net.wars: Which lie did I tell?

by Wendy M Grossman | posted on 06 December 2009

"And what's your mother's maiden name?"

A lot of attention has been paid over the years to the quality of passwords: how many letters, whether there's a sufficient mix of numbers and "special characters", whether they're obviously and easily guessable by anyone who knows you (pet's name, spouse's name, birthday, etc.) or whether you've reset them sufficiently recently. But, as someone noted this week on UKCrypto, hardly anyone pays attention to the quality of the answers.


Answers to the "password hint" questions which sites ask (so they can identify you when you eventually forget your password) are important! By analogy, it's as though we spent all our time beefing up the weight, impenetrability, and lock quality on our front doors while leaving the back of the house accessible via two or three poorly fitted screen doors.

On most sites it probably doesn't matter much. But the question came up after the BBC broadcast an interview with the journalist Angela Epstein, the loopily eager first registrant for the ID card, in which she apparently mentioned having been asked to provide the answers to five rather ordinary security questions "like what is your favourite food". Epstein's column gives more detail: "name of first pet, favourite song and best subject at school".

Even Epstein calls this list "slightly bonkers". This, the UKCrypto poster asked, is going to protect us from terrorists?

Dave Birch had some logic to contribute: "Why are we spending billions on a biometric database and taking fingerprints, if they're going to use the questions instead? It doesn't make any sense." It doesn't: she gave a photograph and two fingerprints.

But let's pretend it does. The UKCrypto discussion headed into technicalities: has anyone studied challenge questions?

It turns out someone has: Mike Just, described to me as "the world expert on challenge questions". Just, who's delivered two papers on the subject this year, at the Trust (PDF) and SOUPS (PDF) conferences, has studied both the usability and the security of challenge questions. There are problems from both sides.

First of all, people are more complicated and less standardised than those setting these questions seem to think:

  • some never had pets;
  • some have never owned cars;
  • some can't remember whether they wrote "NYC", "New York", "New York City", or "Manhattan".

And people and their tastes change. This year's favourite food might be sushi; last year's was chocolate chip cookies. Are you sure you remember accurately what you answered? With all the right capitalisation and everything? Government services are supposedly thinking long-term. You can always start another Amazon account; but ten years from now, when you've lost your ID card, will these answers even be valid?

This sort of thing is reminiscent of what biometrics expert James Wayman has often said about designing biometric systems to cope with the infinite variety of human life: "People never have what you expect them to have where you expect them to have it." (Note that Epstein nearly failed the ID card registration because of a burn on her finger.)

Plus, people forget. Even stuff you'd think they'd remember, and even people who, like the students he tested, are young.

From the security standpoint, there are even more concerns. Many details about even the most obscure person's life are now public knowledge. What if you went to the same school for 14 years? And what if that fact is thoroughly documented online because you joined its Facebook group? Complete with photographs of your favourite pet?

A lot depends on your threat model: your parents? hackers with scripted dictionary attacks? friends and family? marketers? snooping government officials?

Just accordingly came up with three types of security attacks for the answers to such questions: blind guess, focused guess, and observation guess. Apply these to the often-used "mother's maiden name": the surname might be two letters long; it is probably one of the only 150,000 unique surnames appearing more than 100 times in the US census; it may be eminently guessable by anyone who knows you – or about you.

In the Facebook era, even without a Wikipedia entry or a history of Usenet postings many people's personal details are scattered all over the online landscape. And, as Just also points out, the answers to challenge questions are themselves a source of new data for the questioning companies to mine.

My experience from The Skeptic suggests that over the long term trying to protect your personal details by not disclosing them isn't going to work very well.

People do not remember what they tell psychics over the course of 15 minutes or an hour. They have even less idea what they've told their friends or, via the Internet, millions of strangers over a period of decades - or how their disparate nuggets of information might match together.

It requires effort to lie – even by omission – and even more effort to sustain a lie over time. It's logically easier to construct a relatively small number of lies. Therefore, it seems to me that it's a simpler job to construct lies for the few occasions when you need the security... and only protect that small group of lies. The trouble then is documentation.

Even so, says Birch, "In any circumstance, those questions are not really security. You should probably be prosecuted for calling them 'security'."


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, follow on Twitter or send email to netwars(at) skeptic.demon.co.uk (but please turn off HTML).