Thursday, April 28, 2011

Sony PSN: Compromised security questions...

I am not a fan of security questions. My big criticism is that they turn an innocent fact about you into a shared secret: you now have to remember that the street you lived on in first grade gets you into your webmail account, and you must never blog about that favorite childhood memory.


Now the recent Sony PlayStation Network compromise has raised an even bigger problem: the (in this case suspected; Sony isn't sure) compromise of security questions. What do you do if your security-question answers get compromised at a site?

First, you probably have no idea what answers you even gave. The idea behind these questions is that you remember the answers naturally, so you never write them down. So you probably have no idea now which questions you were asked or which answers got leaked.

Second, even if you did somehow know what answers you gave Sony (perhaps you signed up two weeks ago and you have a great memory), do you remember all the other sites you gave the same answers to? Time to go site to site checking (except, back to my first point, you probably don't remember what answers you are checking for).

Third, let's say you remember all that. These answers about you have been compromised and you can't change them: it's your history! This is a problem shared with biometrics; once your fingerprint gets out, you're stuck with just having nine left. Once a fact about you is known, you just have to know not to use it anymore as a secret.

So, security questions just went from bad to worse in my book.

My suggestion: fill in random strings (I use a random password generator or "slap on the keyboard"). Store the answers, along with your passwords, in a good password manager like Password Safe or KeePass, or use the password-saving feature of your browser (I suggest setting a master password if you do so). And if you do forget your password, most sites will still have some way to get it reset the old-fashioned way through customer support.

Some interesting work on security questions:

And finally xkcd: