chris.heald.me


My personal blog. Software, devops, security, music, and general nerditry.


Stop using social information as passwords and security questions!

Hacked! I have a friend who recently had several of his online accounts compromised. The attackers weren’t particularly clever, didn’t use any special tools, didn’t install any viruses on his computer. All they needed was to see his public Facebook profile. From that, they were able to divine his birthday and security question answer - all that was needed to get into the mail account - and from there, they had access to every account online that he’d registered to that email address.

The problem is this: Your email is a de facto master password for everything you do online that’s tied to it. This means your MySpace account, your instant messenger account, maybe even your bank account. Once someone knows your email, they can start to attack weak points in your account. Hiding your email isn’t practical, so you need to make sure that your passwords and security question are rock solid secure.

A “security question” is a question that you provide an answer to, so that you can recover your password if you ever forget it. For example, a site might ask you to answer the question “What is your favorite color?” in order to start the password reset process. The concept is that by providing an answer to a question that only you would know, you create a “backup” password that you’ll be able to remember.

An extremely common “security question” might be something like “What is your mother’s middle name?” or “What street did you grow up on?” While these might have been reasonably secure in the past, they’re horribly insecure these days. The saturation of social information on the web makes it extremely easy to research these questions and arrive at answers in seconds. Facebook notes connections between yourself and your relatives, so how hard would it be to find your mom on Facebook, and then Google her name, or find one of her parents on Facebook?

In the case of a “favorite color” question, the answer probably isn’t going to show up explicitly on your social networking profiles, but an attacker still has two direct attacks. First, look at how you’ve customized colors on your profile page. Do you use purple heavily? Maybe you have a fondness for green text. That has a strong potential to betray your answer. If that fails, the attacker has a pretty small set of potential answers - most people would answer that question with one answer in the set “black, blue, green, orange, pink, purple, red, yellow, or white”. 9 attempts and an attacker will be into the account in no time.

Famously, Sarah Palin, the Republican vice presidential nominee, recently had her Yahoo! email account compromised. The attacker simply had to answer a single security question to gain access to her account: “What is my zip code?” How hard do you think it would be to find the address of a government official with Google? Might take six, maybe seven seconds tops?

If you’re at all active online, there’s a lot of info about your social connections, family, pets, housing history, the works. Someone determined to get into one of your accounts won’t have a hard time finding your dog’s name (Ever put their name into a caption on one of your Facebook or Photobucket pictures?). Many, many people use pet names, pastimes, relatives’ names, and other social information as passwords and security questions. It’s no longer secure.

The solution is to choose passwords and security questions that are nonsensical. The best passwords are 8+ characters, and consist of upper and lower case letters, a number, and possibly even some punctuation. If you have problems remembering nonsensical passwords, then use a transformation scheme. Presume that your password is “jeremy”, your brother-in-law’s name. Maybe your rule is that you shift each letter two down, and capitalize the third letter.

j -> l
e -> g
r -> t
e -> g
m -> o
y -> z

Your new password is “lgtgoz”, and if you capitalize the third letter, that becomes “lgTgoz”. It’s still not optimally secure, but it’s far, far better than it was before. Nobody is going to guess it, and you can still remember it by just remembering “jeremy” and your rule.

Ideally, you’ll use a different password for every login, always pick 8+ character passwords with a diverse character set, and have them be completely randomized. In reality, people don’t want to bother with that kind of maintenance, but at the very least, stop using social information for your security questions, passwords, and the like.
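An added example, not code from the original post: one way to produce the randomized 8+ character passwords and nonsensical security-question answers recommended above, using Python's `secrets` module, alongside a comparison with the nine-answer “favorite color” guess space. The function names, the default length of 16 and the 12-byte answer size are assumptions made for this illustration.

```python
import math
import secrets
import string

# Character classes the post recommends mixing into a password.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

# The nine likely "favorite color" answers listed in the post.
COLOR_ANSWERS = ["black", "blue", "green", "orange", "pink",
                 "purple", "red", "yellow", "white"]


def random_password(length=16):
    """Return a random password that contains every character class."""
    if length < 8:
        raise ValueError("the post's minimum is 8 characters")
    alphabet = "".join(CLASSES)
    # One guaranteed character per class, the rest from the full alphabet.
    chars = [secrets.choice(c) for c in CLASSES]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with the OS CSPRNG so the guaranteed characters are not
    # always in the first four positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def random_answer(nbytes=12):
    """Nonsense security-question answer; store it like a password."""
    return secrets.token_urlsafe(nbytes)


def guess_bits(choices, length=1):
    """log2 of the number of equally likely candidates (an upper bound)."""
    return length * math.log2(choices)


if __name__ == "__main__":
    print("favorite color :", round(guess_bits(len(COLOR_ANSWERS)), 1), "bits")
    print("8 random chars :", round(guess_bits(94, 8), 1), "bits")
    print("password       :", random_password())
    print("security answer:", random_answer())
```

Because nobody can memorize output like this for every site, keep the generated passwords and answers in a password manager rather than reusing them.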
