes you vulnerable. That doesn’t get nearly enough discussion.
The problem is this kind of information is often used as answers to security questions, to help identify you in case you get locked out of an account. However, there are a number of problems with how this is done, which is why NIST and others recommend getting rid of security questions and answers entirely. This is clearly not a new recommendation, yet it’s still all too prevalent.
There are a number of reasons why this practice is flawed. First, if you allow users to set their own security questions, well, most people suck at it. Here are some that I’ve seen:
- What is my password?
- Work address
- High school mascot
- What state are you located in?
- Wife’s name
The first one won’t help you if you’ve forgotten your password, and the rest are pretty easy to find if you do some research on the person.
If you leave it up to programmers to come up with a list of predefined questions the user can choose, usually the list isn’t long enough and the questions aren’t a lot better than what you see above. There are lists you can use, but it is challenging to come up with enough questions that (a) will apply to most people using your web site, (b) the user will remember answer, (c) the answer won’t change over time, and (d) aren’t easily determined from social media and other sources.
More importantly, security answers are really no more than passwords, and typically only used for account recovery. That leads to several other problems.
If humans are involved in verifying the user, that means the answer has to be stored in a way that it can be decrypted. That is less secure than how passwords are typically stored, which is by using a one-way hashing algorithm. With that, you don’t need to know what the answer is, you just need to hash the user-provided password the same way, and compare it to what is stored.
Finally, because of their nature, they are more likely to be reused across several web sites – one of the most important things you should not do with a password. So, if one site gets hacked and your security question and answer are exposed, you are now vulnerable across multiple web sites. Good luck finding a new mom.
Adding an additional layer of the same factor (in this case a memorized secret – which both passwords and security answers are) only increases security a little bit. In this case, though, it isn’t an extra layer at all, because you’re using this secret only when you’ve forgotten the other. But, because of all the other problems with this, having security questions and answers instead makes your account less secure, because it is a much lower bar for a hacker to clear to find the street you grew up on, for example, and gain control of your account through that answer.