[unisog] Password Reset Procedures - How do you do it?

Gary Flynn flynngn at jmu.edu
Mon Jun 8 12:30:46 GMT 2009

John Ladwig wrote:
> On Sat, Jun 06, 2009 at 06:52:04AM -0400, John Grover wrote:
>> One idea I got from it that I hadn't considered before is that the questions
>> should be opinion based because it may be harder for me to know your opinion
>> of something than to know a fact about you.
> How do you deal with considerations of opinions changing over time?
> "What is your Favorite ..." questions have been a problem for me in
> the past, and I've seen others report the same issue. 

I don't think there is a wrong or right answer to this. Actually,
there are probably multiple wrong answers. The idea of using
unadulterated answers to simple questions of any type as
replacements for passwords without a second factor (e.g. an
alternate email account or cell phone) is rather comical if you
think about it.

If you use fact based questions, you risk one or more of the following:

1) Inadvertent or intentional collection of personal information.
    I'm not sure it's a good idea to store personal information about
    people other than the customer (e.g. sibling birthdays, maiden
    names). Or a mass of personal information in general.

    (And watch out for user chosen questions and answers. We've had
     people ask 'What is my SSN' and other sensitive questions)

With either fact or opinion based questions you risk:

2) Information that is directly obtainable through the many search
    engines or social networks.

3) Facts that are limited in choices or can be limited by #2 so that
    the answers are relatively easy to guess.

The situation is worse for high value targets that may lead
a motivated attacker to use for-pay services to find fact based

Bottom line is that secret questions are pretty silly if implemented
so they're easy to use. They're static passwords that break every
password best practice. I don't think they should be used for high
value/high risk targets by themselves. Some things shouldn't be
easy or convenient when the subject is responsible for protecting
constituent or organizational data or services. Personally, when
forced to provide one, I've been providing answers having nothing
to do with the questions.

OTOH, for low value/low risk targets, they may be just fine and the
question of opinion vs fact may be determined primarily by
the one that is most accurately remembered by the user as long
as the questions are carefully considered so as not to collect
personal information or limit the choices.

A recent paper explored the effectiveness of secret questions:


There was a recent thread about secret questions on the Educause
Security list entitled 'Challenge/Response questions' at:


It contained more links to papers on this topic.

Gary Flynn
Security Engineer
James Madison University
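As an added example that is not part of Gary Flynn's message or of the thread, the following Python script puts rough numbers on point 3 above (a limited answer space under an account-lockout policy) and on the way point 2 (search engines and social networks) shrinks that space further. The answer distributions, the lockout threshold of 5, the 10,000-account population and the two "candidate" surnames are all constructed assumptions for illustration, not survey data.

```python
"""Added example, not part of the original post or thread.

Estimates how guessable a secret-question answer is for an online attacker
who is limited by an account-lockout threshold.  Every distribution, the
lockout value and the account count below are constructed, illustrative
numbers, not survey data.
"""
from __future__ import annotations

import math
from typing import Dict, Iterable, List, Optional

# Catch-all bucket for answers outside the attacker's list.  It is not a
# single guessable value, so it is never counted as a hit.
OTHER = "other"

# Constructed distributions (hypothetical).  Keys are normalised answers.
FAVORITE_COLOR: Dict[str, float] = {
    "blue": 0.30, "green": 0.18, "red": 0.14, "purple": 0.10, "black": 0.08,
    "orange": 0.05, "yellow": 0.05, "pink": 0.04, "white": 0.03, OTHER: 0.03,
}
MOTHERS_MAIDEN_NAME: Dict[str, float] = {
    "smith": 0.010, "johnson": 0.008, "williams": 0.007, "brown": 0.006,
    "jones": 0.006, OTHER: 0.963,
}


def ranked_guesses(dist: Dict[str, float]) -> List[str]:
    """Attacker's best guess order: most common answer first."""
    return sorted((a for a in dist if a != OTHER),
                  key=lambda a: dist[a], reverse=True)


def success_probability(dist: Dict[str, float], attempts: int) -> float:
    """P(a hit within `attempts` guesses) against one account."""
    return sum(dist[a] for a in ranked_guesses(dist)[:attempts])


def attempts_for(dist: Dict[str, float], target: float) -> Optional[int]:
    """Fewest guesses reaching `target` success probability, or None if the
    guessable mass (everything outside OTHER) never gets there."""
    total = 0.0
    for k, a in enumerate(ranked_guesses(dist), start=1):
        total += dist[a]
        if total >= target - 1e-12:
            return k
    return None


def min_entropy_bits(dist: Dict[str, float]) -> float:
    """Min-entropy, -log2(max p): the figure that matters against an
    attacker who always leads with the most common answer."""
    return -math.log2(max(dist[a] for a in ranked_guesses(dist)))


def expected_compromises(dist: Dict[str, float], attempts_per_account: int,
                         accounts: int) -> float:
    """Spray the top answers across a population.  Lockout is per account,
    so the haul scales with the number of accounts, not with the lockout."""
    return accounts * success_probability(dist, attempts_per_account)


def narrow(dist: Dict[str, float], candidates: Iterable[str]) -> Dict[str, float]:
    """Model point 2 limiting point 3: the attacker has learned from search
    engines or social networks that the answer is one of `candidates`, so
    the remaining probability mass is renormalised over just those."""
    kept = {a: dist[a] for a in candidates if a in dist and a != OTHER}
    mass = sum(kept.values())
    if mass <= 0.0:
        raise ValueError("no candidate has any probability mass")
    return {a: p / mass for a, p in kept.items()}


def uniform_success(bits: float, attempts: int) -> float:
    """Baseline: a real password-like secret with `bits` of entropy."""
    return attempts / 2.0 ** bits


if __name__ == "__main__":
    LOCKOUT = 5          # assumed guesses allowed before the account locks
    POPULATION = 10_000  # assumed number of accounts an attacker can spray
    for name, dist in (("favorite color", FAVORITE_COLOR),
                       ("mother's maiden name", MOTHERS_MAIDEN_NAME)):
        print(f"{name}: min-entropy {min_entropy_bits(dist):.2f} bits, "
              f"P(hit in {LOCKOUT}) = {success_probability(dist, LOCKOUT):.3f}, "
              f"guesses for 50% = {attempts_for(dist, 0.5)}, "
              f"expected compromises over {POPULATION} accounts = "
              f"{expected_compromises(dist, LOCKOUT, POPULATION):.0f}")
    # Assumed: a social-network profile names two relatives' surnames.
    narrowed = narrow(MOTHERS_MAIDEN_NAME, ["johnson", "jones"])
    print(f"maiden name narrowed to 2 candidates: P(hit in 1) = "
          f"{success_probability(narrowed, 1):.3f}")
    print(f"40-bit random secret: P(hit in {LOCKOUT}) = "
          f"{uniform_success(40, LOCKOUT):.2e}")
```

Two things the numbers make concrete: a per-account lockout does not bound an attacker who sprays the single most common answer across a whole user population, and a question whose raw answer space looks large (surnames) collapses to a coin flip once public profile data narrows it to a handful of candidates. Both are reasons to treat an answer, if it must be kept at all, exactly like a password (normalised, salted and hashed, never used alone for a high value account).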