Secret Questions, and why they're a problem

Mar 17, 2009 13:24

[this is a public post]

I'm seeing a lot of misinformation going around LJ regarding the security of LiveJournal accounts, so I want to take this opportunity to correct it.

Myth: Setting a secret question will make your account more secure.

This is false. Secret questions are not intended to make your account more secure; they're intended to give you, the owner, an additional means of getting access to your account in case you forget your password and no longer have access to either your current email or any previously validated email address on your account. Because of this, setting a secret question actually makes your account less secure, by design.

The way secret questions work is that if someone goes to the Lost Information page, LJ will send a password reset email to either the current email on your account, or an email address that was previously validated on the account if you specify one. It will not send email to any other destination, for security. This email does not require answering the secret question even if one is set, so anyone with access to one of these email addresses does not need to know the answer to your secret question to hijack your account.

Once the email has been sent, if the account is not logged into for 5 days, the attacker can return to the Lost Information page, enter the username again, and this time they will be asked for the answer to the account's secret question. Once this answer is given, the password can be reset.

Thus, if you use a secret question to which the answer is easy to find out (even from, for example, the posts on your journal itself), and do not regularly log in to your account (or even just go on vacation for a week with no Internet access), your account is subject to hijacking. For this reason, any secret question set should not have an answer that is easy to figure out. The best answer to a secret question is one which has absolutely nothing to do with the question.

Please note that logging in means just that - logging in from the login page. Simply using the site does not count as logging in for the purposes of the secret question, so if you get a password reset request you didn't make, you should log out and then back in again to cancel the request.

It should also be noted that the Lost Information request can be sent to any previously validated address on your account, not just to the current address. Therefore, if you set a secret question, you must check your previously-validated addresses regularly in case a hijacker sends a Lost Information request to one of them. (Although if you log into your account within those 5 days, even if by accident, you would cancel the request.) This could be a problem if you are on vacation with only email access, as you could be at risk if you have previously-validated addresses on your account and a secret question set.
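To make the two-step flow above concrete, here is an added model of it (my own example code, not anything from LiveJournal): a Lost Information request to a current or previously validated address, a 5-day wait before the secret question becomes usable, and any login cancelling the pending request. The account name, addresses and dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set

# Waiting period before the secret question becomes usable (from the post).
WAIT_PERIOD = timedelta(days=5)


@dataclass
class Account:
    username: str
    current_email: str
    previously_validated: Set[str] = field(default_factory=set)
    secret_answer: Optional[str] = None        # None means no secret question is set
    pending_since: Optional[datetime] = None   # when the reset email was sent


def request_lost_info(acct: Account, email: str, now: datetime) -> bool:
    """Step 1: mail goes only to the current or a previously validated address."""
    if email != acct.current_email and email not in acct.previously_validated:
        return False                           # no other destination is ever used
    acct.pending_since = now
    return True


def login(acct: Account) -> None:
    """A real login (not merely browsing the site) cancels any pending request."""
    acct.pending_since = None


def secret_question_reset(acct: Account, answer: str, now: datetime) -> bool:
    """Step 2: only after the wait, with a question set and the right answer."""
    if acct.secret_answer is None or acct.pending_since is None:
        return False
    if now - acct.pending_since < WAIT_PERIOD:
        return False
    return answer == acct.secret_answer


def vacation_scenario(secret_answer: Optional[str], away_days: int,
                      login_on_day: Optional[int] = None) -> bool:
    """Defender check: a request is sent on day 0 of an absence of `away_days`;
    the owner logs in once on `login_on_day` (or never). Returns whether the
    secret-question reset goes through at the end, assuming the answer is
    guessable, which is the worst case the post warns about."""
    t0 = datetime(2009, 3, 17)                 # constructed start date
    acct = Account("example_user", "owner@example.com", secret_answer=secret_answer)
    request_lost_info(acct, acct.current_email, t0)
    if login_on_day is not None and login_on_day <= away_days:
        login(acct)                            # cancels the request, whatever the day
    return secret_question_reset(acct, secret_answer or "", t0 + timedelta(days=away_days))
```

Running `vacation_scenario("fluffy", 7)` shows the week-long-vacation case from the post going through, while a login on any day inside the window, or having no secret question at all, makes the same attempt fail.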

Alternatively, you can delete your previously validated addresses - and I'll talk more about that in a moment.

However, the best account security can be achieved by not having a secret question at all, and if you use an email address provided by a free email service online that recycles old usernames, this is the best course of action to take. (Examples of these include Hotmail and Yahoo, I believe.) If you already have a secret question, don't worry - you can delete your secret question by simply going to the Secret Question page, entering your password, and clicking the Delete button.

Myth: Setting a secret question can protect you in case your account is hijacked.

This is also false. The owner of an account (read: anybody who has access to the account and who knows the account password) can change or delete the secret question at any time, and even if this wasn't the case, there is still the built-in 5-day waiting period during which the hijacker can simply log in to stop you from getting to use the secret question. As stated above, the point of the secret question is to allow an extra avenue into your account in case it's needed, not to provide extra security.

Myth: Deleting addresses that are previously validated will always increase your account security.

This is only sometimes true. A hijacker will be able to send the Lost Information request to any previously validated address on your account simply by specifying the old email address. In normal circumstances, this doesn't matter since the hijacker would not have control over the address. However, if you have set a secret question, you are still vulnerable to a secret question hijack if you do not check your previously-validated addresses, even if you control the address in question. This is especially true if you do not log in regularly. This is true because, as described above, the secret question method becomes usable 5 days after the email has been sent, and is cancelled by any login to the account. If you do not see the email that's sent because it's sent to an address you don't check, it's possible that you might not log in in that time.

If you no longer have control over your previously validated addresses, you should always delete them when possible. This will prevent a hijacker from taking over one of these addresses and using it to access your account.

However, if you do not have a secret question set, or you are absolutely sure that the answer to your secret question is secure, then you should only delete those email addresses that are no longer under your control, and no others. The reason for this is that if your account *is* hijacked in some way, these email addresses can be used to help you regain access to your account, and they may be the only such methods of doing so, if the hijacker also took control of your current email account (which is quite possible).

However, with the advent of the ability to delete old email addresses as long as your currently validated one has been in use for more than 6 months, it is possible that an account hijacker could delete your previously validated email addresses quite easily, too. The optimum security, therefore, is gained by having two email addresses that you control and having one of those (a secondary email address) listed as the first validated address on the account. Every 6 months, check whether you can still access this address. If you can, you should delete this address from the 'validated' list, change your LJ email address to that address and validate it, and then after validation switch back to your normal one, which will render the first email address undeletable again. Do not do this unless you have verified that you can still access that address. If you do not have access, you should instead delete that address and find another address to use.

By doing the above, you will ensure that your backup address will never be deletable by account hijackers (and thus will remain usable as a backup address to send Lost Information mails to in case your primary email account is also hijacked) until hopefully a couple of months after the hijack itself, which should give you enough time to regain control of the account and make it secure again.

Feel free to link this post elsewhere; it's public and will remain so.

security, public, livejournal, big posts, psa
