4

So the original security model was to ask the user for an email address, at time of account creation, and if they forgot their password the system would email a new password to this email address.

The idea now, however, seems to be to use security questions more. So if I forget my password, the website asks me "What is your pet's name?", I type in "chuck" and then the website prompts me to provide a new password and lets me in.

The security questions model seems much less secure to me, as a dictionary attack could be more effective against it.

Why are we "ok" with security questions, as this seems to bypass our requirement for secure passwords?

AndrolGenhald
user7560542
    Have you taken a look at the [secret-questions tag](https://security.stackexchange.com/questions/tagged/secret-questions)? – AndrolGenhald Sep 28 '18 at 15:35
  • 2
    Your question is predicated on a very specific model of account recovery becoming **more prevalent** than another specific model of account recovery. My experience is that this is not the case - and I'm not aware of any published data to support this. Indeed, my experience is that the 2 methods are commonly combined to give the advantages of both mechanisms. A further predicate of your question ("are we ok...") is that there is some arbitrary and universal level of security which is appropriate for all applications - which is simply not the case. – symcbean Sep 28 '18 at 15:36
  • The OWASP article about security questions is relevant here: https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet#Using_Security_Questions – Conor Mancone Sep 28 '18 at 16:32
  • 1
    I am a little skeptical that OP has found a site of any importance that requires only a security question and nothing else to reset a password. A security question is almost always combined with some other factor. – John Wu Sep 29 '18 at 03:14

3 Answers

1

Email password reset is not particularly secure either, since it means that if you manage to compromise someone’s email account you can take over all of their other online accounts. At least with well-chosen security questions (which would not include a pet’s name) they are unlikely to be used by the user on another website, so that a compromise is restricted to that one account. The truth is that security is a trade-off with convenience, and there’s no way to authenticate users that is both reasonably secure and reasonably convenient, so you have to decide which is more important.

Mike Scott
  • 2
    I wouldn't downvote the answer, but this is no longer true. There exists 2-FA security, which is both **reasonably secure and reasonably convenient**. – T.Todua Jan 06 '20 at 12:04
0

Both the methods have pros and cons in terms of security and the probability of breach.

The best way could be to use them in combination: when you reset your password, you will be prompted for a security question as well as an email address.

Sayan
0

Both of these models have flaws, the e-mail one most of all.

You talk about sending the user a new password via e-mail. E-mail is plain text and not encrypted, so it can be sniffed over networks; plus, what's stopping someone hijacking that user's e-mail account? How are you generating that secure password to send them? I hope it's a CSPRNG.

Are you forcing the user to change that password after they log back in? Otherwise that's another... You'd practically be using e-mail as false "secure" storage. Future e-mail compromises mean their account is also compromised.

Security questions, on the other hand, vary: there are some really bad questions which should never be asked, but there are some good ones too that are "quite" solid. Not to mention, these forms should be rate-limited to prevent the brute force you mentioned.

E.g. "What is your pet's name?" vs "What is the last name of the teacher who gave you your first failing grade?"

See: http://goodsecurityquestions.com/examples/
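A minimal sketch of the mitigations this answer names (answers stored hashed rather than in plain text, a per-account attempt limit so guessing is throttled, and a CSPRNG-generated reset token that expires and can be used only once, instead of mailing a password), as an added example that is not part of the original answer. The class, limits and the `now` parameter are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # assumed limit per account per window
WINDOW = 15 * 60        # seconds over which failures are counted
TOKEN_TTL = 15 * 60     # seconds a reset token stays valid

def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive form, so users are not locked out by trivia."""
    return " ".join(answer.lower().split())

def hash_answer(answer: str, salt: bytes) -> bytes:
    """Slow salted hash: a leaked database does not reveal the answers."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)

class RecoveryStore:
    """Hypothetical in-memory store for the demo (constructed, not a real product)."""
    def __init__(self):
        self.accounts = {}   # user -> {"salt", "hash", "failures": [timestamps]}
        self.tokens = {}     # token -> (user, expires_at)

    def enroll(self, user: str, answer: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = {"salt": salt, "hash": hash_answer(answer, salt), "failures": []}

    def check_answer(self, user: str, answer: str, now: float = None):
        """Return a one-time reset token on success, None on failure or lockout."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None:
            return None  # same outcome as a wrong answer: do not reveal whether the account exists
        acct["failures"] = [t for t in acct["failures"] if now - t < WINDOW]
        if len(acct["failures"]) >= MAX_ATTEMPTS:
            return None  # locked out for the window: this is the rate limit
        if not hmac.compare_digest(hash_answer(answer, acct["salt"]), acct["hash"]):
            acct["failures"].append(now)
            return None
        acct["failures"].clear()
        token = secrets.token_urlsafe(32)  # CSPRNG token, not a password sent by mail
        self.tokens[token] = (user, now + TOKEN_TTL)
        return token

    def redeem(self, token: str, now: float = None):
        """Return the user allowed to set a new password; the token is single use and expires."""
        now = time.time() if now is None else now
        entry = self.tokens.pop(token, None)  # pop removes it, so a replay fails
        if entry is None or now > entry[1]:
            return None
        return entry[0]
```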