



A quick fix for stupid password reset questions

Sep 27, 2016 | 4 mins

Authentication | Cybercrime | Data and Information Security

This ridiculous feature is a major vulnerability. If you're forced to use it, here's how to make it more secure

It didn’t take 500 million hacked Yahoo accounts to make me hate, hate, hate password reset questions (otherwise known as knowledge-based authentication or KBA). It didn’t help when I heard that password reset questions and answers — which are often identical, required, and reused on other websites — were compromised in that massive hack, too. 

Is there any security person or respected security guidance that likes them? They are so last century. What is your mother’s maiden name? What is your favorite color? What was your first pet’s name?

The “hardest” (if I can use that term) questions may have up to 100 or 200 possible answers, and only if you aren’t forced to choose predefined answers. Thanks to the advent of social media and online (often illegal) record-check websites, these questions aren’t difficult to guess.

For decades we’ve known that password reset questions were the weakest link within any authentication system. Hackers love them. While the passwords they supposedly protect may have a decent level of complexity and entropy, a KBA question answer almost always lacks both.

You probably remember the Sarah Palin email hack. The convicted hacker described hacking the KBA questions as so easy that he couldn’t call it hacking — apparently, he used a Wikipedia article to find Palin’s birth date, a common security question at the time. Mitt Romney’s account got compromised due to knowledge of his favorite animal.

Even very good security researchers and reporters get KBA-hacked. No matter how good you are at security, you’re left with no security if a website requires you to use weak KBA questions and answers.

What to do when you’re forced to use KBA

Millions of websites and services often require that we use KBA systems. If you want an account, you must supply at least one (often three) KBA answers (sometimes questions, too).

Here’s what you do: Treat the KBA answers like a password. If you’re asked for three KBA questions and answers, make all the answers separate, nonsensical, and passwordlike.

Never put in the real answer. Don’t even put in possible fake answers that look realistic. A hacker will have an easier time guessing that your favorite answer is aardvark than SimpleMan7!.

What I’m saying is to invent separate “passwords” for each KBA question, and make sure you don’t repeat them between websites or services (although I am OK with using the same KBA password answer for all questions on the same site if allowed). In my experience, most websites requiring KBA answers don’t track to see if your answers are unique between questions, but about 25 percent do.

You don’t want to use the same KBA answers between different sites — if one website gets owned (like Yahoo did back in 2014 … and you’re finding out about it now), the attacker might try using your KBA on other websites they haven’t hacked. That’s what I’d do if I were a malicious hacker.

Yes, this means you have to write down your KBA questions and answers for each website, in the same way you might already store your current passwords. Hopefully you never store your password in complete, plaintext form, although I guess you’d have to do so with password storage methods that autofill your answer. I don’t trust password storage systems any more than I do KBAs.

Most sources that recommend stronger KBA answers also suggest using answers that hackers would never guess. That’s not enough. You need to make sure the answers aren’t anywhere near any possible real response (for example, a complex string of characters) and remember not to reuse them between websites.
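To make the advice above concrete, here is an added example (not the author's code, and not tied to any particular website) that does three things: it compares the entropy of an answer drawn from a small predefined list with that of a random password-like answer, it generates per-question answers with a CSPRNG, and it checks a small "vault" for the one thing the column forbids outright, the same answer reused across different sites (reuse across questions on a single site is allowed, as the author permits). The 200-answer space, the character set, and the site and question names are assumptions made for the illustration; real sites may restrict which characters a KBA answer can contain.

```python
import math
import secrets
import string
from collections import defaultdict

# Character set for generated answers. Assumption: the site accepts these
# characters; some sites only allow letters and digits, so trim as needed.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def entropy_bits(space_size: int) -> float:
    """Bits of entropy in an answer chosen uniformly from space_size possibilities
    (e.g. a predefined list of ~200 favourite colours or pet names)."""
    return math.log2(space_size)


def random_answer_entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Bits of entropy in a uniformly random answer of `length` characters."""
    return length * math.log2(len(alphabet))


def generate_kba_answer(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Generate a password-like KBA answer from the OS CSPRNG (secrets module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_password_like(answer: str, min_length: int = 12) -> bool:
    """Reject answers that could pass for a real response: too short, or made of a
    single character class (a plain dictionary word such as 'aardvark')."""
    if len(answer) < min_length:
        return False
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit)
                  if any(test(c) for c in answer))
    if any(not c.isalnum() for c in answer):
        classes += 1
    return classes >= 2


def fill_kba(site: str, questions: list, vault: dict,
             same_answer_per_site: bool = False) -> dict:
    """Record one generated answer per question for `site` in `vault`.

    vault maps site -> {question: answer}. Generated answers never repeat an
    answer already used on another site; within one site they are distinct
    unless same_answer_per_site is True.
    """
    used_elsewhere = {a for s, qa in vault.items() if s != site for a in qa.values()}
    answers = {}
    shared = None
    for q in questions:
        if same_answer_per_site and shared is not None:
            answers[q] = shared
            continue
        while True:
            candidate = generate_kba_answer()
            if candidate not in used_elsewhere and candidate not in answers.values():
                break
        answers[q] = candidate
        if same_answer_per_site:
            shared = candidate
    vault[site] = answers
    return answers


def find_cross_site_reuse(vault: dict) -> dict:
    """Return {answer: sorted sites} for every answer that appears on more than
    one site. An empty dict means no cross-site reuse."""
    sites_by_answer = defaultdict(set)
    for site, qa in vault.items():
        for answer in qa.values():
            sites_by_answer[answer].add(site)
    return {a: sorted(s) for a, s in sites_by_answer.items() if len(s) > 1}


if __name__ == "__main__":
    print(f"200 predefined answers: {entropy_bits(200):.1f} bits")
    print(f"20 random characters:   {random_answer_entropy_bits(20):.1f} bits")

    # Constructed vault: a real-looking answer reused on two sites (the bad case).
    bad_vault = {"mail.example": {"pet": "aardvark"},
                 "bank.example": {"color": "aardvark", "pet": "Fluffy"}}
    print("reuse found:", find_cross_site_reuse(bad_vault))

    good_vault = {}
    fill_kba("mail.example", ["pet", "color", "school"], good_vault)
    fill_kba("bank.example", ["pet", "color"], good_vault, same_answer_per_site=True)
    print("reuse found:", find_cross_site_reuse(good_vault))
```

The entropy comparison is the quantitative version of the column's point: a 200-item answer list is under 8 bits, which an attacker can exhaust by hand, while 20 random characters from this alphabet is over 120 bits. Store the generated answers wherever you store passwords; the vault dictionary here stands in for that store.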

I know it’s a pain, so remind those websites what century we’re in and make them start using two-factor authentication instead. That way your embarrassing pictures or personal emails won’t end up on the web because your provider was horrible at security.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
