Password Managers and Security Questions

July 24, 2015

Nowadays, with all the website hacks and the user credentials being leaked, a password manager is one of your most valuable assets. It lets you use a different, ridiculously long and completely random string as the password for every website you visit.

That way, even if a website is actually hacked and the attackers retrieve the password hashes, it would take them billions of times the age of the universe to crack your password. And even if they managed to do that, or if the website stored the passwords in plain text, the password would be of no use to them.

After obtaining such a large password database, attackers try the same e-mail and password combination on other services, such as Gmail, Facebook, etc., hoping that you reused your password. But that does not work against you: a different password is used every time.

But what if the attackers didn’t have to crack your super long password in the first place? What if they didn’t even have to hack the website and obtain the database? What if they simply had access to the answers to your security questions?

“What was the model of your first car?” or “What’s your grandmother’s middle name?” are actual security questions used by online services, including some critical ones. In the age we live in, all this information is available to literally everyone with access to Facebook. We hand this information to everyone, yet at the same time use it as a key to our accounts.

Google, Apple and Facebook have started moving away from this kind of weak authentication. Other companies are yet to follow. What can you do in the meantime? How can you protect yourself from weak security questions?

What I do in these cases is pick a random question, and then generate a 50-character long string of lower and upper case letters, numbers and symbols. Afterwards, I save both in my Password Manager of choice, 1Password.

Using this technique, I end up with results such as this one:

What is the name of your first school?

DzLCMpeyuAhAT>RgTuvJPna2s3K)8dUM^V$(QUNu#omuByCvJ8

Even if someone knows the name of my first school, they simply cannot know the answer I actually gave to this question instead of it.

Now with this little background information about my choices of security question answers, let me tell you a story from today.

I was trying to log in to a service I had not used for months. For some reason, I could not log in to the service using the saved credentials, and since I was left with only one attempt, I decided to contact support.

I used the Live Chat functionality, and after some time waiting for an agent, I managed to read a warm Hello. I simply described the problem, which was my inability to log in. The Customer Support Agent kindly requested my birth date, which I had provided to the website upon registration. After that, he asked for something he had better not have asked for: the answer to my security question.

What was the model of your first car?

I paused for a second, and then replied back to him:

These questions were assigned completely random answers.

In the form of sequences of digits and letters

Let me see if I can find them real quick

Apparently, this was something new to him, so his reply was:

wow

how would you ever recall that?

To which I simply replied,

Security Questions are a weak second factor of authentication.

I use a Password Manager

He then proceeded to tell me what the issue was:

This is the issue

This is why you cannot login.

You used a code generator, but not for a code.

I couldn’t exactly understand that last one, so I asked for a clarification:

What do you mean?

To which I got a reply:

This is the idea, that a secure answer is not a code, it’s an easy detail to remember in order to reset a code.

So apparently, a code is a password. My mistake was using a Password Generator for some place I shouldn’t. I replied to this by providing more details:

Yes, but other people can discover it that way.

My first car model is on Facebook

This last sentence is not true, since I do not have a Facebook account, but it could easily be true for 99% of the other customers.

The reply I got was:

Oh

I see

I then provided the answer to my actual security question:

This is the answer to my Security Question:

VZ@DXY^qCGQn9kQM3vaLLNq;UjGNdRQ==dyT2,Qw7vmaBAa;pm

Weird car model, eh?

He then asked me to perform something urgently:

I need you to do something urgently

I need you to login as we chat.

and reset a secure answer,

A real secure answer.

The problem was indeed fixed and I was able to log in again. Then, the Customer Support Agent added a few words of wisdom:

Now remember that

If you hide something so well that you cannot find it, it had better be a nuclear war head.

At which point I decided to make use of my live chat time to ask one last question:

Can I do ‘X’ with ‘Y’?

Of course, the reply was helpful:

As long as you did not encrypt your ‘Y’ access too well.

Yes, you can do it here. Click here for more information.

My problem was fixed after all. But I was disappointed. Not because of the irony in that last part, but because of the lack of education some people have. And these people are not to be blamed. It’s not always their fault. It is our fault too. We fail to educate people about the basic security practices they must follow online to stay safe. Everyone knows that locking their house’s door with a lock and a key increases their security. But nobody knows the equivalent in the digital world. And with the tremendous impact of technology on our daily lives, we must start learning how to secure our digital house too.

Companies must invest in real security and not follow “tradition” when designing a service. Tradition is just too old for technology. Things change so rapidly that even a month is considered a huge time frame in some cases, let alone the 10 years or so during which Security Questions have been used almost everywhere.