Blizzard and insecurity questions: My father’s middle name is vR2Ut1VNj
by Jeffrey Goldberg on
By now most people will have heard that email addresses, hashed passwords, and some other data has been stolen from Blizzard’s Battle.net servers, and people are advised to change their passwords there. As unfortunate as this story is, it serves as yet another good reminder of why we very strongly encourage people to not reuse the same password on multiple sites and services.
One thing we don’t know yet is exactly how well hashed the passwords are. From Blizzard’s announcement, we do know that the passwords were salted and hashed, but we don’t know whether it was simple salting (and how big the salt is) or whether they used something like PBKDF2. Their announcement tells us:
We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually
That tells us that the passwords were hashed and salted (see “A salt-free diet is bad for your security” for an explanation of what that all means). So Blizzard has certainly done a far better job in protecting users than, say, LinkedIn, which did not salt at all, but we don’t know exactly how much better. Unless I have misunderstood something, I believe that their use of SRP, while cool and good for some purposes, is not relevant to this particular case.
The Blizzard data theft also includes “the answer to the personal security question”. This is a bigger problem because even people who are careful to not reuse the same password at multiple sites may provide the same answers to “security questions” everywhere.
We’ve all seen – and probably made use of – schemes on websites that will let you reset your password if you can answer a few security questions (I’ll drop the scare quotes from here on out, no matter how poorly I think the name fits what they do). These questions are typically things like your mother’s maiden name or street where you lived when you were 10 years old.
In March 2010 someone going by the handle “Hacker Croll” gained control of President Obama’s and other celebrities’ Twitter accounts by “simply working out the answers to password reminder questions on targets’ e-mail accounts” according to the BBC. It was neither the first nor the last time that so-called security questions have been used to compromise accounts. Quite simply, the information in these questions and answers are not really very secret. Parents’ names, for example, are available on birth certificates (which are a matter of public record in many places) and other information can often be gleaned with a bit of research. In the case of people who’ve written auto-biographies, the information can be all in one place.
The point of security questions is that they are something that the user can remember because they are true things that the user knows; it is exactly that which makes them easy to guess. If my father’s middle name is Walter, then that is what I would normally answer every place that I am asked.
Naturally, the whole problem is solved if you don’t have to remember your security questions and answers yourself—you can just let 1Password do the remembering for you. I’ll get back to that later, but first I’d like to point out a couple of other points (beyond guessability and reuse) about why being careful even with security questions is also so important.
You, for whatever reason, may not wish to let the world know what your father’s middle name is. Yet security questions may ask you to provide exactly the sort of information you would rather not share. Although I may not consider a particular bit of personal information to be sensitive or confidential, you may very legitimately feel otherwise.
Reasonable people can disagree about whether they feel that revealing their father’s middle name is too much information. But I think that we will all agree that “your preferred Internet password” is far too much to ask. Our friends over at 37signals, reporting on what they found when setting up an account on some site.
As you can see, one of the challenge questions is “What is your preferred internet password?” When Roustem pointed this one out to me, I was truly at a loss for words, which is not something that happens very often.
The security questions are never stored more securely than your password for the site, and often they are handled far less securely. As noted above the (unencrypted) answers to Blizzard security questions were stolen. It really isn’t surprising that these things aren’t encrypted or hashed well. Often your security questions and answers are visible to people who work for the organization. Armed with the knowledge that a human may well see the security question and answer, some people have suggested (in the comments) clever (and often profane) texts.
Instead of telling the site the real name of your first pet, use the 1Password’s Strong Password Generator to create a random and unique name for that pet and store that information in the Login entry in 1Password. It may be tempting to use the same random and unique password that you use for the site, but there are a couple of reasons not to do that. I’ve already mentioned the first reason: These security question responses are not stored as securely as passwords; they might appear in email or be given out over the phone. The second reason not to use your site password as your security question answer is that if you change your password for a site, you are likely to forget to update the security question as well. This can leave you with a site security question that you have no record of and no way to remember. (I have learned this from experience.)
1Password does many things automatically for you, but this isn’t one of them, so you will need to help 1Password along to get this information stored properly. There are two things that 1Password will need help with. The first is that the strong password generator only fills password fields, and so can’t automatically fill most security question fields. The second is that you will need to add the security question and answer to a note within your Login.
I’ve spoken with my friends here, and it seems like we all have our own different work flows for handling this. I will step through the way that I do this.
Before we go about getting getting an answer for a security question, we need to make sure that the Login for the site exists within 1Password.. So I will save the new Login from the browser extension, even if I don’t yet have the security question part filled out. Remember that you can save a Login with data you have filled out on a form before you actually submit the form. Just go the the browser extension and click on the “+” button in its upper right corner. (Or on Windows, depending on your browser, use the “Save” button.)
I like to invoke the Strong Password Generator from the 1Password application itself when dealing with security questions. So I open and unlock 1Password Application and go to File > New Item > New Password from the menubar. This will open up the Strong Password Generator. (It is important to launch it this way, because if you use the “generate” button within an item, the Generator will replace an existing password.)
In 1Password for Windows, you can launch the Strong Password Generator through Internet Explorer browser extension. For other browsers, I recommend getting to the Strong Password Generator through the application itself using File > New Item > New Password.
The Strong Password Generator will save the passwords that it creates in the Generated Password Vault, so if you ever need to go hunting for this one there (you shouldn’t have to, but it’s a good to know it’s in there), you should set a useful Title for your Generated password. In my example below I have that as “Security question for example.com”.
In some cases the answers to security questions are meant to be read by humans. For example, it may need to be asked about during a telephone conversation as part of a password recovery process. In these cases, it may be useful to use the Advanced Options in the Generator to select a pronounceable password.
We will need to make sure that the generated password gets copied to the clipboard. You can do this either by clicking on the “Copy” button or making sure that the check box is set by “Copy password to clipboard on completion. Then you can Save this item to your Generated Passwords vault.
Now we need to find and edit the Login for the site to include both the security question and your newly generated random answer.
You can do this either within the browser extension (on the Mac or in the Safari extension on Windows) or within the Application. In the browser extension, just search for the Login, click the little arrow at the right, and then the Edit button.
In my example the Strong Password Generator gave me
vayt-jebs-yaf-g, so I paste that into the notes field in the Login along with the question. After I save the Login, my notes field for the login will say “First pet: vayt-jebs-yaf-g”.
One point I should make here is that I store these in the “notes” within a Login (instead of within custom fields) because notes will be preserved if the Login is updated later in the browser. Form fields will be replaced on such an update.
Now that we have everything squared away within 1Password, we need to make sure that the website asking the security question knows that your pet’s name is
vayt-jebs-yaf-g. So you will need to paste that information into the web page as your answer to the security question.
The principle purpose of security questions is for password recovery. It’s what you are supposed to use if you forget your password. With 1Password you shouldn’t have to worry about forgetting a password for a site because 1Password remembers it for you. However, if you do store security questions and their answers within 1Password, you must take extra care to ensure that you never lose access to your 1Password data. You are storing your passwords and your password recovery secrets in the same (highly secure) basket.
We clearly need to look at how we can make 1Password be more helpful in this process. We’ve been hoping that “security questions” would just go away, but it looks like this practice will be around a a while. As always, we never (well, hardly ever) talk about features until they are delivered, so no promises.
I’d love to hear what other solutions and ideas our users have for handling these. So please join the discussion of this post in our forums.
Updated: 13:30 EDT August 10 to correct instructions for using 1Password for Windows.