Ask better password questions

I just love how many Web sites take my complex, hard-to-guess password and make it as easy to crack as guessing my favorite color or the city of my birth. It seems nearly every Web site comes with user-accessible, self-service, password reset questions, and nearly all of those same sites make resetting or obtaining my password magnitudes easier than actually knowing my correct password. Thanks.

[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]

I can understand why Web sites want a user-based, self-service, password reset feature. Users who forget or mistype their passwords comprise one of the most frequent support requests. I've read many studies that place the cost of each help desk password reset assistance call at $60 to $90. I don't mind the self-service part; it's the incredible weakening of security that bothers me.

Most Web sites put forth a handful or two of weak questions that you must use. The Web site administrators think that the questions are personal enough that only the person who answered them would know the correct answers. The problem is that the questions are often information that is known by lots of people, or they contain information that can be found by searching on the Internet.

For example, one common question is, "Your birthplace city?" I mean, how many people know that besides the account holder? Well, how about that person's close friends, family members, spouse, old boyfriend or girlfriend, and anyone who has ever viewed any credit card application you've ever filled out? And let's not mention all the databases you can search online to find out the birthplace of any person.

How about being asked to fill in your mother's maiden name? Again, you can point to the same suspects as in the previous question, but now add genealogy databases to the mix. Another favorite weak question is, "Your favorite pet's name?" First off, dogs are the most popular pets, and you'd be surprised about how common most dogs' names are. Mark Burnett's book on passwords, "Perfect Passwords," has a list of the most common dog names. I was surprised to see my own dog's name, Abby, on the list. Mark's book also lists the most common colors, cities (that is, birthplace cities), and hobbies. 

If a Web site under your control has one of these password reset features that use self-service, weak security questions, make sure the questions are truly capable of being known by only one person. Assume that the person's closest loved one ends up being their worst enemy and is motivated to break into their account.

If you want to be assured of the strength of your question, or at least give the user a fighting chance of staying secure, let them choose and input the security questions. The self-service password feature page should educate the user in how to create truly secure security questions. Suggest some good examples.

If your Web site's password reset self-service feature doesn't allow custom questions, or can't be recoded and can use only precanned, weak questions, try to require multiple successful answers to multiple questions. The Web sites I see using this type of query often ask the user to select 5 to 10 questions to which they can input the answers. And when using the feature, the user must successfully answer 2 to 4 of the questions. This makes it a little harder for an unauthorized person to break into the account.

Of course, any password resets or changes should be sent to the e-mail address on record asking for confirmation before being committed. If an attacker has access to your e-mail account and knows the answers to multiple or custom security questions, your issues go well beyond the things a columnist can help you with.