Security Questions: Not So Secure

November 28th, 2012

Do you force your users to pick from a list of predefined security questions?

Who is my favorite singer? I don't have one, and even if I did, tastes change over time. What was the name of my first dog? His name was Rex. That was your guess number one anyway. In what hospital was I born? I don't know, and I would probably make a transliteration mistake because we Russians use an alphabet of 33 letters with a few sounds that you will not find in English.

These questions are also a huge security concern. Your friends may know what books you read, what music you listen to, what movies you watch… they may have even watched these movies with you. We should not have to worry about discussing these things online just because some developers decided that only you know in which city you were born. This is not private information, so it's not really a "security" question.

Another problem with questions like my mother's maiden name is that once a site stores the answer in plain text, it becomes a buffet for anyone who wants to hack all my accounts. Most sites use these same cliché questions, so once attackers have hacked one site, they may be able to hack them all.

Solution

  1. Do not predefine questions. Allow the user to write their own. Allow Unicode so they may use a different language. If you're afraid that some beginners won't know what questions to write, give them a non-cliché example. Explain that their friends should not know the answer.
  2. Do not store answers in plain text. Salt and hash the answers before storing. Chances are that your user has the same questions on other sites. Do the Internet a favor.
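
A sketch of step 2 that also copes with the Unicode answers step 1 allows; this is an added example, not code from the original post. The function names and cost parameters are assumptions, and scrypt is chosen here as the salted hash because answers are short and easy to guess (the post itself only says "salt and hash").

```python
import hashlib
import hmac
import os
import unicodedata

# scrypt cost parameters: assumed values for this example, tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def normalize_answer(answer: str) -> bytes:
    """Canonicalize an answer so harmless typing differences still match."""
    text = unicodedata.normalize("NFKC", answer)  # composed vs. decomposed letters
    text = " ".join(text.split())                 # trim and collapse whitespace
    text = text.casefold()                        # case-insensitive in any script
    text = unicodedata.normalize("NFKC", text)    # casefold can denormalize
    return text.encode("utf-8")


def _derive(answer: str, salt: bytes) -> bytes:
    return hashlib.scrypt(normalize_answer(answer), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_answer(answer: str) -> tuple[bytes, bytes]:
    """Return (salt, digest); store both, never the answer itself."""
    salt = os.urandom(16)  # fresh per answer, so equal answers hash differently
    return salt, _derive(answer, salt)


def verify_answer(answer: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(_derive(answer, salt), stored)


if __name__ == "__main__":
    # Constructed sample answer, not taken from the post.
    salt, digest = hash_answer("Йошкар-Ола")
    print(verify_answer("  йошкар-ола ", salt, digest))
    print(verify_answer("Москва", salt, digest))
```

Because each answer gets its own random salt, a leaked table does not reveal which users, or which sites, share the same answer.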
