Elton Hay spotlights the problems associated with the challenge question approach to forgotten passwords

One way to look at the issue surrounding the strength of passwords is to see the account access process as having two paths.

The first path asks the question: "what is your password?" and if the user supplies the correct answer they are let in. If the second path is taken - usually if the user cannot remember the answer to the first question - they get another question, the challenge question. Get the answer right and access is granted - after supplying a new answer to the first question.

Either path asks a question and the strength of the answer determines the strength of the authentication - and the two strengths should be comparable.

The weak link

The core issue is how to make the challenge question and answer path as strong as the password path. While user-supplied questions and answers can be constructed to be very strong (even stronger than system-supplied questions), in practice they tend to be very weak. The user is usually in a hurry, and will often do something quick and simple so that they can get on with their real business.

By having the system supply the questions, the form of the answer can be controlled to some degree, and its strength becomes more predictable and, in most cases, greater than that of a user-supplied question and answer.

Questions like "name of country and city of birth (e.g. Sydney, Australia)" presuppose an answer of at least two words - a significant increase in complexity already. Supplying an example answer with each question also predisposes the format of the answer. Questions like 'full name of mother' also usually entail two or more words.

Today, systems are deployed on a worldwide basis. Not only do you need to have all the various language translations, you also need to be sensitive to gender, age, race, ethnic, political, religious, geographic and similar issues. Questions like "mother's maiden name," "name of high school last attended," "your father's middle name" are not appropriate in all parts of the world.

In fact, it has proven rather difficult to come up with questions that do not offend someone somewhere at some time. After some trial and error and constructive feedback, I have found questions that are more or less acceptable.

These questions tend to have an answer that is a location, the full name of a relative, the name of a company or the name of a work of literature. While there are some issues with each of these categories, they tend to be fairly neutral and result in complex answers. The answers are still subject to a dictionary attack, but the dictionary of places, people's full names, company names and works of literature is significantly larger than a dictionary of favorite colors or names of pets.

Providing protection

An additional approach that is being used by some systems is to ask not one, but several questions. The system will have a set of questions (say 12), the user is asked to answer some subset (e.g. seven) and when the time comes, the system asks for the answers to a randomly chosen subset (maybe four) of these previously answered questions.

The combined strength of answering several questions is much stronger than answering only one, and the sub-setting and randomness adds a level of complexity that helps deter hacking. By using multiple questions, one can build up the composite strength to match the comparable strength of the password.
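As an added example (not the article's own code), here is one way to implement the scheme just described in Python: the user enrols answers to seven of twelve system-supplied questions, the system later asks a random four and grants access only if all four are right. The question wording, the normalization rules and the hash parameters are my assumptions; the answers are stored salted and slow-hashed like passwords, since they are, in effect, a second password.

```python
"""k-of-n challenge questions: enrol several answers, challenge with a random subset.

Added example, not the article's own code. The bank of 12 questions, the
7-of-12 enrolment and the 4-question challenge follow the figures in the text;
the question wording and the answer-normalization rules are assumptions.
"""
import hashlib
import hmac
import secrets
import unicodedata

# Constructed question bank (hypothetical wording), favouring answers that are
# places, full names, companies or works of literature, as the article suggests.
QUESTION_BANK = {
    "q01": "City and country of birth (e.g. Sydney, Australia)",
    "q02": "Full name of your first employer",
    "q03": "Title of the first book you remember reading",
    "q04": "City and country where you first worked",
    "q05": "Full name of a grandparent",
    "q06": "Name of the publisher of your favourite newspaper",
    "q07": "Full name of the first school you attended",
    "q08": "Title of a play you have seen performed",
    "q09": "City and country of your first overseas trip",
    "q10": "Full name of a childhood neighbour",
    "q11": "Name of the company that made your first car",
    "q12": "Title of a poem you learned by heart",
}
ENROL_COUNT = 7      # the user must answer this many of the 12
CHALLENGE_COUNT = 4  # the system asks this many at reset time
PBKDF2_ROUNDS = 100_000  # assumed work factor


def normalize(answer: str) -> str:
    """Canonicalize so 'Sydney,  AUSTRALIA' and 'sydney australia' compare equal."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    letters = "".join(ch if ch.isalnum() else " " for ch in folded)
    return " ".join(letters.split())


def _digest(answer: str, salt: bytes) -> bytes:
    """Store answers like passwords: salted, slow hash of the normalized form."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS)


def enrol(answers: dict) -> dict:
    """Return a per-user record {question_id: (salt, digest)} for the chosen questions."""
    unknown = set(answers) - set(QUESTION_BANK)
    if unknown:
        raise ValueError(f"unknown question ids: {sorted(unknown)}")
    if len(answers) < ENROL_COUNT:
        raise ValueError(f"answer at least {ENROL_COUNT} questions")
    record = {}
    for qid, answer in answers.items():
        if not normalize(answer):
            raise ValueError(f"empty answer for {qid}")
        salt = secrets.token_bytes(16)
        record[qid] = (salt, _digest(answer, salt))
    return record


def challenge(record: dict, k: int = CHALLENGE_COUNT) -> list:
    """Pick k of the user's enrolled questions uniformly at random (CSPRNG)."""
    return secrets.SystemRandom().sample(sorted(record), k)


def verify(record: dict, asked: list, responses: dict) -> bool:
    """Accept only if every asked question is answered correctly.

    Every answer is checked (no early exit) and compared in constant time, so a
    failed attempt does not reveal which of the asked questions was wrong.
    """
    if any(qid not in record for qid in asked):
        return False
    ok = True
    for qid in asked:
        salt, expected = record[qid]
        got = _digest(responses.get(qid, ""), salt)
        ok &= hmac.compare_digest(got, expected)
    return ok


if __name__ == "__main__":
    # Constructed sample enrolment, not real user data.
    sample = {
        "q01": "Sydney, Australia", "q02": "Acme Widgets Ltd", "q03": "The Hobbit",
        "q05": "Mary Ann Smith", "q08": "Hamlet", "q09": "Wellington, New Zealand",
        "q11": "Holden",
    }
    rec = enrol(sample)
    asked = challenge(rec)
    print("asked:", asked)
    print("correct answers accepted:", verify(rec, asked, {q: sample[q] for q in asked}))
```

Two operational points follow from the scheme: keep the chosen subset fixed for the whole reset session and rate-limit attempts, otherwise an attacker can abandon and restart until the questions they happen to know come up; and normalize before hashing, or legitimate users will fail on capitalization and punctuation they cannot remember.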

Some systems have implemented a 'password hint' feature. When a user creates a password, they also have the option of providing a password hint.

This hint is some text string that is supposed to help the user to recall their password. Later, when the user is unable to remember their password, they ask to see their password hint. The system displays the hint, and the user hopefully recalls their password, and all is well. But all is not well, as most users just supply a copy (sometimes permuted) of their password as the hint. So, for example, if the password is 'abcde,' the hint is likely to be 'password=abcde,' 'edcba,' or 'a_b_c_d_e.'

While it is possible for a user to create a hint that works and is very secure, they seldom do, and the hint is often sufficient for a hacker to determine the actual password within a few tries. Thus the password hint feature significantly reduces the strength of the password and often opens the account to easy hacking.

I have not seen a scenario where users can supply a hint that does not also significantly reduce the strength of their password. I do not recommend systems use this technique as it causes more trouble than it solves.
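The hints quoted above are mechanically detectable. As an added example (not from the article), this Python check flags a hint that, once separators are stripped and case is folded, contains the password, its reversal, or a long shared run of it. It illustrates how little the hint hides; the run threshold of four characters and the sample pairs are my assumptions.

```python
"""Flag password hints that are trivially derived from the password.

Added example, not from the article. It detects the hint patterns quoted in
the text ('password=abcde', 'edcba', 'a_b_c_d_e' for the password 'abcde'):
the hint contains the password, its reverse, or a long run of it once
separators are stripped. The run threshold is an assumption.
"""


def _alnum(s: str) -> str:
    """Case-fold and drop separators, so 'a_b_c_d_e' and 'A-B-C-D-E' both become 'abcde'."""
    return "".join(ch for ch in s.casefold() if ch.isalnum())


def _longest_common_run(a: str, b: str) -> int:
    """Length of the longest substring shared by a and b (simple dynamic programme)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, start=1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def hint_leaks_password(password: str, hint: str, min_run: int = 4) -> bool:
    """True if the hint gives away the password or a substantial piece of it.

    Checks the stripped hint for the stripped password, the password reversed,
    and any shared run of at least min_run characters (or the whole password
    when it is shorter than min_run) in either direction.
    """
    pw, h = _alnum(password), _alnum(hint)
    if not pw or not h:
        return False
    threshold = min(min_run, len(pw))
    for candidate in (pw, pw[::-1]):
        if candidate in h or _longest_common_run(candidate, h) >= threshold:
            return True
    return False


def audit_hints(pairs):
    """Return the (password, hint) pairs from a list that would leak the password."""
    return [(p, h) for p, h in pairs if hint_leaks_password(p, h)]


if __name__ == "__main__":
    # Constructed samples: the article's three hints plus two that do not leak.
    samples = [
        ("abcde", "password=abcde"),
        ("abcde", "edcba"),
        ("abcde", "a_b_c_d_e"),
        ("abcde", "the first five letters"),
        ("Tr0ub4dor&3", "the comic"),
    ]
    for p, h in samples:
        print(f"{h!r:28} leaks {p!r}: {hint_leaks_password(p, h)}")
```

A check like this only catches the crude copies; a hint that is a genuine memory cue ("the comic") passes, but so does any private code the user and an acquaintance both understand, which is why the author's advice to drop the feature stands.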

Strength in numbers

While it may seem more user-friendly to have the user supply the question as well as the answer, system-supplied questions can, in general, predispose the user to supply stronger answers than they would on their own, and multiple questions can make up for the lack of strength a single question provides.

Elton Hay, CISSP, is a security consultant working within the infosecurity industry.