Paraphrasing a great comment on this idea from the Schneier thread (sorry, I can't find it):
"Hi, I need to make a change to my account."
"All right, ma'am, I'll have you just answer this security question first: What is the make of your first car?"
sigh "So, look, this is going to sound really stupid, but for these questions I always use random words, and I lost the paper where I wrote them down... I'm really sorry, I just don't remember what they are. It's not a real car make, if that helps, it's just some random nonsense words."
"Uh, let me just talk to my supervisor." [hold] "What can I help you with today?"
If multiple sites use the same security question, they will contain the same answer. Therefore if one site has been compromised, someone could use it to login as you at another site.
To fix that you need to add the site itself to the data to hash.
I don't understand why people are trying to come up with such complex solutions to Password and Security Question retrieval when portable and open source solutions, like Keepass[1][2] exist.
Just store your "random" Security Question answers alongside the login credentials - they'll be encrypted safely.
And now you don't remember if you used an uppercase, or where you put spaces, or where you put a dash, or whether you used 1st or 'first', and then you're screwed, because for the hash you need you input to be byte-for-byte the same.
Password management is not a technical problem. All these 'solutions' to passwords being 'insecure' massively miss the point - which is that people just forget things, especially when they need to remember dozens or hundreds of them. Use a password manager and get rid of these nonsensical hacks.
The simplest solution I've had is to keep a notebook where I for every page I write down the security questions and my answer. This is done because I have a bad memory, not as an attempt to salt, but it is a good point that we should try to answer these questions differently every time.
This is used for the few times where I have to do password recovery / phone support, I just grab the book.
For normal password usage I use automated hashing system in Firefox.
I treat my security questions exactly the same as passwords, just having a different prompt. The answers are long, randomly generated and not stored in my brain. And the same question for different sites have different answers.
Instead of paper I do use a password program, and ensure that the encrypted data files are replicated to several different places.
You've updated to make it easier to say over the phone, but it doesn't help for being asked over the phone. Can you trust the person you're talking with to accurately say "What is the make of your first car?", or might they read "What was your first car?" or similar. Even if you specify to them over the phone "please read the question word for word", maybe their system is one with a few built-in standard questions, and all they see on their screen is "first car".
Why bother generating a hash based on your password and secret question? Just pick five random words and store those in your password manager as well, along with the question.
# gsort -R /usr/share/dict/words | head -n 2
inductory
thingstead
"What was the make and model of your first car" - turns out, I was driving a brand new Inductory Thingstead, and changing the minute details of the secret question (or me changing the password) won't affect anything.
(One potential downside is having to tell an operator that your car was a "trichroic somatopsychic", which would just take extra time to spell out, unless they see the answer in plaintext.)
There's also a risk of them changing the question text on the website. Maybe they did a redesign and need the text to fit into a smaller area - who knows.
A workaround may be to just simplify the phrase to "first car" and use that.
FTR, some EU countries have viewed standard security questions (e.g. date of birth) as not being sufficent protection for personal data, and hence it could be illegal to store personal data that way.
If you're in the EU, and are storing personal data, you are legally required to protect it. Think carefully about how you set up your EU based web app.
I still can't get back into my very first e-mail account. How the hell do I know who I loved most in sixth grade? I got a different crush every monday, and was convinced we were made for each other.
This changes the situation from "What was that password again?" to "What algorithm did I use for this site?", and given that I'm already pissed off at having forgotten my password, the likelihood of my remembering this goes down significantly. Which makes me even more pissed-off.
IOW: When designing a scheme like this, the fact that you'll be angry when trying to actually use it at some point in the future becomes an important design constraint.
I don't understand how this would solve the problem that security questions are trying to solve.
Basically, you just want something that you remember and/or infer easily in case you forget your password.
If you use a passphrase as a salt to build a hash along with your security question then you are not really solving the problem.
You still will have to remember the passphrase in order to build the hash. What if you forget it?
Therefore you really haven't solved the problem.
For what's it worth I don't believe in security questions and agree that they can be inferred by a reasonably motivated person with rather ease.
There is no silver bullet, but it is probably way less risky to just allow password reset by confirmation codes to cell phones.
[+] [-] Cushman|13 years ago|reply
"Hi, I need to make a change to my account."
"All right, ma'am, I'll have you just answer this security question first: What is the make of your first car?"
sigh "So, look, this is going to sound really stupid, but for these questions I always use random words, and I lost the paper where I wrote them down... I'm really sorry, I just don't remember what they are. It's not a real car make, if that helps, it's just some random nonsense words."
"Uh, let me just talk to my supervisor." [hold] "What can I help you with today?"
[+] [-] btilly|13 years ago|reply
If multiple sites use the same security question, they will contain the same answer. Therefore if one site has been compromised, someone could use it to login as you at another site.
To fix that you need to add the site itself to the data to hash.
[+] [-] phase_9|13 years ago|reply
Just store your "random" Security Question answers alongside the login credentials - they'll be encrypted safely.
--
[1] http://www.keepass.info/
[2] http://www.keepassx.org/
[+] [-] icebraining|13 years ago|reply
Keepass, on the other hand, is useless unless you have the database file with you.
[+] [-] rmc|13 years ago|reply
[+] [-] roel_v|13 years ago|reply
Password management is not a technical problem. All these 'solutions' to passwords being 'insecure' massively miss the point - which is that people just forget things, especially when they need to remember dozens or hundreds of them. Use a password manager and get rid of these nonsensical hacks.
[+] [-] engtech|13 years ago|reply
This is used for the few times where I have to do password recovery / phone support, I just grab the book.
For normal password usage I use automated hashing system in Firefox.
[+] [-] pavel_lishin|13 years ago|reply
[+] [-] rogerbinns|13 years ago|reply
Instead of paper I do use a password program, and ensure that the encrypted data files are replicated to several different places.
[+] [-] corin_|13 years ago|reply
[+] [-] pavel_lishin|13 years ago|reply
(One potential downside is having to tell an operator that your car was a "trichroic somatopsychic", which would just take extra time to spell out, unless they see the answer in plaintext.)
[+] [-] dangoldin|13 years ago|reply
A workaround may be to just simplify the phrase to "first car" and use that.
[+] [-] wulczer|13 years ago|reply
[+] [-] alanbyrne|13 years ago|reply
I die a little inside every time some site emails me my own password.
[+] [-] wlesieutre|13 years ago|reply
[+] [-] rmc|13 years ago|reply
If you're in the EU, and are storing personal data, you are legally required to protect it. Think carefully about how you set up your EU based web app.
Example: In Ireland it's probably against the Data Protection Acts to use a date of birth/mother's maiden name as a 'security question' for personal data. (cf. http://www.dataprotection.ie/viewprint.asp?DocID=1212&St... http://www.dataprotection.ie/viewdoc.asp?DocID=1062&m=f )
[+] [-] brianjyee|13 years ago|reply
[+] [-] pavel_lishin|13 years ago|reply
[+] [-] crazygringo|13 years ago|reply
I'm looking at you, Citibank.
[+] [-] chiph|13 years ago|reply
IOW: When designing a scheme like this, the fact that you'll be angry when trying to actually use it at some point in the future becomes an important design constraint.
[+] [-] dohko|13 years ago|reply
[+] [-] jvdongen|13 years ago|reply
I'd a neat (imo) idea for this, though not everyone agreed: http://news.ycombinator.com/item?id=4349116