Challenge not accepted

“When you assume, you make an ass of u and me”. We can’t live without making some assumptions, but in some areas it’s especially important to verify things. Like in computer security, where the safest assumption you can make is that everything you know is wrong. Consider the case of airline systems that assume the suffix “mr” means “mister” and can be cut from the name, which is a problem for people named “Amr”. Or the assumption that “null” means “no data”, which causes no end of trouble for Christopher Null. Did you know that Norway's ISO country code “NO” can be interpreted by YAML parsers as FALSE? Such flaws or misunderstandings are the result of wrong assumptions, and can easily lead to security vulnerabilities, as well as less dangerous bugs.
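To make the Norway and Null examples concrete, here is an added example (not code from the original post) with a toy resolver that applies the YAML 1.1 plain-scalar rules for booleans and null, plus a small check that flags unquoted values a parser would silently convert; the sample config and the assumption that real YAML 1.1 parsers resolve these scalars the same way are mine:

```python
import re

# YAML 1.1 plain-scalar rules for booleans and null, reproduced here as a toy
# resolver (assumed to match what a YAML 1.1 parser does with these values).
BOOL_RE = re.compile(
    r"^(y|Y|yes|Yes|YES|n|N|no|No|NO|true|True|TRUE|false|False|FALSE"
    r"|on|On|ON|off|Off|OFF)$"
)
NULL_RE = re.compile(r"^(~|null|Null|NULL|)$")
TRUE_WORDS = {"y", "yes", "true", "on"}


def resolve_plain(scalar):
    """Resolve an unquoted scalar the way a YAML 1.1 parser would."""
    if NULL_RE.match(scalar):
        return None
    if BOOL_RE.match(scalar):
        return scalar.lower() in TRUE_WORDS
    return scalar  # anything else is kept as a string for this check


def quote(scalar):
    """Double-quote a value so every YAML parser keeps it as a string."""
    return '"' + scalar.replace("\\", "\\\\").replace('"', '\\"') + '"'


def find_misread_values(lines):
    """Return (key, value, resolved) for each unquoted 'key: value' line
    whose value a YAML 1.1 parser would turn into a bool or null."""
    findings = []
    for line in lines:
        key, sep, value = line.partition(":")
        value = value.strip()
        if not sep or value.startswith(('"', "'")):
            continue  # no mapping, or already quoted: safe
        resolved = resolve_plain(value)
        if not isinstance(resolved, str):
            findings.append((key.strip(), value, resolved))
    return findings


# Constructed sample: a country list and a surname as they might appear in a config file.
SAMPLE = ["norway: NO", "sweden: SE", "surname: Null", 'country: "NO"']

if __name__ == "__main__":
    for key, value, resolved in find_misread_values(SAMPLE):
        print(f"{key}: {value!r} is read as {resolved!r}; write {key}: {quote(value)}")
```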

Some web sites ask users to enter answers to certain personal questions, as a way to help correctly identify them in case they forget their password, for example. These “challenge questions” can be things like the name of a pet you had, your favorite food/book/movie, and (stereotypically) your mother’s maiden name. They are notoriously insecure if you answer them as intended. The well-known author and futurist Cory Doctorow wrote that they don’t work:

Many of us invent false answers to make them harder for others to discover or guess, but this generally doesn’t work as well as we think:

So, the “cleverest” of us use a password generator to make long random strings in place of actual answers to these challenge questions, and use a password manager to remember them for us. That makes it impossible for others to guess them, right?

But what if the web site, when asking these questions, helpfully presents them as a multiple-choice list?

So, by being “clever”, Doctorow made it completely straightforward for an attacker to guess the right answer and possibly take over the account. This is entirely the fault of the web site. They made the bad assumption that users answer these questions in common ways. It would have failed in much the same way if the site had asked about a pet name, expecting common English pet names like Boots, Fido, Felix, Rex... and along comes someone who truthfully answers 猫ちゃん.

So: Don’t use challenge questions, they are inherently insecure. But if you do, at least don’t give people suggestions to choose from when answering! As always, please remember our guidelines for safely reporting security issues in Ibexa products, and do the same for other vendors. Until next time, stay safe!