What is your name? What is your quest?

I was recently helping an acquaintance get back into her email service after she'd forgotten her password. Since I'm one of the more computer-literate people in her circle, she figured I was the logical choice to call. She even suggested that, if she could not recreate her password, I could break into the service for her so she could retrieve her mail. I explained that, if it were that easy, a whole lot of people a whole lot smarter than me would be doing it all the time.
"Did you click on forgotten password?" I asked.
"Oh, no, I didn't. What happens if I do that?"
"It will ask you your security questions. You must have set those up when you created the account."
In fact, she couldn't remember, but she thought that maybe somebody else had helped her set it up.
I had her click on "Forgot my password," and it indeed asked her some basics.
1) First pet's name
2) City of birth
3) Mother's maiden name
Sure enough, this got us in. And this is one of the things I cover in my book. The most basic requirement for a security question should be something that is easy for you to remember, but hard for somebody else to guess. It's that simple. Now, that's if you are serious about your own personal security. But now put on your admin's hat. Most people are freaking lazy. Even in corporate environments, where their email and other types of folders contain sensitive material, they don't like to put much effort into these questions. And that's when you get situations like this:
1) First pet's name? fido
2) City of birth? fido
3) Mother's maiden name? fido
First off, you should NEVER let people create their own questions. You should create a body of questions and let them choose from those. And those questions should be a little more challenging. Next, you should make sure the answers aren't ridiculous. Now, you cannot seriously validate the answers for an individual. One of your users might actually have been born in the town of Fido.
But what you CAN do, with the right technology, is ensure that those answers aren't trivially easy to guess.
This is one of the things I've liked about Oracle Adaptive Access Manager (OAAM), a great product with a crappy name. It can enforce logic on the security questions' answers. For example,
- the answers can't all be the same
- the answers can't contain parts of the questions (e.g. answering "What is your favorite color?" with "color")
- the answers can't be part of the user's name
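To make those three rules concrete, here is a small answer-quality validator written for this post; it is an added example, not OAAM's code, and the question list, the stopword set and the user names are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample question bank: an admin-curated list the user picks from,
# so users never write their own questions.
QUESTIONS = [
    "What was your first pet's name?",
    "In what city were you born?",
    "What is your mother's maiden name?",
    "What is your favorite color?",
]

# Question words too generic to count as "part of the question" (assumed list).
STOPWORDS = {"what", "was", "were", "your", "you", "first", "name", "born", "is", "in"}


def _tokens(text: str) -> List[str]:
    """Lower-case alphabetic words of a question or name."""
    return re.findall(r"[a-z]+", text.lower())


def validate_answers(user_name: str, qa: Dict[str, str], min_len: int = 3) -> List[str]:
    """Return the policy violations for a question->answer mapping (empty list = acceptable)."""
    problems: List[str] = []
    answers = [a.strip().lower() for a in qa.values()]
    # Rule 1: the answers can't all be the same ("fido", "fido", "fido").
    if len(answers) > 1 and len(set(answers)) == 1:
        problems.append("all answers are identical")
    name_parts = {p for p in _tokens(user_name) if len(p) >= min_len}
    for question, answer in qa.items():
        a = answer.strip().lower()
        if len(a) < min_len:
            problems.append(f"answer to {question!r} is too short")
        # Rule 2: the answer can't contain a meaningful word of its own question.
        for word in _tokens(question):
            if len(word) >= min_len and word not in STOPWORDS and word in a:
                problems.append(f"answer to {question!r} contains the question word {word!r}")
                break
        # Rule 3: the answer can't be (part of) the user's name.
        for part in name_parts:
            if part in a or a in part:
                problems.append(f"answer to {question!r} overlaps with the user's name")
                break
    return problems
```

The checks only catch the lazy patterns the post describes; a user genuinely born in Fido still passes, which is exactly the limit the text acknowledges.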
Sarah Palin's email got hacked during the 2008 campaign season because she (foolishly) made her security questions things that were easily Googled. She's a well-known public figure, whose personal info is all over the Net, and this is what she used for her security info. I find this completely mind-boggling. Or maybe not.
Reader Comments (2)
Nice explanation and thought, but what you point out is new OAAM had been implemented long back in Sun, sadly the Sun went down!
Thanks as always.