The Weakest Link: “Forgot Your Password?”

Assume for a moment that I wanted to access some confidential files that belonged to you. You, having at least an ounce of sense (or an IT department that makes these decisions for you) have set a Windows password on your computer. How should I aim to access those files?

Well, there are a lot of ways. Here are a few:

  1. Install a keylogger on your system, wait a little while, then come back and search through the output looking for things that look like passwords, then try them. (Probably several hours, unless I’m really good at it.)
  2. Try to guess your password based on things I know about you, or try common passwords like ‘password1′ or ‘123456’, or look around your desk for sticky notes containing your password. (A few minutes, assuming it works—which is a comfortably low chance if you use a sensible password, but unfortunately a lot of people don’t.)
  3. Use software that will search for common passwords out of a dictionary or brute-force the password. (Probably days.)
  4. Boot up the system using a boot disc to bypass the Windows password, locate the files, and copy them to a flash drive. (About 5 minutes.)

Which do you think I’m going to pick? Obviously, the sensible choice is the one that’s the easiest, the lowest risk, and takes the least amount of time, which is number 4. If you look at these options, you’ll notice there’s something different about number 4: I have not broken the installed security system (by finding the password despite not being a legitimate user), I have bypassed it altogether. Instead of trying to find the password to the system, I’ve simply found a way to access those files that didn’t require me to know the password at all.

On web services, the bypass-the-password option comes in the form of that little link that reads “Forgot your password?” While this function is a godsend if you really have forgotten your password, without some care it makes it much easier for someone to access your account without your permission. This scenario is not the most likely way for your account to be compromised—nowadays it’s more likely that a poorly secured password database containing your information will be stolen and published on the Web. But if someone singles you out as a particular target for whatever reason (and it’s not as impossible as it seems), password resets are likely to be something they try. Fortunately, it’s not all that difficult to make password resets significantly more secure.

How Password Resets Work
Consider for a moment what happens when you use a password reset function. Usually the service does one or both of these things:

  • It sends a confirmation link to your email address, which will allow you to set a new password.
  • It asks you one or more security questions to “prove” your identity, set up when you opened the account, supposedly things that only you would know, then allows you to change the password.

I’ll look at each of these in turn.

Email Link Reset
Services that simply send a link to your email address are the simplest case. As a would-be hacker, all I have to do is gain access to your email account, and I can easily reset the password on another site that I don’t know the password to. This may not seem like a big deal—after all, I still need to access your email account—but most likely you have twenty or thirty different accounts that will all happily send password reset links to the same email address in the same day. So if I can gain access to your email account through whatever means, even if you have the best unique passwords set up on every other account, I can still access every one of them.

This is pretty simple to fix, though:

  • Never, ever reuse the password you use on your main email account for any reason. Even if you use the same password for everything else (which I don’t recommend, but if you must do it, you must), use a unique one for your email.
  • Make that password a strong one: at least 20 characters, using letters, numbers, and symbols, and nothing easily guessable, such as your phone number, spouse’s or pet’s name, zip code, birthday, and so on. (Actually, guessable things are not in themselves bad—but they need to be combined with something completely unrelated to be secure. Your birthday is a bad password; your birthday combined with a random dictionary word and the last four digits of your phone number when you were six is a good password.)
  • Set up two-factor authentication on your email account if you can. It’s extremely effective and surprisingly unobtrusive.
  • Make certain that you’ve always logged out of your email account when you’re done using it on a public computer. Not only does it help keep you secure on other websites, at least one court has ruled that it’s legal to read someone else’s email if they neglect to log out. If you ever do forget to log out, many services have an option to log out other sessions (in Gmail, if you click the “Details” link in the lower-right-hand corner of the page, there’s a button labeled “Sign out all other sessions”).
  • If you have an “alternate” email address set in your email account’s settings (for recovering the password to your email account), double-check that that account is also secured in the same way. From personal experience, I can attest that this is a “D’oh!” moment if it happens to you.

Some people recommend setting up a different email account reserved for signing up for web services (to keep password reset emails more secure). Personally, I’m too lazy to check my email at two different places (for obvious reasons, you shouldn’t have that mail forwarded to your other email address), and I’m confident enough in the security of my main email account that I’m not worried.

Security Questions
Some people think that security questions are an effective and useful security measure. They’re dead wrong.

Actually, security questions have become popular partly because of a misunderstanding of the theory behind two-factor authentication. In security theory, there are three ways to authenticate yourself: something you know (a password or something more unique like a series of pictures where you must choose the right one), something you have (a token that displays different numbers, a smart card, an RFID tag, or an encryption key on a flash drive), and something you are (a biometric reading such as a fingerprint scan, voice print,
or face recognition).

Two-factor authentication consists of using two different types of authentication (in most implementations, a password—something you know—and a token—something you have). However, people heard that two-factor authentication was good, decided that security questions were “two-factor authentication” because you had to authenticate two different ways, and “Wish-It-Was Two-Factor” authentication was born.

It is often said that “good” security questions have four characteristics:

  1. The answer cannot easily be guessed or researched.
  2. The answer doesn’t change over time.
  3. The answer is memorable.
  4. The answer is definitive/simple.

Looking at how tough those requirements (plus a fifth one, that the question needs to apply to most of your users) are, it’s no wonder that nearly all of the questions you see are bad!

Let’s look at where some common questions go wrong:

  • “What is your favorite movie?” This fails on count 2. You probably won’t need to reset your password for months if not years. By that time you’ve almost certainly forgotten what your favorite movie was at the time, if you even had a well-defined one to begin with. Even if you could somehow remember what your favorite movie was on any day during your life, you’d still have to remember when you created your account for that knowledge to be useful.
  • “What city were you born in?” This fails on count 1—it can be found easily in public records. Even if I couldn’t find it with some good research, it’s quite likely you’d give me this information if I asked you, as it doesn’t feel very sensitive.
  • “What is your date of birth?” This isn’t usually presented as a security question, but it is often used for verification. The majority of people have their birthday listed on Facebook, for one, and even if not, once again, it’s in public records. Alternatively, I could call you up and pretend to be conducting a survey or something similar and ask you for your birthday, and you’d probably give it to me.
  • “What is your favorite color?” This fails on count 1 in two different ways. First of all, there are only so many colors that people will describe as their favorite. If you simply type in “blue,” you’ll get it right a very good percentage of the time (according to one survey, a whopping 36 percent of the time averaged between genders). How many people are going to describe their favorite color as something that’s actually somewhat difficult to guess like “light chartreuse” or “burnt orange”? And when was the last time you asked someone what their favorite color was and they told you, “No, that’s private information”? If you can’t find it anywhere, you can just ask.

The Solutions

So what can you do about bad security questions? There are two options I like:

  1. Make up a fake identity of security questions, store them in a file or on a sheet of paper, and read off it anytime you need a security question. You can store it in your email account if you need to be able to access it anywhere (you made sure your email account was secure, right?). If you want to make it even more secure, you can make up answers that are completely unrelated to the question (e.g., “What is your favorite pet’s name?” / “Wal-Mart”). This takes a little while to set up, but you can feel confident that you’ll never accidentally reveal the answer to a question, and you have at least some security in the event that someone does discover the answer to one of the questions, as you don’t have to use the same one on every website. Here’s the list of 13 questions that I use (with my answers removed, of course).
  2. If that sounds too complicated for you (and for most people, it probably is), simply make up a password and enter it every time you are asked for a security question. It doesn’t matter one bit what the question is. (If you want to get a little bit more secure, you can add something to the password based on the name of the site or use two or three passwords based on the question. This password will never change (unless it’s compromised and you need to change it, of course), is always memorable and applicable to you, and is not researchable, since it’s not an answer, it’s a password.
Other options that are not as good as these but are at least better than nothing:
  • Replace letters with numbers or symbols in your answer as if it was a password you were attempting to obscure. This can usually be cracked easily by a password dictionary, but hopefully nobody will be trying a password dictionary on your security question, since it’s not supposed to be a password.
  • Even if you must use the actual question and answer with an actual answer, if you’re given the option to choose your own question, use it. But make it something good—it should pass those four guidelines at the beginning of the section for you.

I’ve had some fun in the past asking security questions like “What is 2 + 2?” and making the answer something that’s not even a number. The look on the face of a would-be hacker as he or she is informed that the answer is not 4 is priceless. (I was in the same room with a friend when she tried to access my Gmail account as part of a prank once.)

Here’s some more reading on security questions if you’re interested:
http://www.goodsecurityquestions.com/
http://stackoverflow.com/questions/104680/what-are-some-good-security-questions
http://malektips.com/online-account-security-question-dangers.html

Conclusion
All the good security questions in the world won’t save you from social engineering. In several high-profile cases, customer service representatives have allowed unauthorized users to access accounts even though they didn’t have the answer to the security questions. Of course, there’s nothing you can do about this—just do what you can and hope that none of the things you can’t fix get you in trouble. And if you’re in charge of a web service or business, make clear security guidelines and stick to them (I highly recommend The Art of Deception by Kevin Mitnick—it’s written specifically for businesspeople looking to improve their company’s security, but it’s very enlightening reading for anyone).

So what can you do right now? Most importantly, go to your email account right now and check your security. If you have weak security questions, change them. If you have an alternate email address, make sure it’s secure (or simply remove it from your account; it’ll make it a little bit harder if you really do lose your password, but it will increase your security). And if you don’t have a strong, unique password on your email account, change it! If you can only follow good password guidelines on one account, make it your email.

As for other sites, if you don’t want to go through and change all your security questions now, at least try one of these methods the next time you’re signing up for an account.