The secondary questions security gap

Angela Sasse at CPDP2017

The BBC reports that a common pastime on Facebook, comparing users’ top ten concerts, may present a security risk. The reason lies in the secondary security questions many websites use as fallback measures to identify users who have forgotten their passwords. Among the standard questions websites prompt users to provide answers for are the first gig you attended, your mother’s maiden name, your favourite movie, or the name of your first pet.

Quoted in the story, RISCS director and UCL professor Angela Sasse notes that it’s fairer to blame the sites for security breaches than individuals, arguing that using information that may be publicly available violates good security principles. Similar stories have surfaced in the past relating to other social media trends, such as posting your “porn name” – which is typically made up of the name of your first pet coupled with the name of the street you grew up on.

Sasse told the BBC, “The risk is not so much publishing these lists, rather that somebody thinks it is a good idea to use questions like that as security credentials.”

An ancillary problem is that many sites ask the same questions, and in case of a data breach those answers can be used to gain access to other accounts the user holds.

At the National Cyber Security Centre blog, Kate R expands on how site owners and developers might manage these security questions so they leave less of a gap in security. First, she says, try to find alternatives. If that’s not possible, avoid questions with easily guessable answers that attackers can exploit. Dynamic questions, which depend on answers generated from data sites already hold, may be a more secure choice than static questions if the pool of possible answers is large enough. Consider whether users can remember the answers they give, whether they are likely to use the same answers elsewhere, and how much effort the system will require of users.
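As an added illustration of the “large enough pool” point (example code written for this post, not from the NCSC guidance or any site’s implementation), the block below compares an attacker’s chance of guessing a skewed static question against a dynamic question with a uniform answer pool, under an assumed lockout after a fixed number of attempts. The answer frequencies are constructed for illustration, not survey data.

```python
# Added example (not from the original post): how much protection a secondary
# question gives when an attacker gets a limited number of guesses before lockout.
# The answer frequencies below are constructed, illustrative values.
import math
from typing import Dict

# Constructed distribution for a static question such as "favourite colour":
# a handful of answers cover most users, so the question is easily guessable.
FAVOURITE_COLOUR: Dict[str, float] = {
    "blue": 0.30, "red": 0.15, "green": 0.14, "purple": 0.10,
    "black": 0.08, "yellow": 0.06, "orange": 0.05, "pink": 0.05,
    "white": 0.04, "other": 0.03,
}


def top_k_success(dist: Dict[str, float], attempts: int) -> float:
    """Probability that an attacker who knows the answer distribution and tries
    the most common answers first succeeds within `attempts` guesses."""
    probs = sorted(dist.values(), reverse=True)
    return min(1.0, sum(probs[:attempts]))


def uniform_success(pool_size: int, attempts: int) -> float:
    """Same probability for a question whose answer is uniform over `pool_size`
    values, e.g. a dynamic question generated from data the site already holds."""
    return min(1.0, attempts / pool_size)


def min_pool_size(attempts: int, max_success: float) -> int:
    """Smallest uniform pool such that `attempts` guesses succeed with
    probability at most `max_success`: a concrete 'large enough' criterion."""
    return math.ceil(attempts / max_success)


def compare(attempts: int, pool_size: int) -> Dict[str, float]:
    """Side-by-side success probabilities for the static and dynamic designs."""
    return {
        "static_favourite_colour": top_k_success(FAVOURITE_COLOUR, attempts),
        "dynamic_uniform_pool": uniform_success(pool_size, attempts),
    }


if __name__ == "__main__":
    # Assumed policy: lockout after 3 attempts; dynamic pool of 1000 answers.
    print(compare(3, 1000))  # {'static_favourite_colour': 0.59, 'dynamic_uniform_pool': 0.003}
    print(min_pool_size(3, 0.01))  # 300
```

The static question is compromised more than half the time within three guesses regardless of the lockout, while the dynamic design's risk scales down with the pool size, which is the trade-off the NCSC guidance asks site owners to weigh.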

Steven J. Murdoch

On the Bentham’s Gaze blog, UCL Royal Society University Research Fellow Steven J. Murdoch expands on the theme that companies should stop passing the buck to consumers. In a discussion of standard security advice that’s unfit for the real world, he provides some useful advice. For example, he says password re-use across sites is a bigger problem than choosing passwords that are simple enough to remember; he recommends remembering unique passwords for the few most important sites, such as banking and email, and using a password manager for the rest. Similarly, although security experts typically tell users not to write down or share their passwords, this is poor advice within the context of a family, where doing so can be important. Murdoch goes on to discuss the difficulties of giving good security advice when individuals have so little control over the quality of the security measures imposed on them by others such as banks, lenders, mobile phone handset manufacturers, and so on.

About Wendy M. Grossman

Freelance writer specializing in computers, freedom, and privacy. For RISCS, I write blog posts and meeting and talk summaries.