Asking the right questions
Schneier points me to lightbluetouchpaper, which notes a paper analyzing the potential strength of name-based account security questions, even ignoring research-based attacks, and the findings are good:
Analysing our data for security, though, shows that essentially all human-generated names provide poor resistance to guessing. For an attacker looking to make three guesses per personal knowledge question (for example, because this triggers an account lock-down), none of the name distributions we looked at gave more than 8 bits of effective security except for full names. That is, about at least 1 in 256 guesses would be successful, and 1 in 84 accounts compromised. For an attacker who can make more than 3 guesses and wants to break into 50% of available accounts, no distributions gave more than about 12 bits of effective security. The actual values vary in some interesting ways: South Korean names are much easier to guess than American ones, female first names are harder than male ones, pet names are slightly harder than human names, and names are getting harder to guess over time.
Two important take-aways here.
- This is the ceiling on the potential strength of a name-based authentication system, even ignoring other more vulnerable branches of the attack tree. No matter how you do it, it’s just not going to be secure.
- It’s good to see people questioning the status quo and asking the right questions in security research.
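To make the quoted figures concrete, here is a small worked example of my own (not the paper's code or its scripts) computing the two guessing metrics I read those figures as: the success rate of an attacker who makes β guesses in most-likely-first order, expressed as "effective bits" via log2(β/λ_β), and the smallest number of guesses needed to cover a fraction α of accounts. The name counts are a constructed toy distribution, not the paper's data, and the exact metric definitions are my assumption about the paper.

```python
import math
from collections import Counter

# Constructed toy distribution of answers (counts per name); NOT the paper's data.
SAMPLE_NAMES = Counter({
    "james": 40, "john": 30, "robert": 20, "michael": 10,
    "william": 5, "david": 5, "richard": 2, "joseph": 2,
    "thomas": 1, "charles": 1,
})

# A uniform distribution over 256 names: the idealised "8-bit" secret.
UNIFORM_256 = Counter({f"name{i}": 1 for i in range(256)})


def sorted_probs(counts):
    """Answer probabilities, most common first (the attacker's guess order)."""
    total = sum(counts.values())
    return sorted((c / total for c in counts.values()), reverse=True)


def beta_success_rate(counts, beta):
    """lambda_beta: fraction of accounts an attacker breaks with beta guesses
    per question, guessing the most popular names first."""
    return sum(sorted_probs(counts)[:beta])


def beta_effective_bits(counts, beta):
    """Effective security against a beta-guess attacker: log2(beta / lambda_beta).
    8 bits means each individual guess succeeds about 1 time in 256."""
    return math.log2(beta / beta_success_rate(counts, beta))


def alpha_work_factor(counts, alpha):
    """Smallest number of guesses mu such that the mu most popular names cover
    at least a fraction alpha of accounts; returns (mu, coverage)."""
    cum = 0.0
    probs = sorted_probs(counts)
    for mu, p in enumerate(probs, start=1):
        cum += p
        if cum >= alpha:
            return mu, cum
    return len(probs), cum  # alpha not reachable (e.g. alpha > 1)


def alpha_effective_bits(counts, alpha):
    """Effective security against an attacker who wants alpha of all accounts:
    log2(mu_alpha / lambda_mu_alpha), e.g. alpha = 0.5 for the quoted 12-bit figure."""
    mu, coverage = alpha_work_factor(counts, alpha)
    return math.log2(mu / coverage)
```

On the toy distribution three guesses already break more than three quarters of accounts, so its effective security is under two bits; a uniform choice among 256 names scores the full 8 bits regardless of β.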
Next, we need better awareness on the part of designers and developers that name-based authentication is Doing It Wrong.
Plus, they provide a kick-ass theoretical justification for their empirical work, AND they have a page with their raw data and the scripts used to manipulate it.