A Review of Real World Security Questions & Answers
Talk Abstract: Security questions and answers have become a popular secondary authenticator for online sites. While security professionals have generally dismissed them as a good choice they don't seem to be disappearing. In this talk Bruce shares his analysis of actual user security question and answer choices that were leaked through three different database dumps in the past year. He uses this real world data to demonstrate where security questions seem to have their greatest weaknesses and discusses how to steer implementations towards providing better security. For comparison we will also look at how the statistics from these environments compare to previous academic studies of security questions. This page contains a link to the slides, and soon the paper, associated with my PasswordsCon 13 talk, A Review of Real World Security Questions & Answers. Here is a link to my presentation slides (PDF). Here's the video of my PasswordsCon session:
For those of you who saw an updated version of this talk at SecKC here is a link to those slides (PDF) with some different data in a few places. Here's the video of my SecKc session:
The paper with more details and research findings will be forthcoming in the next few weeks. If you want to leave a related comment or question please do so over on the PasswordResearch.com blog.