The recent compromise of Alaska governor Palin’s email account was reportedly accomplished through the use of a password reset service. The attacker masqueraded as Governor Palin by answering the associated “security” questions which were discovered through searches of publicly available information. This situation illustrates a significant weakness in password reset services.
The effectiveness of authentication factors, such as passwords and pass-phrases, is strongly dependent on their secrecy. Their strength can be measured by how well they withstand a brute-force attack or resist an attacker's attempts to guess them. Password reset mechanisms commonly prompt users to enter information that is not secret, which undermines even a strong password and increases the risk to the user.
Password reset mechanisms rely on a series of questions to authenticate the user. If someone else can discover the answers to those questions, the account is subject to compromise. Most reset mechanisms ask inappropriate questions such as:
- Where were you born?
- What is your preferred color?
- What was your first car?
- Who is your favorite author?
- When did you graduate high school?
These questions are inappropriate because, at best, a significant other can answer them and, at worst, the answers are publicly discoverable. Although the answers are conveniently known to the user, they can all be discovered by others. An authentication scheme that depends on such weak secrets increases the overall risk to the user.
Another potential problem with password reset services is the storage of the answers. If the answers are stored without encryption or hashing, they are exposed to other attacks, so access control must be an integral part of the mechanism.
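The following is an added example, not code from the original post, showing one way a reset service can avoid storing answers in the clear: each answer is normalized, salted and run through PBKDF2 before storage, verification uses a constant-time comparison, and the number of attempts is limited. The iteration count, salt length and attempt limit are assumed values chosen for illustration; a deployment would tune them.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, Optional

# Assumed parameters for this example; tune for the deployment.
_ITERATIONS = 100_000
_SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so harmless variations ("Blue " vs "blue")
    do not lock out the legitimate user. Case-folding discards a little
    entropy, which is acceptable: the answer's strength has to come from
    its content, not its capitalization."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(normalized answer).
    A fresh random salt per answer means two users who give the same
    answer do not share a stored value, and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(_SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, _ITERATIONS
    )
    return salt + digest


def verify_answer(stored: bytes, candidate: str) -> bool:
    """Recompute the hash under the stored salt and compare in constant time."""
    salt, digest = stored[:_SALT_BYTES], stored[_SALT_BYTES:]
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode("utf-8"), salt, _ITERATIONS
    )
    return hmac.compare_digest(recomputed, digest)


class ResetChallenge:
    """Holds only hashed answers and limits how many verification attempts
    are accepted, so an attacker cannot cycle through guesses for free."""

    def __init__(self, answers: Dict[str, str], max_attempts: int = 5):
        self._hashed = {question: hash_answer(a) for question, a in answers.items()}
        self._attempts = 0
        self._max_attempts = max_attempts

    def check(self, responses: Dict[str, str]) -> bool:
        if self._attempts >= self._max_attempts:
            return False  # locked: attempt budget exhausted
        self._attempts += 1
        # Verify every question even after a mismatch so response timing
        # does not reveal which individual answer was wrong.
        results = [
            verify_answer(self._hashed[q], responses.get(q, "")) for q in self._hashed
        ]
        return all(results)


if __name__ == "__main__":
    # Constructed sample: the post's own "irrelevant catch phrase" style answers.
    challenge = ResetChallenge(
        {"first car": "A car unlike any other", "color": "An uncommon chromatic hue"}
    )
    print(challenge.check({"first car": "a car unlike any other", "color": "blue"}))
    print(challenge.check({"first car": "A car unlike any other",
                           "color": "An uncommon chromatic hue"}))
```

Hashing protects the stored answers if the database leaks, but it does nothing for an answer that is guessable in the first place; the attempt limit is what makes a short list of candidate guesses expensive to try.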
Authentication factors should only be reproducible by the intended subject. Security professionals often extol the importance of strong passwords. We should also encourage users to treat the answers that support password reset services as secrets. Password reset questions should be answered with easily remembered, irrelevant catch phrases such as:
- Where were you born? -- Over there which is not here
- What is your preferred color? -- An uncommon chromatic hue
- What was your first car? -- A car unlike any other
- Who is your favorite author? -- Someone very famous
- When did you graduate high school? -- I did graduate high school
Perhaps the more fun you have answering these questions, the better your “secret” will be. In short, protect a secret with another secret when access controls are less than adequate. Nothing less will do.