I previously ranted about strange password restrictions that disallow usage of special characters such as spaces or alphanumerics. This time I want to complain about another boneheaded security feature out there – word length restrictions on your “secret” password recovery question. I was recently creating a Microsoft Live Passport account to register Visual Studio Express 2008 copy. Yeah, laugh all you want but PerfMonG is written in C# and it won’t maintain itself no matter how hard I try to ignore it. At some point during registration I saw this:
Don’t get me wrong. I’m all for keeping things more secure, but restricting the secret answer to strings of more than 5 characters is a bit silly. For starters, let’s consider pet names. I don’t know about you, but I find that most of them are relatively short. For example I did a quick google search of most popular dog names and I stumbled upon this ranking:
It turns out that half of the top 10 most popular dog names are shorter than 5 characters. If you look down that list, this trend continues. So roughly half the people won’t be able to use their pet name as their secret question, or will have to figure out a way to make it longer (for example by adding their last name) by simply adding confusion. Same goes for the childhood friend option. You may remember that your best buddy from the playground was named Bob, but will you always remember his last name was Szczebrzeszyński? Will you remember how you spell it? Hell, if on top of all this the place of your birth is Ido, Japan then you are totally fucked.
Now you are forced to make up answers – ones that you won’t remember 3 years from now when you need to recover your password making them absolutely useless. This minimum length limit is silly, because these hints are not really designed to be secure. Anyone can find out the name of my first pet, or the birthplace of my mother. It’s really not a secret, and it can easily come up in a casual conversation. The whole point of them is to provide another layer of protection for your account so that the attacker has to have both the secret answer, and access to the email account you used to open the service. Brute forcing the secret answer should not be a concern, because they’d be incredibly vulnerable to dictionary attacks anyway.
So why won’t you let us to use answers that are as short, or as long as we like or stop using them altogether. Otherwise it is just counter productive as people won’t be able to remember what they typed in to pad their answers to meet your arbitrary minimum length limit.
[tags]minimum lenght limit, secret answer, secret question, password recovery[/tags]