Secret Questions

May 12, 2008


Online services ask us to pick hard-to-guess passwords, and in the same breath ask us to answer “secret questions” just in case we forget our passwords. Typical questions are “What was your first pet’s name?” or “What street did you grow up on?”

The attack is obvious: why bother trying to guess someone’s password if you can focus on the easier task of guessing that person’s first pet’s name? As Brainard et al. [1] point out on the same issue, the question “What was the make of your first car?” is weak because “General Motors, for example, had about a 43% market share in the United States in 1983.” In short, the answers to secret questions have far lower entropy than passwords (they are drawn from a small, heavily skewed set rather than chosen at random), so they are easier to guess, and the password-reset path that relies on them becomes the weakest link in the account’s security.
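To put numbers on “lower entropy”, here is an added example (not code from the original post or from Brainard et al.) that compares a secret-question answer distribution against a random password. The 43% figure for General Motors is the one quoted above; every other share in the distribution is a constructed assumption chosen only to make the shares sum to 1, not real market data. It computes Shannon entropy, min-entropy, the expected number of guesses for an attacker who tries answers in most-likely-first order, and the probability of success within a fixed number of attempts (the kind of budget an account-lockout policy allows), and contrasts that with an 8-character random password over 62 symbols.

```python
import math
import secrets
import string

# Constructed, illustrative distribution of answers to
# "What was the make of your first car?". Only the 0.43 for
# General Motors comes from the text; the rest are assumptions.
FIRST_CAR_MAKE = {
    "General Motors": 0.43,
    "Ford": 0.23,
    "Chrysler": 0.12,
    "Toyota": 0.07,
    "Honda": 0.05,
    "Nissan": 0.04,
    "Volkswagen": 0.03,
    "other": 0.03,
}


def shannon_entropy_bits(dist):
    """Average information per answer: H = -sum p log2 p."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def min_entropy_bits(dist):
    """Worst case for the defender: -log2 of the single most likely answer.
    This is the figure that matters for a one-shot guess."""
    return -math.log2(max(dist.values()))


def success_within(dist, k):
    """Probability an attacker who guesses most-likely-first succeeds
    within k attempts (k = the lockout threshold, for example)."""
    probs = sorted(dist.values(), reverse=True)
    return sum(probs[:k])


def expected_guesses(dist):
    """Expected number of guesses in most-likely-first order (guesswork)."""
    probs = sorted(dist.values(), reverse=True)
    return sum((i + 1) * p for i, p in enumerate(probs))


def password_entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password of the given shape."""
    return length * math.log2(alphabet_size)


def uniform_success_within(alphabet_size, length, k):
    """Same k-guess success probability for a uniformly random secret."""
    keyspace = alphabet_size ** length
    return min(k, keyspace) / keyspace


def random_answer(length=16, alphabet=string.ascii_letters + string.digits):
    """The 'type a completely random answer' approach: generate an answer
    with no relation to the question, to be kept in a password manager."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(dist=FIRST_CAR_MAKE, attempts=5, alphabet_size=62, length=8):
    """Side-by-side summary of secret question vs. random password."""
    return {
        "question_shannon_bits": shannon_entropy_bits(dist),
        "question_min_entropy_bits": min_entropy_bits(dist),
        "question_expected_guesses": expected_guesses(dist),
        "question_success_within_attempts": success_within(dist, attempts),
        "password_bits": password_entropy_bits(alphabet_size, length),
        "password_success_within_attempts":
            uniform_success_within(alphabet_size, length, attempts),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:36s} {value:.6g}")
    print("random answer:", random_answer())
```

Under this constructed distribution an attacker with five attempts recovers the answer about 90% of the time, and even a single guess succeeds 43% of the time; the same five attempts against an 8-character random password succeed with probability on the order of 10^-14. The min-entropy figure (about 1.2 bits) is the honest comparison against a password’s 47-odd bits, since a lockout policy measures the attacker’s first few guesses, not the average.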

Now, this topic is not new. Bruce Schneier wrote about it a few years ago [2]. Schneier says that he “type[s] a completely random answer,” but consider this anecdote: a colleague of mine uses the same technique. He called up customer service once, who then asked him, “what’s the answer to your security question?” He said, “some random numbers.” The response was “okay.” So picking random numbers might be less secure than picking a realistic answer? :-)

Anyway, what surprises me is that secret questions are still prevalent today. Why aren’t more people up in arms about this issue? There needs to be an uprising. Go!


References

[1] J. Brainard, A. Juels, R. Rivest, M. Szydlo, and M. Yung, “Fourth-Factor Authentication: Somebody You Know,” ACM CCS 2006.

[2] B. Schneier, “The Curse of the Secret Question,” Computerworld, February 9, 2005.
