14 May 2009

Personal Security: the Secret Question and Answer

In this session, we'll explore some parts of infosec which should be taught in primary school.

We're all too smart to use the same password on multiple sites, right?

While most people, myself included, cannot honestly say "yes" to that question (at least not for everything), a unique password alone is not enough. No matter how secure your password is, be it 20 letters long with assorted dingbats and special characters, there is a weak link in this system. Or rather, two:

Your email is an obvious vulnerability: if someone was able to gain access to that, it would be trivial to reset your password for Facebook, YouTube, Meebo, etc.

What if you have a strong email password, you ask? In that case, we get on to the heart of the matter (which is also the most relevant to all those social networking users out there): secret questions.

Secret Q&As (SQAs) were initially a good idea: provide an alternative in case one has lost access to one's email, or never set one in the first place (as with Gmail or Yahoo). They present an interesting problem, however: while the average netizen is unlikely to know the mother's maiden name of dogggzlover98382374@hotmail.com, if your name can be figured out from your email address (or the attacker knows you personally), it is trivial to use sites such as Facebook and MySpace to find the answers to SQAs. A rather public example of this vulnerability is the break-in to Sarah Palin's email account last summer: all of the information needed could be found in public records.

An example of a possible attack against Facebook in particular:

  • Gain access to someone's profile, either by friend-requesting them outright or by masquerading as someone they know (and don't already despise).

  • Look for an email address on the profile or in wall posts.

  • Visit their email provider and reset their email password via the information in their profile.

  • Now reset their Facebook password. This will send an email to their address, which you already have access to.


This works against any site that uses an email loop for password resets, even one carefully designed to avoid common SQAs. Social networking sites, however, are particularly vulnerable because of the wealth of personal information people share freely on them.

SQAs compound the problem: because they are drawn from your personal history and not from anything transactional, the answers are almost always the same between sites, so one leaked answer unlocks many accounts. So, if you're truly concerned about your information security: use something random for your SQAs and store them in a safe place.
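To make that closing advice concrete, here is an added example (my own illustration, not code from the original post) that generates a random, per-site answer for each secret question and compares its entropy with a real answer drawn from public records. The word list is a small constructed stand-in; a real vault would use a large published list, and the answers would live in a password manager.

```python
import math
import secrets

# Constructed mini word list for the demo; a real vault would use a large
# published list (for example 7776 words, about 12.9 bits per word).
WORDS = ["apple", "bridge", "candle", "desert", "engine", "falcon", "garden",
         "harbor", "island", "jacket", "kettle", "lantern", "meadow", "needle",
         "orbit", "pencil", "quartz", "ribbon", "saddle", "tunnel", "velvet",
         "walnut", "yellow", "zipper"]


def entropy_bits(choices: int, count: int) -> float:
    """Bits of entropy in `count` independent uniform picks from `choices` options.

    A 'mother's maiden name' picked from roughly the 1000 most common surnames
    is one pick from 1000 options: under 10 bits, and often zero once the
    attacker has read a public profile. Four random words from a 7776-word
    list give about 52 bits and have no relation to the account holder.
    """
    return count * math.log2(choices)


def random_answer(num_words: int = 4, words=WORDS) -> str:
    """Random answer for a secret question, as the post advises (never reuse it)."""
    return " ".join(secrets.choice(words) for _ in range(num_words))


def fill_vault(sites, questions, num_words: int = 4) -> dict:
    """Generate a distinct random answer for every (site, question) pair.

    Returns {site: {question: answer}} so the same question gets a different
    answer on every site, breaking the cross-site reuse the post describes.
    """
    return {site: {q: random_answer(num_words) for q in questions} for site in sites}


def answers_are_unique(vault: dict) -> bool:
    """True if no answer is reused anywhere in the vault."""
    seen = [a for qa in vault.values() for a in qa.values()]
    return len(seen) == len(set(seen))
```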