
Tighten the Security of "Security Questions"

Some of you may remember David Kernell's 2008 break-in to Sarah Palin's email account. The Wikipedia article describes how it was done:

The hacker, David Kernell, had obtained access to Palin's account by looking up biographical details such as her high school and birthdate and using Yahoo!'s account recovery for forgotten passwords.

Since then, I have changed how I answer these "security questions" on websites, applying what I know about security and cryptography. Here's how I handle them now:

  1. Generate a random string of characters, known as a "salt". Something like "Ga0Au1Ieshea".
  2. Answer the question. If the question is "What is your mother's maiden name?", suppose the answer is "Smith".
  3. Apply MD5(salt+answer). In this case, it would be MD5(Ga0Au1IesheaSmith) which results in "28e03f4c2d90b8c1120bf541927976f1".

So, when the site is asking you "What is your mother's maiden name?", the answer you would provide is "28e03f4c2d90b8c1120bf541927976f1".

Obviously, there are a couple of concerns you should be aware of. First, the form field might have a character limit. Adjust accordingly: you could provide the first x characters, based on the restriction. Personally, I've never seen this restriction, but I certainly won't say it hasn't been implemented. Second, it's critical that you generate a strong random salt and that you keep the salt private. If the salt is known or weak, the whole scheme falls apart, and you're no better off than just providing the answer to the question.

But if you do everything correctly, then you have tightened down these lame "security questions", and the attacker will be no more successful than at hacking your account password. And because a cryptographic hash function is deterministic, the output will always be the same for the same salt and answer. Feel free to use SHA1 or some other hashing algorithm instead of MD5.

9 Comments

  1. Christer Edwards | March 5, 2012 at 4:44 pm

    Get someone to write a browser plugin to automate this.

  2. tensai | March 5, 2012 at 5:19 pm

    I just do the same thing I do for all passwords: generate them randomly (or semi-randomly, as seems appropriate) and write them down in a password database. I just make sure to note which of the questions I gave an answer to.

  3. Richard | March 5, 2012 at 5:26 pm

    Websites usually handle the answers to these security questions case-insensitively. So by using a hash-based answer be mindful that you're forced into case-sensitivity with your plaintext (including the salt), i.e. the words "Smith" and "smith" are no longer equally acceptable answers.

  4. Aaron Toponce | March 5, 2012 at 8:58 pm

    Richard: Good point. I guess you'll have two hashes to choose from then, if you can't remember whether or not your mother's maiden name starts with an uppercase 'S' or a lowercase one.

  5. Ricardo N Feliciano | March 6, 2012 at 5:38 am

    Curious, how would you say your idea stacks up against using the password? I usually use my password, or maybe my previous password (I change them every 6 months), as the answer to security questions.

    I ask because using a salt, and keeping it private, is sort of like having a password anyway.

    In my opinion, sites that force security questions (usually banks for me) actually weaken the security on my account, as in the example you provided.

  6. Aaron Toponce | March 6, 2012 at 6:18 am

    I wouldn't recommend using your password as the answer to these forms, for two reasons. First, the point of these forms is in the event that you have forgotten your password, you can recover it. Second, the password SHOULD be hashed with a salt on disk by the provider. The answer to the security questions probably isn't. So, providing your password in all fields could potentially open your account up for attack by the site administrators. Further, because these form fields are not encrypted, providing answers in the clear could build up an identity about yourself. Best to hash the answers, IMO.
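The provider-side point in the comment above (passwords are salted and hashed on disk, security answers usually are not) as an added Python example; this is not the commenter's code, nor any site's real storage scheme. It stores a security answer the way a password should be stored: normalized so the site can stay case-insensitive, then PBKDF2-HMAC-SHA256 with a per-record random salt, verified with a constant-time compare. The `store_answer`, `verify_answer` and `normalize` names and the iteration count are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 200_000  # example work factor; tune to the deployment


def normalize(answer: str) -> str:
    """Sites treat answers case-insensitively; do it before hashing, not by
    keeping the plaintext around."""
    return " ".join(answer.split()).casefold()


def store_answer(answer: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """What the provider writes to disk: salt, iteration count and the digest.
    The plaintext answer is never stored, so a database leak or a curious
    administrator gets only the digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                                 salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_answer(record: Dict[str, object], candidate: str) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode("utf-8"),
                                 bytes.fromhex(str(record["salt"])),
                                 int(str(record["iterations"])))
    return hmac.compare_digest(digest, bytes.fromhex(str(record["hash"])))


if __name__ == "__main__":
    rec = store_answer("Smith")          # constructed sample answer
    print(rec)
    print(verify_answer(rec, "smith"))   # True: case folded before hashing
    print(verify_answer(rec, "Jones"))   # False
```

Because each record carries its own random salt, two users with the same answer still get different digests, and the user-side hashing from the post composes with this unchanged: whatever string the user submits is simply the "answer" that gets normalized and hashed here.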

  7. Alan Pope | March 6, 2012 at 8:36 am

    I just lie when asked security questions. Much easier 🙂

  8. Steve Spigarelli | March 6, 2012 at 8:48 am

    Of course, the only time this falls down is when you need to provide a valid representative with your security question's answer. For password recovery and such this makes a lot of sense.

  9. Aaron Toponce | March 6, 2012 at 11:49 am

    This doesn't fall apart at all. It just makes it slightly more difficult to read over the phone.
