The recent compromise of Alaska governor Palin’s email account was reportedly accomplished through the use of a password reset service. The attacker masqueraded as Governor Palin by answering the associated “security” questions which were discovered through searches of publicly available information. This situation illustrates a significant weakness in password reset services.
The effectiveness of authentication factors, such as passwords and pass-phrases, is strongly dependent on their secrecy. Their security strength can be measured by their ability to withstand a brute force attack or to resist an attacker’s attempt to guess them correctly. Password reset mechanisms commonly entice users to enter information that is not secret. This undermines the value of a strong password and increases risk to the user.
Password reset mechanisms rely on a series of questions to authenticate the user. If someone else can discover the answers to those questions, then the account is subject to compromise. Most reset mechanisms ask inappropriate questions such as:
- Where were you born?
- What is your preferred color?
- What was your first car?
- Who is your favorite author?
- When did you graduate high school?
These are inappropriate because at best the answers are known to a significant other and at worst they are publicly discoverable. Although the answers are conveniently known to the user, they can all be discovered by others. Making an authentication scheme depend on such weak secrets increases the overall risk to the user.
Another potential problem with password reset services is the storage of the answers. If they are not encrypted or hashed then the information might be subject to other attacks. Therefore, access control must be an integral part of the mechanism.
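As an added illustration of the storage point above (example code written for this page, not from the original post), the answers are canonicalised, salted and run through PBKDF2 so that only salted digests reach storage; verification uses a constant-time comparison and evaluates every question before returning. The iteration count is an assumption to tune for your own hardware.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # assumption: tune to your hardware, keep it slow


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so harmless typing differences (case, Unicode
    form, stray spaces) do not lock the legitimate user out."""
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); the plaintext answer is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_answer(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


def enroll(answers: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build the record to persist: question -> (salt, digest)."""
    return {question: hash_answer(answer) for question, answer in answers.items()}


def reset_allowed(record: Dict[str, Tuple[bytes, bytes]], attempt: Dict[str, str]) -> bool:
    """All enrolled questions must be answered correctly. Every question is
    checked, so the response time does not reveal which one failed."""
    results = [
        verify_answer(attempt.get(question, ""), salt, digest)
        for question, (salt, digest) in record.items()
    ]
    return bool(results) and all(results)


# Constructed enrollment using the catch-phrase style the post recommends.
SAMPLE_RECORD = enroll({
    "Where were you born?": "Over there which is not here",
    "What was your first car?": "A car unlike any other",
})
```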
Authentication factors should only be reproducible by the intended subject. Security professionals often extol the importance of strong passwords. We should also encourage the use of genuine secrets as the answers that support password reset services. Password reset questions should be answered with easily remembered, irrelevant catch phrases such as:
- Where were you born? -- Over there which is not here
- What is your preferred color? -- An uncommon chromatic hue
- What was your first car? -- A car unlike any other
- Who is your favorite author? -- Someone very famous
- When did you graduate high school? -- I did graduate high school
Perhaps the more fun you have with answering these questions the better your “secret” will be. In short, protect a secret with another secret when access controls are less than adequate. Nothing less will do.
Hi Sean,
Creative answers to authentication questions is excellent advice. Thanks!
Yours sincerely, Tim
Posted by: Tim Bass | 24 September 2008 at 01:35 AM
The organization must buy off on the reason for 'hard questions' and be prepared to educate the end user on why it has chosen to do so. Otherwise the value is lost and adoption sinks.
Posted by: TheCO | 24 September 2008 at 10:08 AM
I would take it a step further. I would combine them with numbers and special characters like a password.
Another lesson from the Sarah Palin Yahoo hack is that the laws covering privacy need to be modernized. If the same hacker stole her postal mail rather than her e-mail, he or she would get 5 years in prison rather than 2 years. However, a first time offender would probably see no prison time. On top of it, the web site which published the web site has not technically violated any laws. There should be a law against such publication since it is aiding and abetting the crime. Suppose it was her financial information? She could have been subject to huge financial losses (I don't care what her politics is, she has a right to privacy.) In addition, this publication could have led to physical security problems by tipping off her future activities.
Posted by: John Dittmer | 24 September 2008 at 10:30 AM