[130144] in cryptography@c2.net mail archive
Re: security questions
daemon@ATHENA.MIT.EDU (John Ioannidis)
Fri Aug 8 10:38:30 2008
Date: Thu, 07 Aug 2008 19:14:18 -0400
From: John Ioannidis <ji@tla.org>
To: cryptography@metzdowd.com
In-Reply-To: <8051C0C0C5D53544833F107546C5323302B7DD30@CORPUSMX50C.corp.emc.com>
piers.bowness@rsa.com wrote:
> John Ioannidis wrote:
> | Does anyone know how this "security questions" disease started, and why
> | it is spreading the way it is? If your company does this, can you find
> | the people responsible and ask them what they were thinking?
>
> The answer is "Help Desk Call Avoidance"; allow the end-user to fix
> their own account without having to get someone on the phone. This is
> simply an available mechanism in the spectrum between easy-to-use and
> rock-solid security.
As the discussion so far indicates, and as published papers show, the
security of these "security questions" is lower than the security of
the password.
>
> | My theory is that no actual security people have ever been involved, and
> | that it's just another one of those stupid design practices that are
> | perpetuated because "nobody has ever complained" or "that's what
> | everybody is doing".
>
> Your theory is incorrect. There is considerable analysis on what
Can you reference it please? There has been some analysis on the
entropy of passphrases as a password replacement, but it is not relevant.
> constitute good security questions based on the anticipated entropy of
> the responses. This is why, for example, no good security question has a
> yes/no answer (i.e., 1-bit). Aren't security questions just an
> automation of what happens once you get a customer service
> representative on the phone? In some regards they may be more secure as
> they're less subject to social manipulation (i.e., if I mention a few
> possible answers to a customer support person, I can probably get them
> to confirm an answer for me).
The difference is that when you are interfacing with a human, you have
to go through a low-speed interface, namely, voice. In that respect,
a security question, coupled with a challenge about recent transactions,
makes for adequate security. The on-line version of the security
question is vulnerable to automated dictionary attacks.
/ji
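Editor's added example, not part of the thread above. It puts numbers on the two points the exchange turns on: the "anticipated entropy of the responses" (Shannon entropy, and the min-entropy that actually governs a guesser's first-try odds) and the exposure of the on-line version to automated guessing, expressed as the fraction of accounts a guesser opens within whatever attempt budget the lockout policy allows. The answer distributions (YES_NO, FAVORITE_COLOR, uniform) are constructed, hypothetical frequencies; none comes from a study or from the list.

```python
"""Quantify how much protection a security question gives against on-line guessing.

Added illustration for the thread above; the answer frequencies are constructed,
hypothetical values, not measured data.
"""
import math
from typing import Dict, List

# Constructed distributions: probability that a random user gives each answer.
YES_NO = {"yes": 0.55, "no": 0.45}          # the 1-bit question mentioned in the thread
FAVORITE_COLOR = {                          # a skewed free-text answer (hypothetical)
    "blue": 0.30, "red": 0.18, "green": 0.14, "purple": 0.09, "black": 0.08,
    "yellow": 0.05, "pink": 0.05, "orange": 0.04, "white": 0.04, "other": 0.03,
}


def uniform(n: int) -> Dict[str, float]:
    """n equally likely answers: the best case for a question with n possible answers."""
    return {f"a{i}": 1.0 / n for i in range(n)}


def _sorted_probs(dist: Dict[str, float]) -> List[float]:
    """Answer probabilities, most common first (the order a dictionary attack tries them)."""
    probs = sorted(dist.values(), reverse=True)
    if abs(math.fsum(probs) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    return probs


def shannon_entropy(dist: Dict[str, float]) -> float:
    """Average information in bits: the figure usually quoted as 'entropy of the responses'."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def min_entropy(dist: Dict[str, float]) -> float:
    """-log2 of the most common answer; this, not Shannon entropy, bounds first-guess success."""
    return -math.log2(max(dist.values()))


def success_within(dist: Dict[str, float], guesses: int) -> float:
    """Fraction of accounts opened by trying the `guesses` most common answers.

    Equivalently: the expected compromised fraction of a user population when the
    service locks the account (or rate-limits) after `guesses` failed attempts.
    """
    return math.fsum(_sorted_probs(dist)[:guesses])


def guesses_for(dist: Dict[str, float], target: float) -> int:
    """Smallest attempt budget that reaches `target` success probability."""
    if not 0.0 < target <= 1.0:
        raise ValueError("target must be in (0, 1]")
    probs = _sorted_probs(dist)
    for k in range(1, len(probs) + 1):
        if math.fsum(probs[:k]) >= target:
            return k
    return len(probs)  # rounding only; all answers tried means success in practice


def compare(questions: Dict[str, Dict[str, float]], lockout_after: int) -> Dict[str, dict]:
    """Per-question report for a given lockout policy, for choosing questions and thresholds."""
    return {
        name: {
            "shannon_bits": round(shannon_entropy(d), 2),
            "min_entropy_bits": round(min_entropy(d), 2),
            "p_compromised": round(success_within(d, lockout_after), 3),
            "guesses_to_50pct": guesses_for(d, 0.5),
        }
        for name, d in questions.items()
    }


if __name__ == "__main__":
    report = compare(
        {"yes/no": YES_NO, "favourite colour": FAVORITE_COLOR, "uniform 1024": uniform(1024)},
        lockout_after=5,
    )
    for name, row in report.items():
        print(f"{name:18s} {row}")
```

The comparison makes the thread's point concrete: with a five-attempt lockout the yes/no question is opened for every account, the skewed free-text question for well over half of them, and only the uniform 1024-answer case behaves like a modest password. It also shows why a question that looks respectable by Shannon entropy can still be weak, since the guesser's odds depend on the most common answer (min-entropy), not the average. The same arithmetic applies to the voice channel Piers describes; the difference is only that a human interface caps `guesses` at a handful per call.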
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com