Double Entry Passwords

Also see the articles Choosing Good Passwords, Password for Internet cafes and the Password Maker

Over the past year or so I've noticed a huge increase in the use of answers to "secret questions" used as a secondary means to access data, services or information protected by a password or passphrase (this used to be just used on the web but now I'm beginning to see applications that use it too).  You've probably seen this yourself, you're asked for a username and a password, and the password usually has to be six or more characters, preferably upper and lower case mixture with a number or a symbol thrown in for good measure.  Nice and robust against all but the determined brute-force attack.  If you want greater security, you can make the password eight or more characters long.

Note:  I'm using the word "password" here because that's the word commonly in use but a word is the last thing you should use.  Ideally you want to make it random but there is middle ground here that's easier to remember.  I've written a lot on this site about passwords and if you want more guidance, I recommend that you read up.

So, you choose your username (or use your email address as so many places want you to do - kill two birds with one stone - get you signed up and get your email address) and then you choose a good password.  Then you're asked to enter the answer to a "secret question".  Sometimes you can make up your own question, sometimes you can choose from a list but sometimes you are stuck with the single default - usually "What is your mother's maiden name?" or "What is your favorite color?" or "What was the name of your first pet?".  The idea behind this "second level of security" (which is what it is usually billed as) is that if you lose or forget your password then this second password can be used as a backup means of entry.  


You sign up with an online retailer called "MegaBucks", one of the largest online retailer of widgets in the world.  During the signup process you are asked to enter a password to protect your account.  A username isn't needed because they use your email address.  So you pick a nice and random password to go with your email address.

OK, so far, so good.  The password is something that is known only to you and since it isn't a word or phrase but is instead random it can be considered as offering pretty good security.  Not 100% (few things are) but close enough.  Chances are that rather than try to attack and compromise a individual user's account a hacker would instead go after the system itself looking for a crack or chink in the armor to try to exploit.

But what happens next?  The system asks you for a "backup password" in case you forget the first one.  

These can vary in type from the plain stupid (we'll come to why in a moment):

This next one is a little better because it gives you choices of question via a drop-down box:

And this is better still:

OK, why do I say that this kind of system is insecure?  Well, stop and think about it for a moment - you are using a password to protect whatever assets lie behind it and you've chosen a good one.  A good password is one that someone else couldn't guess and if they try randomly they will be trying for a very long time.  That's the idea.  However, the chink in the armor protecting the assets here is the "secret question" system used as a secondary password.  Here's why ...

Carrying a brute-force attack on a six or eight plus character password will take a lot of time because the hacker has no real starting point (they would more than likely choose a dictionary attack first, where they use a tool to try all words in the dictionary.  This is why you shouldn't use words out of a dictionary as a password.  If this failed the determined hacker would try an attack based on variable case words from the dictionary (trying all variations, such as password, PassWord and PASSWORD) and also trying multiple words from the dictionary.  This would take a lot of time because the hacker has no starting point.  Remember that your username offers very little security - if "MegaBucks" is big enough and popular enough it might be worthwhile a hacker using known email addresses sources from a spam list as a starting point.

However, if there is a facility that allows entry based on a "secret question" then this small chink could be exploited.  It gives the hacker a place to start.  Names, colors, places - these are all knows and while there might be thousands or hundreds of thousands of names, you can be sure that just like dictionary files used by hackers, names, places and color files also exist.

Also, think about it - how many people might know your mother's maiden name?  Your favorite color?  The name of your first pet?  You might even find that the answers to these questions already exist in other databases holding information about you.  Also, think about how often you might be asked these questions and where the information might be stored.  If you, for example, always use your mother's maiden name as the "secret question", how many places have you entered this information?  How secure is it?  How easily could you be "socially engineered" by a fake email, fake website or fake phone call to disclose this information?

But why do companies use this kind of system as a backup in case the user loses their main password if they know it's a chink in the armor?  

Bottom line - cost and keeping their customers.

If you wanted to log on to the "MegaBucks" online store (or online bank for that matter) and found that you'd forgotten your good password?  You'd have a few options:

  • Abandon what you were trying to do
  • Go somewhere else to make a purchase
  • Sign up again as a new user
  • Get in touch with the company and get them to reset your password

The main things that the company really don't want you to do is to go somewhere else - not only have they lost a sale, they've potentially lost a customer to a competitor, especially for something as trivial as password loss.  So what better scheme than a proper password and a password based on a prompt that they are unlikely to forget which either lets them in, let's them reset their password or lets them enter a new password.  Who knows, maybe some of their customers are only customers because they forgot their passwords elsewhere?!

Believe it or not, there is something else that companies don't want you to do - that's contact them for support.  Support, no matter how trivial, costs money, not to mention all that nasty security business of having to make sure that the person on the other end of the phone really is who they say they are.  Far better, easier and cheaper to put a system in place that allows self-service, and if the customer happens to have a mother who had a common maiden name or they like the color red or had a dog called Spot, then that's their problem.  If you have kids then do them a favor and make sure that they name their first pet Br$w2sZ0.

So what can you do?  Well, the reason that these systems are in place is because people do lose their passwords.  Don't lose passwords!  Get a program like PasswordSafe (available for free download from and store them in there.  Keep a copy of the password file on a floppy disc, CD or USB flash drive (preferably more than one copy in different places) and keep the copies up to date.

Another thing that you can do is when faced with a "secret question" screen is to enter either random rubbish as the answer or a different password and store this with the main password (don't use your main password as you can't be sure that this will be stored in encrypted form - many companies use this for phone verification, which means they they can read it!).  By hardening the response to the secret question you are overcoming the chink in the armor - for yourself at least!  If you don't lose your password in the first place, then the whole "secret question" thing becomes a moot point. 

Remember - the main person in charge of protecting your assets is you!  Don't accept a weakened system just because other people can't properly organize their passwords!

Adrian Kingsley-Hughes
Last updated: March 11th 2005
Print This Page   |   Email me when this page changes    |  Search This Site System Scanner does the work for you!

Contact Us