The Infinite Idiocy Of The Security Questions
I don't expect that everybody who reads this site will know who Richard Stallman is, but they probably should. "RMS", as he prefers to be called, invented the idea of a "free", which is to say non-licensed, operating system for computers. Stallman's insight was that you don't really own a computer unless you have complete autonomy as to how you use it, and that is only possible with a truly free operating system. (For an example of how a non-free operating system works, try putting a foreign-market DVD into your Windows 10 laptop or Mac OS X system.)
The operating system that he and his associates wrote was meant to be a free replacement for the UNIX operating system, which was the property of Bell Labs, and it was called GNU, a recursive acronym meaning "GNU's Not Unix". The GNU Project never reached its goal of creating c complete UNIX replacement, but when it was combined with the "Linux" operating system kernel written by Linus Torvalds, it became GNU/Linux. Think of the kernel as the engine of a car; a car can't move without it, but you can't drive an engine by itself. You need everything from a frame to a steering wheel to brake pads. Torvalds built the engine; Stallman's crew built the transmission and the wheels and the windows.
As important as GNU/Linux is --- it underpins everything from Amazon to the wireless router in your house --- Stallman's true contribution to computing was the idea of freedom. His approach to computing is utterly socialist, to the point that he refuses to have a password for his accounts. About fifteen years ago, I sat down with RMS for dinner and a discussion in his office at MIT. Never before or since have I had any personal interaction with an intellect as formidable as his. I walked away thinking that Stallman was probably smarter than I was, an impression that I didn't recall ever having before.
The purpose of these opening paragraphs is to make the case that the smartest man in computer science doesn't think we should have passwords. It helps explain why the people on the other side of the argument are often so mind-numbingly stupid.
Until relatively recently, security was the central Florida of computer science, a swampy wasteland mostly populated with bumpkins. The brilliant people worked on operating system kernels, real-time computing, parallel computing, and clustering. Security was always the last department to receive any funding or any attention. Think about it. Which accomplishment would you rather have on your resume: doubling the performance of a new system, or an assertion that nobody hacked a particular system while you were responsible for its security?
As a consequence, if there were any truly bright bulbs in the security game, they were on the other side of the equation, in the "black hat" world. You could earn $80,000 a year working at JP Morgan Chase in the security department; you could make millions of dollars in an afternoon if you could break the bank, so to speak. There's also the minor fact that pretty much every major government in the world has an obvious and pervasive interest in being able to decrypt communications and snoop on network traffic.
The NSA, as an example, has multiple Cray systems in Utah, each with over one million processors, basically devoted to breaking encryption and privacy schemes. Don't be fooled by the recent brouhaha over the San Bernardino shooter's iPhone; if it was a matter of true national interest, rather than an example of militant Islam that is profoundly inconvenient to the powers that be during an election year, that phone would have been unlocked and examined within minutes after recovery.
For all the reasons above, and many others, it's a very good idea to assume that you have no security whatsoever when you operate a computer. Assume that every email you've ever written is in the custody of a collating agency of some type. Assume that your Chinese-made laptop will respond to remote commands from its maker, from Microsoft, or from the Chinese government. Assume that your phone listens to you all the time, because it can. Assume that your Amazon Alexa or Tap device listens for keywords and sends them to Amazon. Don't expect security or privacy on the Internet. It doesn't exist, unless you are willing to use the equivalent of a "one-time-pad" on every communication. Even then, I'd be very careful about betting that your one-time-pad is so random that the NSA's million-processor Cray can't calculate it. Computers can't actually create random numbers, you know... or maybe you didn't, but I'm going to fill you in on that.
When you log into your "secure" bank website, you're relying on the all of the following things to be secure:
* Your physical location. If I can see you, I can see what you're typing. If I can hear you type for fifteen minutes, I can remotely "see" what you've typed. * Your computer hardware. It was made in China by a partner of the Chinese government. It contains millions of transistors and ten million lines of BIOS code. Have you reviewed all of them? * Your operating system. Was it created by a corporation? Have you seen the source code? Do you know what it actually does? * Your browser. Has it been compromised? (The answer, 99% of the time, is yes.) * The HTTPS protocol and its underlying encryption itself. LOL. * Between five and fifty routers on the Internet. All of which were made by companies that have multiple partnerships with each other and with various governments, and many of which route a copy of your data to the NSA for investigation. * The physical hardware of the bank server. * The operating system of the bank server. * The webserver of the bank server. Webservers are hacked more often than any other commonly used program. * The in-house software at the bank, which more often than not is written by foreign nationals whose allegiance is to India or China and who are usually controlled very closely by "body shops" like Wipro or Accenture. * The various mainframe facilities that supply the bank website with information. This is the most secure step in the whole process, by far. But it's not perfect.
You're a fool if you think that the mess of spaghetti listed above is truly "secure" in any way. I haven't even begun to discuss quantum computing, which will essentially end encryption as we know it. A sufficiently complex quantum computer could instantly break anything short of a truly random one-time pad. True security, therefore, only comes from human interaction. From what they call "sanity checks". Did Bob really just reach out from Russia and empty out his savings to a numbered account in the Cayman Islands? Probably not.
What I want you to understand, therefore, is that everything you see on the Internet related to security is merely security theater. It's about as effective as the TSA. Which is to say that your idiot neighbor probably won't be able to figure out how to login to your bank account, the same way you can't run through the airport security line waving an AK-47 and expect to be permitted to board. It primarily protects you from the random malice of extremely stupid people.
Or it would, if it wasn't for the superbly moronic institution of the "security question". Let's get this part out of the way: there is no reason for the security question to exist. Not the way it's implemented at most website. A security question, when used properly, can be helpful. PEER1 and Rackspace, as an example, use security questions to authenticate requests for phone support. The security question, in those cases, is one that you provide. As an example, your Rackspace security question could be, "What's the pinkest brown?" and the answer could be "867-5309". It's a true shared secret. Of course, it's stored on the Rackspace systems, which means its vulnerable. But as a good way to authenticate a voice on the phone that's asking you to reboot a server or add a credential, it's not bad.
The typical security question implementation, however, is not anything like that. Let's use the one at the OhioHealth PatientConnect portal as an example of how not to do it. Any time you have a bill at the OhioHealth hospitals, they add it to your existing account and you have to use this system to pay it. Naturally, you have to use you existing username and password. So, as an example, when I broke my leg and had to pay the bill, I had to use the username and password that I set up back in 2012.
There's no way I'll remember that. So I ask for a reset link, which takes me to security questions. Now, I don't remember how I set up my security questions back in 2012, but it can really only be one of two ways:
0. I gave honest and correct answers to the security questions. In which case, anybody who has ten minutes to research on the Internet can get that information and pretend to be me. Where was I born? It's on Wikipedia. My mother's maiden name? Easy to figure out. The name of my first pet? I don't actually remember.
1. I made things up that aren't the right answers at all, to prevent somebody from gaining access to my account. If I did that, then what I've done is to create three extra passwords for my account that never change or expire and which have to be stored somewhere. Of course, none of those passwords meet the various ridiculous standards that don't help anyway.
There's also a third possibility, which is that I put "fuckyou" as the answer to a security question. But since OhioHealth's system won't let you give the same answer to all three questions, it was probably
fuckohiohealth Fuckohiohealth FUckohiohealth
But which was which?
In the end, there's only one thing to do: call and wait on hold for 38 minutes until I can get a person from India on the phone. He will ask me the security questions. I will tell him that I don't know. This will confuse and upset him. How can I not remember the name of the street on which I grew up? "Because I lived twelve different places before I graduated from high school," I'll snap at him, because now we're heading towards the 45-minute mark. Finally he'll reset my account. I'll choose three fake new answers to my security question and put them in a cloud account where any bored sysadmin with time on his hands can grab them and decrypt 'em with commonly available tools.
All of this, mind you, is so I can log in and pay my overblown post-Obamacare health bills, which have averaged over $7000 out of pocket every year since the ACA went into effect. Is it any wonder that a significant number of people just don't bother? If the process is frustrating to a reasonably experienced computing scientist with a Prometheus-Society-level-IQ and the ability to sit on hold for 38 minutes, what's it like for a working single mother who cleans houses for a living and parents three kids in a townhouse?
The answer, of course, is that it's less frustrating, probably. Because our imaginary 110-IQ single mom just answers the questions honestly. For OhioHealth. For Amazon. For Huntington Bank. For shopping sites. Her password is her first child's name, capitalized with a number and an exclamation point: Brittanee1!. So she truly has no security whatsoever. The system is even more broken for her than it is for me. Her only saving grace is that she has nothing worth taking.
If she was permitted to follow Richard Stallman's advice and use a blank password, she'd probably be more security. Because then society would have to adjust its ideas around "identity theft" and the like to acknowledge that the only true way to know that somebody is who they say they are is to put that person in front of somebody who knows them. Just you watch. We're headed back that way. Maybe not immediately. In twenty years, however, the idea of using a password and a security question to access your bank account will be as old-fashioned as the Frank Abagnale days when you could print your own checks and get money for them at a teller's window. We're just going to have to break a lot of eggs to make that omelet. And mark my words, dear readers: some of those eggs will belong to you, and to me. But not to Richard Stallman. He got a MacArthur grant, and something tells me he took it in cash.