Falling Over Fallback Password Questions

[Photo: a kindergarten class. Credit: Susan Farley for The New York Times]

Some major sites on the Web want to know: What was the last name of your kindergarten teacher, the name of your dog, your mother’s maiden name, the brand of your first car or in what year did you graduate from high school?

These are some of the commonly asked “fallback questions” that Web sites pose to users who need to reset their passwords. Some are just as difficult to remember as the password itself. Others are easily guessable (a list of common pet names, for example, is a short read).

Internet companies want us to pick complex, hard-to-guess passwords. As memory-challenged Web addicts, many of us are hopeless at the task. So we resort to punishing our brains to recall which fallback question we selected when registering on the site, and what, darnit, was the name of that kindergarten teacher anyway?

Markus Jakobsson, principal scientist at the Palo Alto Research Center, and his colleagues think there should be a better way. In a talk at the Security and Human Behavior workshop here in Boston this week, Mr. Jakobsson posited that most of these fallback authentication mechanisms either confound the user or ask for information that an attacker could easily obtain from public records (or from a social networking or genealogy site, for that matter).

Mr. Jakobsson and two colleagues have proposed an interesting alternative called Blue Moon Authentication (because, ideally, you only forget your password once in a blue moon). While registering for a site, users select, from a long list, things they like and dislike (punk music, golf, southern food, for example). If they forget their password, they return to the site and are presented with the list of items they selected. They then have to specify whether they like or dislike each of those things – a quick personality test. Forget about plumbing the depths of your brain; just be yourself. “It turns out very few people have a hard time remembering who they are,” Mr. Jakobsson said.

In a research study of 423 college students, the group honed their questions and determined that the probability that an attacker can answer all the questions accurately was less than one percent. The chances of a legitimate user failing their own personality test were close to zero (although whether people’s choices will change over several years is an unanswered question).

Mr. Jakobsson says that a major Silicon Valley company has completed testing the Blue Moon system and is planning to introduce it to its North American user base later this year. If it takes off, you can safely forget the name of your kindergarten teacher.
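To make the arithmetic behind that “less than one percent” concrete, here is a small added model of preference-based fallback authentication. It is illustrative code, not the PARC authors’ implementation: the item catalogue, the enrollment policy (enough items, and not a single uniform answer), the error tolerance and the attacker’s per-item guess rate are all assumptions chosen for the example.

```python
from math import comb

# Constructed catalogue of likes/dislikes a site might offer at sign-up.
CATALOGUE = ["punk music", "golf", "southern food", "opera", "camping",
             "sushi", "horror films", "crossword puzzles"]


def enroll(choices, min_items=6):
    """Register a preference profile. `choices` maps item -> True (like)
    or False (dislike). Assumed policy: enough items, all from the
    catalogue, and at least one like and one dislike (a profile that is
    uniformly 'like' is trivially guessable)."""
    if len(choices) < min_items:
        raise ValueError(f"pick at least {min_items} items")
    unknown = set(choices) - set(CATALOGUE)
    if unknown:
        raise ValueError(f"not in catalogue: {sorted(unknown)}")
    if len(set(choices.values())) < 2:
        raise ValueError("profile needs both likes and dislikes")
    return dict(choices)


def verify(profile, answers, max_errors=0):
    """Recovery attempt: the user is shown the items they chose and labels
    each again. Returns (ok, mismatches); a missing answer counts as a
    mismatch, so the attempt covers the whole shown list."""
    mismatches = sum(1 for item, liked in profile.items()
                     if answers.get(item) != liked)
    return mismatches <= max_errors, mismatches


def attacker_success(n_items, p_guess=0.5, max_errors=0):
    """Probability that an attacker who guesses each like/dislike
    independently with per-item accuracy p_guess makes at most
    max_errors mistakes out of n_items (binomial tail)."""
    return sum(comb(n_items, k) * (1 - p_guess) ** k * p_guess ** (n_items - k)
               for k in range(max_errors + 1))


def items_needed(target=0.01, p_guess=0.5, max_errors=0):
    """Smallest number of items that pushes attacker_success below target.
    A coin-flipping stranger needs 7 items for < 1%; an acquaintance who
    guesses right 70% of the time (the ex-spouse case) needs 13."""
    n = max_errors + 1
    while attacker_success(n, p_guess, max_errors) >= target:
        n += 1
    return n
```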


What a great scientific study. He tried it out on college kids whose brains are in their primes. Try it out on the 50-ish and above and your results won’t be as astounding. I liked the Microsoft Passport idea where you signed up and one logon and password worked for everything.

Criteria requirements for each password vary, so when you set up a password, it is based on the given criteria such as 4-digit numeric, 5-digit alphanumeric, or case sensitive, etc. Many times you can recollect or remember the password if you remember the criteria. Also, the number of times you are allowed to try is not more than 3, and you may easily use that up. If I am rushed I generally readily agree that I forgot the password. If given more options it is likely that I can figure out the correct password. Please HELP.

There are a few sites that are also starting to use these questions as a verification device–you log in with your user name and password, and it then asks you to answer two questions.

I absolutely hate it, and if I didn’t have to go to the site to conduct business, I would never go back.

Finally, some common sense! Especially since we are now warned not to use the same password across different sites, just in case one is compromised. I’ve had my answers revoked because I entered an answer with “Mrs.” with a period but typed in a response without. Or vice versa.

That’s a really great idea.

I feel the typical “fallback questions” are a horrendous security idea. What if THOSE answers get breached and obtained by someone else? That’s even WORSE than getting the password…

Call me foolish, but I usually use different passwords with the many accounts I open (probably too many). I often forget them although I remember my pet, my mom’s maiden name, etc. I use different names because I fear that if my password is discovered all my accounts will be in danger. Does anyone else do this? Sometimes I feel that I should cancel all my passwords and start over with just one.

Joe C from Austin July 1, 2008 · 2:50 pm

How are the answers stored –are they encrypted in a way that prevents an unscrupulous system admin or hacker from viewing them and then using them to gain access to another system that user has an account on?

Of course encrypted password files are not completely secure: a common problem is that hackers can encrypt likely password choices and look for matches in the file. That’s why users are told to avoid dictionary words and common terms. Is the encrypted answer set even more vulnerable to such matching algorithms?

A quick scan of the paper this article references to answer these questions finds only an unsettling one-sentence answer: “It is assumed that the submission and storage of the answers is done securely.”

Also: to set this up a user is expected to answer a series of questions at a time when they are trying to create an account in order to carry out some other (possibly urgent) task such as paying a bill. Will there be checks to prevent a user from giving the same answer to every question?

The master key had better be very hard to copy if you are going to use it on every building in cyberspace.

Many years ago the very famous psychologist, Tolman, stated that ‘students are not people.’ Yet, they still insist on testing these non-people with no life experience and then suggest we alter our behavior because some 18 year old kids did this or that.

Have you ever spoken to the average 18 year old? Would you like to alter you life because of what he or she says or thinks?

While this could alleviate many problems with respect to certain types of hackers, I would be interested to see how those same tests are done with someone that knows you extremely well (i.e. ex-wife, ex-girlfriend, ex-best friend). I would imagine that most people breaking into your account with that kind of information (i.e. kindergarten teacher, pet’s name, etc…) might know you well enough to pass this same kind of test?

It seems that a lot of hacker schemes are still going to do some kind of scam to try to get your password, then what after they get it?

While it might help people who forget their passwords, I am not sure if this type of product is any safer than all of the other current security features already available. Of course, it depends on how you define “safer.”

Richard Miller, Evanston, IL July 1, 2008 · 2:54 pm

There is a much easier way to manage this — simply choose one answer, and only one answer that you can remember and put it everywhere, whatever the question, e.g., Question “Name your favorite pet?”, Answer “spot”. Question “Name your 3rd grade teacher”, answer “spot”. Question “On what street did you first live”, Answer “spot”.

The database doesn’t care what the answer is, or if it has any real meaning in context. All the database looks for is if the answer matches what you had typed in earlier. I’ve even used this for multiple questions on the same website and it seems to work.

Now if only the internet companies recognize their errant ways and start providing technology solutions that ease existing pain points, instead of creating new ones.

And a plea to those companies — please don’t modify your websites so this workaround is no longer viable. Thanks

This is neat… but the connection, however abstract, between the person and her attributes and preferences would seem to be a risk. For example, if I am trying to steal the identity of someone I know, could I not guess at their responses? Even so, I think the idea is great. I am constantly forgetting my passwords and resetting them. I’ve just been waiting for a good fingerprint-based method. Retinal scanning?

I’d be curious about how Jakobsson proposes to make people comfortable that their “personalities” wouldn’t be available to the highest bidder (or to a hacker). Seems like marketers would pay a lot of money for this sort of information.

But what about those of us who want to protect our privacy and don’t want to give truthful answers to personal questions? How do we know that Blue Moon won’t use our answers for advertising purposes, or worse? And even if Blue Moon is legitimate, how can we be sure that others who use the same technique are? It seems a damned if we do, damned if we don’t solution. If we answer the questions truthfully, we are giving very personal information to an anonymous person. If we don’t answer truthfully, we can’t remember our answers. Isn’t it easier to remember that your first dog’s name was Lassie, even if it wasn’t?

Kindergarten teacher: Bonnie Smith…aka Mrs. Smith.

Subjective password questions (what is your favorite whatever) are problematic. Answers change, and there’s no indication of when the user filled out the form.

I am a lot more likely to lose access to a site because I can’t remember whether my favorite pet is one that’s now been dead 3 years or the one sitting next to me than I am to be impersonated by someone who figured out my first pet’s name from publicly accessible information.

Ugh!

I usually just put the same answer in ALL the fallback questions..

What was your 1st grade teacher? alex
What was your 1st pet’s name? alex
What High School did you go to? alex
What’s your mom’s maiden name? alex

and on and on.

This works for the most part but SOME sites now want a different answer for each darn question!

Some sites let you write your own security questions — Uncle Hiram’s favorite team? Matilda’s favorite food? (Matilda could be a friend, hair stylist, boss, professor, cleaning lady.) When your plane dropped 500 feet, where were you going?

There are freeware and payware apps that generate nonsense character/numeral/symbol strings that can be used as IDs and passwords. I use Roboform, which remembers the strings I’ve assigned to each site. I activate Roboform with a single password, and the program fills in the data with no keystrokes. It attaches to your browser, can be used on multiple computers, and can be synchronized easily across computers.

I have to remember only one password. To access an account of mine, the hacker first has to guess that my user ID is something like &Bsu*9w!%efaDBf. Then my password for the site might be 2l9rRTD&rgfG3$G.

If you can remember whether you prefer Twinkies to Poptarts, you can figure out how to work one of these programs.

Washington DC

This is such a fantastic idea. I haven’t been able to pay my Old Navy credit card bill online for months because apparently, I can’t remember the first company I worked for. It’s a real pain in the butt.

Another pernicious effect of such questions is the cumulative amount of personal data being collected by unknown entities. Website owners often outsource their website management and/or security to outside firms. So you have no idea who has control of these data. While individual pieces of such data may seem innocuous, together they make an identity thief’s “social engineering” task much easier.

Where is “Onsager” among the pet names? Most of my colleagues agree it should be near the top!

No good. I’m ambivalent about almost everything.

is this what passes for “science” these days? yike! i wonder if it wouldn’t be more honest to simply hang up a sign that says “sorry, but we’re all out of good ideas”.

Tastes change. Sometimes frequently.

DougTerry at terryreport.com July 1, 2008 · 4:39 pm

The whole password thing strikes me as a fig leaf, anyway. It is a bit like “security” at the airports: put on a big show and maybe the dummies in line (all of us) won’t notice the massive failings of the whole system. At the airports, the biggest change since 9-11 is the one that almost no one notices or even knows about: making the pilot’s area “hardened” so that no one can get in once the door is locked, short of dismantling the aircraft.

Many, if not most, people use utterly dumb passwords, as though there were no chance of anyone ever wanting to break in. I know of a college student who used 1-2-3-4-5 for her access to “protected” portions of the college website. Everywhere you go, every time you log in, everyone wants a password and then they tell you not to use the same one repeatedly. Who can remember six randomly selected letters and numbers for 12 different sites? If you write it down, aren’t you then violating the idea of the password in the first place? But you’d have to have them written down if you are taking a trip and stopping off at Internet cafes, and someone could easily see the passwords over your shoulder.

The system is silly, doesn’t really work, provides minimal protection and, hey, let’s all play along for a few more decades. “If it helps with our security, I’m all for it.” (Speaking of which, how did every woman at every airport learn the same sentence to recite to television interviewers?)

That sounds great to me: I can’t stand the old system; but I’m an elementary school teacher!