The Other Worlds Shrine

Your place for discussion about RPGs, gaming, music, movies, anime, computers, sports, and any other stuff we care to talk about... 

  • I really hate secret questions

  • Somehow, we still tolerate each other. Eventually this will be the only forum left.
 #153565  by Don
 Sat Jul 30, 2011 5:04 pm
Today I was trying to cancel my RIFT account and you need to give them your secret question to cancel. Of course I have no idea what it was, so I ended up calling them and they just asked for my address, account name, and date of birth and then canceled the account. I don't know about you, but I'd think it's easier to find out this stuff compared to my password. I think although security people are always talking about how passwords are obsolete, it's still surprisingly good as a mechanism. Unless your password is something like 'password' it is fairly difficult to defeat it by brute force, and even if it was possible there really isn't any reason why a potential hacker would devote time to crack your password when he can just go for guys with far more insecure passwords. The major hacking stuff we hear about generally consists of the server storing the password getting hacked, and in this case it wouldn't really matter how secure your password is, especially since some of the companies actually store passwords in plain text. A keylogger would obviously defeat any amount of password, so security there probably isn't going to help.

Now of course there are better ways to do security (two-factor authentication being the most common one), but I think secret questions are the least secure way to do it. I know my friends all know each other's secret questions if they actually picked an answer that's true as opposed to just using the secret question as another password field. After all if your secret question is 'where were you born' there really is only one correct answer to that assuming you're not lying, and this information isn't too hard to find or even guess. Another thing I noticed is that the answers to these secret questions are case sensitive, even though some of them can be answered as a phrase. So if the answer to your secret question is 'a and b', you could come back a few years later and not be sure if you typed 'b and a' or 'A and b' or 'B and a' or 'B and A' or 'A and B', or even 'a/b'. I find that to produce answers that are even halfway reliable I'd have to write them down, and if I have to write stuff down I can also produce perfectly secure passwords too, and of course writing anything down kind of defeats the purpose of being secure in the first place.

Although security isn't easy, if you just, say, ignore problems where any strength of password would be irrelevant (phishing, keylogger, etc), then I think this is a solved problem with well-known ways to make it practically impossible to beat by brute force. I understand security guys want to make stuff foolproof, but as someone said before, fools can be very resourceful. Outside of two-factor authentication, I find most security schemes don't really make you any more secure but it sure gets a lot more annoying.
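The case-sensitivity complaint above is a site-side design choice. As an added example (not from anyone in this thread, and not how RIFT does it), here is how a site could accept 'A and B', 'a and b' and extra spaces as the same answer while still storing only a salted hash of it; the normalisation rules and PBKDF2 settings are my own assumptions.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional, Tuple

# Added example: normalise a free-text secret-question answer before hashing it,
# so harmless variations in case, spacing and punctuation still match, while
# a genuinely different answer ("b and a") does not.

def normalize_answer(answer: str) -> str:
    """Canonicalise an answer: NFKC, casefold, punctuation to spaces, collapse whitespace."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", " ", text)   # 'a and b.' -> 'a and b '
    return " ".join(text.split())          # '  a   AND b ' -> 'a and b'

def store_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for the normalised answer; the site keeps only these."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, 200_000
    )
    return salt, digest

def check_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest for the candidate and compare in constant time.

    A True result should only trigger a reset e-mail, never change the password directly.
    """
    _, cand = store_answer(candidate, salt)
    return hmac.compare_digest(cand, digest)

if __name__ == "__main__":
    salt, digest = store_answer("A and B")          # constructed sample answer
    for attempt in ["a and b", "  a   AND b ", "A and B.", "b and a", "a/b"]:
        print(repr(attempt), check_answer(attempt, salt, digest))
```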
 #153579  by Lox
 Sat Jul 30, 2011 11:07 pm
Using "secret" questions to reset a password is ok as long as it only generates an email to you that lets you change your password since you've, hopefully, kept your email password secure and unique. If the site lets you change your password on the spot based on the questions, that's a big problem.

Because secret questions aren't really secret (even though everyone acts like they are), I tend to create answers to the most common questions that are not correct and then I use those anywhere they are required. It's the same way we act like social security numbers are these perfect, secret identifying numbers when, in reality, every company probably has mine on file and anyone can get access to it.

I've been using a completely unique password for every site I visit for a few months now. I come up with mnemonic devices to remember them and it's worked pretty well. I also keep the passwords stored in an encrypted file using KeePass which requires an insanely long, non-dictionary password plus a key file to access, so I am pretty confident no one is getting into it. Then, if I do forget a password, I can access my KeePass file to look it up.
 #153580  by Don
 Sat Jul 30, 2011 11:40 pm
I was pretty surprised the secret question was actually used as a method to authenticate who you are. I can't even log in to my account without my secret question after I provided the correct password.

Using KeePass is just like a more secure way of writing stuff down. It's got its own problems like what if those guys ever got hacked, or what if you ever forgot your complicated password. One of the guys giving a presentation on security says he's got like 100 unique passwords and if for whatever reason he can't access his KeePass he's totally screwed because he obviously cannot remember them all, but he doesn't really have a better way to go about it. I'm not sure if sending reset stuff to your email address with weak credentials is a good idea for web email since it's not like standard email where if you downloaded something nobody else can see it, so someone may have had your email address password and it'd never occur to you that someone else is logging in to your account.

I suppose you can use secret questions like another password, like say the answer is always "Megaman" for any question, but then you're just remembering two passwords and there's no reason to believe 2 is better than 1. If you mean to put different, incorrect answers then chances are you'll eventually forget that your favorite color is "Megaman" at some point unless that's the only answer you use for those. I know I've tried to create clever answers to those questions only to come back a few months later and have absolutely no idea what I was thinking at that time. At least nobody is going to get in either!
 #153589  by Kupek
 Sun Jul 31, 2011 9:15 am
Bruce Schneier: Write down your passwords.
Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.
 #153590  by Lox
 Sun Jul 31, 2011 9:27 am
Kupek wrote: Bruce Schneier: Write down your passwords.
Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.
Very good point. It's not like someone is going to break into your house to find your secret passwords sheet. haha

That reminds me... I really need to write down all of my passwords and put them somewhere that my wife can get to in case something ever happened to me and she needed access to our accounts.

Don, as for KeePass, they aren't storing your passwords on their servers. It's just a small application (I use the portable version) that loads a file that you maintain. If you want you can keep that file in a Dropbox folder or something. I keep it on my phone and use a mobile version of KeePass.