
Security Questions Used To Reset Passwords

19 years 4 months ago #9214 by ping
I'm dealing with the issue right now and thought I'd get your input... here are some interesting points about using questions like WHAT IS YOUR FAV COLOR? to reset passwords.

The following is quoted from: hxxp://www.owasp.org/columns/mburnett/questions.html (emphasis is mine)

"Answering secret questions requires some knowledge of the user account, but secret questions break all the rules for strong passwords and have some significant weaknesses:

- An attacker can sometimes discover the information with little research;
- The answer to the question is usually a fact that will never change;
- Users reuse the same secret questions and answers across multiple Web sites;
- Someone close to the individual could know the answers to many of the questions;
- People rarely change their secret questions;
- The answers are often case-insensitive and usually contain a limited character set;
- Some questions have a limited number of answers; and
- With some questions, many people will have the same common answers." >END QUOTE

In other words, it is sometimes easier to reset a password than it is to crack it.

Just because banks, government, and multitudes of other Internet sites use simple questions and answers to manage password resets, that does not make it a good practice, just a standard one. (I hear this all the time from management: "everyone else is doing it." That's when I revert to my childhood and ask them the universal "mom" question: If everyone jumps off a cliff, would you too?)

I'm not sure what the solution is, other than software requiring users to change their question and answer just like their password. Perhaps it is using the "email reset" option that sites are using (like GSO). The problem with this solution is that many employees in some companies don't have email access.

Furthermore, should you allow folks to reset passwords over the Internet or from outside the company using a phone? This makes me queasy; it would depend on the software and the implementation.

User productivity and the cost of resetting passwords (estimated to be $10-30 per call) is what drives automated password resets.

Your comments?

What auto resets does your company use? Is it available from outside the company via Internet or phone?

Personally, I solve the Q&A problem by:

1) never answering a security question with a standard answer. Example:

Q What is your favorite color?
A Hiroshima, Japan.

Q What is your mother's maiden name?
A pi=3.1469

[Why anyone would reveal their mother's maiden name or birthday or like data to anyone is beyond me. This question is just plain stupid. Besides, many moms never marry and change their name, so the maiden name is the surname.]

2) I also change the question/answer periodically (if allowed).

3) Notice also that I use at least 3 different character classes in the answer (lowercase, uppercase, special characters, numbers).

Of course, this means that you now have to write down your questions and answers so you can remember them, but that's the price of security, and besides, that's what a password safe is for.

(Of course, I also write all my password info in code, so if you were to find it, it would do you no good, but that's a different discussion).

The greatest pleasure in life is doing what people say you can not do..!!
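The quoted weaknesses (case-insensitive matching, a limited set of answers, many people giving the same answer) can be measured rather than argued about. The following is an added example, not code from the post or from OWASP: it takes a constructed batch of answers to "What is your favorite color?", normalizes them the lenient way reset forms usually do, and reports how likely a guesser is to succeed within the handful of attempts a lockout policy allows, and how many bits of min-entropy the question really offers compared with a random answer of the kind ping uses. The sample answers, the helper names and the assumed normalization rule are all this example's own.

```python
import math
from collections import Counter

# Constructed sample of how users answered "What is your favorite color?"
# on a hypothetical site; not real survey data.
SAMPLE_ANSWERS = [
    "Blue", "blue ", "BLUE", "blue",
    "Green", "green",
    "red", "Red",
    "purple",
    "black",
]


def normalize_answer(answer: str) -> str:
    """Mimic the lenient matching many reset forms apply: trim whitespace,
    collapse internal runs of spaces, and ignore case.  This leniency is
    exactly what shrinks the effective answer space (an assumed rule)."""
    return " ".join(answer.split()).lower()


def answer_distribution(answers):
    """Relative frequency of each normalized answer, most common first."""
    counts = Counter(normalize_answer(a) for a in answers)
    total = sum(counts.values())
    return {a: n / total for a, n in counts.most_common()}


def success_within(dist, attempts: int) -> float:
    """Probability that someone who simply tries the most common answers,
    in order, hits the right one within `attempts` tries, i.e. before a
    lockout counter trips.  This is the number a lockout policy is really
    measured against."""
    return sum(sorted(dist.values(), reverse=True)[:attempts])


def min_entropy_bits(dist) -> float:
    """Min-entropy: the entropy measure that matters for guessing, driven
    entirely by the single most common answer."""
    return -math.log2(max(dist.values()))


def random_answer_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random answer, for comparison with treating
    the answer as a second password rather than a fact about yourself."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    dist = answer_distribution(SAMPLE_ANSWERS)
    print("distribution:", dist)
    for k in (1, 3, 5):
        print(f"chance of a hit within {k} attempts: {success_within(dist, k):.0%}")
    print(f"min-entropy of the question: {min_entropy_bits(dist):.2f} bits")
    print(f"random 8-char lowercase answer: {random_answer_bits(26, 8):.1f} bits")
```

On the constructed sample, five attempts (a common lockout threshold) are enough to cover every answer anyone gave, and the question carries about 1.3 bits of min-entropy, against roughly 38 bits for even a short random string. The useful defensive reading is that a lockout counter cannot rescue a question whose answer space is this small; the fix is either to stop using the question or to make the answer a secret in its own right.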
19 years 4 months ago #9219 by TheBishop
Replied by TheBishop on topic Passwords
I know ping started the post by referring to a website, but this is a good and interesting post and might be appropriate under 'security'. Anyway, I'll leave that decision to our illustrious moderators..
I agree that the weakest link by far in the whole security question and password field is the users themselves. It's all very well making a system that will accept strong passwords but unless you force users to use them, they will choose weak passwords every time! A while ago we did an internal L0phtcrack of our network and reviewed the password list. It was shocking just how many of them were the names of partners or pets, registration numbers and models of cars, and even insulting comments about the boss! And once you force them to use strong passwords they respond by writing them down and negating all the benefits. Perhaps biometrics is the way of the future?
19 years 4 months ago #9221 by nske

"and even insulting comments about the boss"

Did the boss participate in that password check-up? :lol:

Indeed, passwords for most people are nothing but an annoyance standing between them and using their system. Furthermore, it is commonly conceived that passwords can only be humanly "guessed" by rational means, and not automatically by dictionary/brute force attacks that can check millions of combinations in reasonable time.

The optimal authentication method, from a maximum security perspective, would be to combine more than one way of authenticating (i.e. hardware, password, fingerprint, voice), but that would also make the procedure user-unfriendly. In addition, right now technologies like voice and retina recognition either have a high fault rate (false positives/negatives) or are too expensive to implement.

I believe the best isolated authentication method currently is through the use of a PGP key stored in a hardware medium such as a smart card, which will provide protection against replication. And the technology isn't even expensive.

PS. Topic moved to Security, as Bishop kindly indicated
19 years 4 months ago #9227 by ping
I completely agree with you people; from all the cases of password theft, most people have passwords based on something very near to them or anything that they come into touch with daily. It is good to have websites forcing the password minimum limit to 8 chars.

Although, here is what I have to say:

the question / answer method is best when the answer is given and the person types the question...which makes it a passphrase rather than a password.

I think it's unreasonable to expect people to change these...there is a point that users just can't handle anymore and this would be beyond that point.

I have seen some instances where an SMS text message is used. You log on to, say, your internet banking, then a text with a 4-digit PIN is sent to your phone; you type in the PIN and then you have access.

This sort of thing can be used depending on the level of access required. For example, to log on to internet banking, user/pass is fine. To pay a bill or transfer money higher than 200 dollars, the text is required.

You could use the same thinking inside of companies, depending on the data/system being accessed. General use = user/pass, privileged use = user/pass/something extra.

Cheers :wink:

The greatest pleasure in life is doing what people say you can not do..!!