Solving the secret question problem

Monday, 29 March 2010

I love to think of unsolvable problems and try to solve them. I dunno why I just enjoy it. One of the most challenging problems is “secret questions”. Everyone sucks at this, I’m looking at you Google. One of the first lines of defence for a unverified account can be a secret question. This is why my dog is called “mi(mqure~sb$ztrcjeoosc*m;wbyowdd@” online.

How to solve it? Well at first I thought of questions like “Which picture do you have in the front room of your house?” but there are problems. Like anyone can visit your house and see the picture or look through your window. The physical aspect of them having to do that though reduces the likelihood of it happening unless they really want your account. Doing this over a few accounts is also less likely because you’d need to visit all their houses.

Or do you? Damn you flickr. People upload pictures of their houses, this is bad using as part of a secret question because you can clearly piece the information together if available. Bruteforcing is hard though because your automated program would need to understand the question. Unless the attacker builds an automated program that gathers the accounts and questions in various frames and can picture the correct answer. Oh dear this is harder than it sounds. What if you decide to bin the picture? Not good so I thought of something else.

Open your hands and look at them. Can you see the ridges between your fingers? You carry this data with you all the time, it’s hard for someone to obtain without taking a detailed picture of your hands. We can use this data! Example instead of a question “What is your favourite cats name?” the better questions would be series of:-

“Please tell me How many ridges there are on your first finger left hand?
“Please tell me How many ridges there are on your fourth finger right hand?
“Please count the number of large ridges on your palm right hand”

You would require more then one question at a time and the you’d have to be careful about the questions chosen. I thought of ridges because they would be pretty different for each person and they wouldn’t mind disclosing the information.

The entry 'Solving the secret question problem' was posted on March 29th, 2010 at 4:05 pm and is filed under articles, Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

7 Responses to “Solving the secret question problem”

  1. Brian writes:
    No. 1 — March 29th, 2010 at 5:45 pm

    The problem with your solution is accessibility. I have healthy eyes and would have a difficult time providing you repeatable results for the ridge questions. Now imagine your grandmother trying to provide the same answers or even a blind person.

    Your service would be limited to those who kept magnifying glasses near their computers or who are good at remembering fake data.

  2. qqqqqqq writes:
    No. 2 — March 29th, 2010 at 6:37 pm

    IMHO this is the worst idea I have ever seen. It could help, if you have used all your fingers and each would mean one letter, digit or character of alphabet (=7bits of information on every finger). When you only count the ridges, I can bruteforce the answer easily.

  3. qqqqqqq writes:
    No. 3 — March 29th, 2010 at 6:52 pm

    In addition ridge count statistics for my country are freely accessible, so I can answer is such manner that I will pass in 95% after first 5 tries and (at least in my country) and after 40 tries, I am surely there (less than CAPTCHA can protect).

  4. Gareth Heyes writes:
    No. 4 — March 29th, 2010 at 9:38 pm

    @Brian

    Yeah valid point, that why this problem is unsolvable but at least I had a go 🙂

    @qqqqqqq

    When I posted this I had the same thoughts but if you combine a secret question with the ridges idea then maybe it would be a little better.

  5. Smack writes:
    No. 5 — March 30th, 2010 at 2:13 pm

    The number of ridges isn’t an awesome idea. By knowing the question you know that the answer is going to be numeric, probably between one and 100, say.

    Similar to my advice to building a strong password, I suggest using things that you can look up easily if you forget, but others can’t.

    For instance: What’s the serial number of your cellphone (usually under the battery)?

  6. Gareth Heyes writes:
    No. 6 — March 30th, 2010 at 2:40 pm

    @Smack

    Yeah not sure if this is a good idea now that I’ve had time to think about it. Combining it with a question might be slightly better.

    The mobile phone idea is pretty cool but maybe combining it with a answer to a secret question to produce a hash. e.g. What’s your favourite pet? AND What’s the serial number of your cellphone (usually under the battery)? Some client side javascript produces a hash which is compared to the server 🙂 actually that’s pretty awesome!

  7. Carson Brown writes:
    No. 7 — March 31st, 2010 at 6:43 pm

    I like where this is going.

    I FINGER that it would be rather hard for a user to PRINT their answer for such questions due to having to carry around the little magnifying glass to READER the ridges.

    Oh, wait, there’s one of those on my laptop. 🙂

«
»