John Muir Health

I visited the doctor yesterday, and was told that they have a new online portal to use to interact with them, including retrieving test results and the like. I was encouraged by the enrollment process: they gave me a form with a 15-character activation code to establish my account. This was significantly better than similar systems I have been asked to enroll in in the past.

After entering my enrollment code, birth date, and postal code, I was able to create an account. But imagine my disappointment when I reached the requirement to provide the answer to a “security” question. Here were the choices:

[Screenshot, 2019-04-11: the list of security question choices]

The answer to many of these questions is readily available (high school graduation date and mascot and undergraduate college, for example). For many people, whose wedding pictures are on Facebook, the location of their wedding reception is not a very well kept secret. And how much entropy would many of these questions (such as musical genre) have?

As is often the case, I don’t have a clue about how these questions/answers will be used: to reset a password, or will additional evidence be required for that? So, as usual, I gave a non-answer to one of the questions and continued.

The final disappointment was that there seems to be no option for two-factor authentication. Health data is often among the most sensitive data about a person, and there’s no excuse for a standard health portal not to have two-factor authentication at least as an option.

By the way, since I will never be using this as a security answer, my high school “mascot” is the Mountaineer.


Transport for London

Having recently returned from a trip to London, I thought it might be nice to register my “Oyster” card (the contactless card one can use on the London Tube, buses, etc.). That way I could potentially look at my balance and perhaps top up my card before my next trip.

The process for registering an Oyster card is complex. After asking for your card number, they want to confirm a recent trip you made with the card (presumably to prevent someone from registering a card they find somewhere). Fortunately, I was able to remember what station I started my last trip at, and passed that step.

Next they ask you to create a card security question and answer:

[Screenshot, 2018-04-06: card security question choices]

As has been frequently discussed, one’s mother’s maiden name is often readily obtainable, so this is a poor choice. That leaves a memorable date or place. These hardly seem specific enough — would I pick my birth date/place, wedding date/place, child’s birth date/place, or something else? This is not likely to be helpful in some later telephone conversation. It might as well just ask me to pick a password.

So having picked a nonsensical “memorable place”, they now ask for “Your details”, which includes name, address, telephone number, etc. It also has you choose a password (weak requirements here, only 6 characters with composition rules) and a six-digit security passcode for when you call their customer service (wasn’t that what the security question was for?). And then — another security question!

[Screenshot, 2018-04-06: second set of security question choices]

Again, poor choices: either readily discoverable answers if truthful (childhood nickname, location of first birthday, town of first job, name of first pet) or few likely choices (type of TV show: comedy, drama, action, …?).

It’s not at all clear what the relationship of this security question is to the one asked earlier. Presumably if I called their customer service I’d just have to answer whatever question they ask.

So again having made a creative answer to one of the questions, I tried to create an account. It turns out that you have to have a UK postal code to register your card; my California ZIP code won’t do. It would have saved me a lot of time if I knew that up front.

United Mileage Plus

Yesterday, Yan Zhu (@bcrypt) pointed out on Twitter that United Airlines’ Mileage Plus program has started collecting answers to security questions. They have a new twist: you must select your answer from a menu.

United wants the answers to five questions, chosen from a list:


These are somewhat creative questions, which is good because they’re less likely to be shared with other sites that could be compromised. But what’s also interesting is that one of the questions Yan tweeted about, “What is your favorite pizza topping?” does not appear here. Perhaps United is presenting different question choices to different people, or perhaps they agreed that mashed potato was too strange a choice to have.

What really stands out about what United is doing here is that the answers, rather than being typed by the user, must be chosen from a list. As I pointed out in an earlier post analyzing the security answers in the Ashley Madison database, there is a lot of variation in the way these questions are answered, and it’s not possible to store the answers as a salted hash (as one should for passwords, which is what these really are) and allow a fuzzy match. For example, someone who went to Central High School might enter “central”, “Central”, “Central HS”, etc., or they might spell the answer wrong entirely. Choosing an answer from a list instead removes that problem.

But what other problems are introduced? The most obvious is that the number of choices (and therefore the amount of entropy, or randomness, in the answer) is limited. Here is the number of choices offered for each of the questions:

  • Favorite vacation type: 17
  • Best friend’s birthday month: 12
  • Favorite sport: 54
  • Favorite ice cream flavor: 44
  • Month met spouse/SO: 12
  • What you wanted to be: 91
  • First car: 116
  • Favorite sea creature: 38

and so forth. In the best case (if the answers are equally likely), the probability of guessing the right answer is 1/N. But these answers are far from equally likely: there are going to be many more people whose first car was a Chevrolet than a Tesla. And, as with many security questions, that assumes that the answers aren’t obtainable elsewhere, such as social media. It’s far more likely that someone who has posted a picture of their pet greyhound on Facebook is going to cite that as their favorite dog breed than, say, a Treeing Walker Coonhound.
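To put numbers on the “best case is 1/N, but answers are far from equally likely” point, here is an added worked example (not from the original post) using the choice counts listed above. The skewed distribution for “First car” is constructed: it assumes one make (say Chevrolet) accounts for 25% of answers and the other 115 share the rest evenly, and it shows why min-entropy, not Shannon entropy, is the figure an attacker’s guessing odds actually depend on.

```python
import math

# Number of answer choices United offers per question (counts from the post).
CHOICES = {
    "Favorite vacation type": 17,
    "Best friend's birthday month": 12,
    "Favorite sport": 54,
    "Favorite ice cream flavor": 44,
    "Month met spouse/SO": 12,
    "What you wanted to be": 91,
    "First car": 116,
    "Favorite sea creature": 38,
}

def uniform_bits(n):
    """Entropy in bits when all n answers are equally likely (the 1/N best case)."""
    return math.log2(n)

def shannon_bits(probs):
    """Average information in the answer; overstates attacker effort when answers are skewed."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def min_entropy_bits(probs):
    """Work facing an attacker who always tries the single most popular answer first."""
    return -math.log2(max(probs))

def guess_success(probs, tries):
    """Chance of hitting the answer within `tries` attempts, most popular answers first."""
    return sum(sorted(probs, reverse=True)[:tries])

def skewed(n, top_share):
    """Constructed distribution: one answer holds top_share, the other n-1 share the rest evenly."""
    return [top_share] + [(1 - top_share) / (n - 1)] * (n - 1)

def compare(question, top_share, tries):
    """Uniform best case vs. a constructed skew for one question, given `tries` guesses."""
    n = CHOICES[question]
    skew = skewed(n, top_share)
    return {
        "uniform_bits": round(uniform_bits(n), 2),
        "shannon_bits_skewed": round(shannon_bits(skew), 2),
        "min_entropy_bits_skewed": round(min_entropy_bits(skew), 2),
        "p_guess_uniform": round(tries / n, 4),
        "p_guess_skewed": round(guess_success(skew, tries), 4),
    }

if __name__ == "__main__":
    print(compare("First car", top_share=0.25, tries=3))
```

With the constructed 25% skew, three guesses at “First car” succeed about 26% of the time instead of the 2.6% the 1/N figure suggests; the Shannon entropy barely moves (about 5.9 bits) while the min-entropy drops to 2 bits.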

Many of these questions don’t evoke obvious answers for me. Favorite artist? I like many. Favorite flavor of ice cream? Depends on what mood I’m in.

The use of specified answers also keeps users from supplying nonsense answers to the questions, which can be considerably more secure than direct answers to the questions.

In conclusion, United seems to have traded one problem (imprecise answers to security questions) for some others (low entropy, low memorability of the correct answer). United is giving us 30 days to complete the security questions (and change our password, by the way) before this becomes mandatory. Let’s hope there is enough of an outcry to convince them that this is an ineffective technique that potentially degrades, rather than improves, security.



Cisco Online Benefits Management

Cisco Systems, my former employer, has an external-facing website* to allow employees, and others like me that still receive benefits (e.g., insurance) from them, to manage their benefits online. I recently discovered that I didn’t have a username/password for their site, so I requested and received a temporary password via postal mail to establish my online account.

After finding out, by calling their telephone support line, that the temporary username to go with that password is my social security number, I logged in and, as expected, was told that I needed to change my username and password on the site.

I chose and entered a new username and password (twice each) and entered my temporary username and password to authenticate the change. Uncharacteristically, I hadn’t read the fine print, which included:

[Screenshot, 2015-12-03: username rules shown after the change was rejected]

Apparently they are treating the user ID as somewhat secret, rather than just as an identifier. On the third try, my username change was accepted. But all this time, I was entering my old and new passwords, and as soon as the username was accepted, I got the following message:

[Screenshot, 2015-12-03: password length rule, six to nine characters]

Six to nine characters, in this day and age? Eight is a more acceptable minimum, and it’s not clear why there should be a maximum at all. So I shortened my password to nine characters:

[Screenshot, 2015-12-03: password rejected for containing special characters]

Only six to nine characters, AND no special characters allowed? Why didn’t they tell me that before? Maybe I should have chosen a more random username!

At this point I can’t remember how many times I have had to enter my temporary password, but eventually I got a password that was acceptable.

You probably think I have forgotten that this blog is about [In]Security Questions. But that’s of course what came next:

[Screenshot, 2015-12-03: challenge question setup with seven prompts]

All three challenge questions used the same list of seven prompts, and I would be hard pressed to find three of the above that can’t be easily discovered unless I just make something up. But there’s a bright spot: the first question asks whether you want this form of recovery at all. I said “No” and didn’t have to do the rest. Hurray! It’s much better to do this than to fill in, and then have to manage and perhaps lose, made-up answers to the questions.

So while I would give this site very poor grades for their username/password rules, if they have to have recovery questions at all, making them optional is wonderful.


* To be fair, Cisco contracts out their benefits management, so while it’s a Cisco-branded website, it’s really run by a contractor (Xerox Services, apparently).



Security Question Humor

McSweeney’s Internet Tendency, a daily humor website, has published several articles poking fun at password rules and security questions. The latest, which I highly recommend, is a list of nihilistic password security questions.

Along a similar vein, about a year ago McSweeney’s published security questions for single, childless people.

Like articles from The Onion that leak over into the mainstream press, I’m anxiously waiting for some of these questions to appear on actual websites. Be on the lookout for them!


Delta Air Lines

I recently got a mailing implying (but not actually saying) that some of my frequent flight miles on Delta were about to expire, so I thought I should check my status online. Very surprisingly, I didn’t have an online account associated with my frequent flight account, so I got exposure to another registration process.

I eventually got to a page where I could reset my password (I guess there aren’t enough people in my situation to have a separate “set your password” page):


These days, a 6-character password is far too short, and it’s uncommon not to permit special characters at all. The minimum should be at least 8-10 characters. The bright spot is in the fourth bullet where they imply that they are checking submitted passwords against a corpus of common passwords. This is an excellent practice if, in fact, this is what they are doing. I didn’t try any common passwords to check.

Naturally, this was followed by a requirement to answer a couple of security questions:


The best I can say is that there weren’t any particularly ridiculous questions (besides the perennial “first pet”), and about half the questions were a little unusual and travel themed. They shared many of the problems of more usual questions (you might be able to figure out the coolest landmark I have visited from my travel blog, so I didn’t use that one), but at least they are less likely to be shared by many other sites one registers with.

By the way, my miles weren’t expiring; the mail I received just wanted to have me use some of them to buy magazines.


Quest Diagnostics

A recent healthcare experience pointed out issues with both security questions and knowledge-based authentication used to associate my account with my in-person activities.

I recently had some lab work done in connection with my annual physical examination, and as I have many times in the past, went to a nearby Quest Diagnostics center to have my blood drawn. What was new this time was that in the usual email asking me to answer a survey on my experience, Quest now offers the opportunity to view my test results. I get this information from my doctor, but thought I’d check it out.

The email had a link to their website, but the personalization of the link appears to only be used for tracking responses; it redirected me to a generic registration site. This means that they missed the opportunity to use the email link to get some additional assurance about who I am.

The registration page was minimal, with standard password rules and only two “security” questions:


What was disappointing was the availability of only 5 fairly standard prompts, with question 2 using the same ones (with the chosen prompt eliminated). The questions had the usual problems, ranging from ability to make an educated guess to low entropy (particularly in the case of father’s date of birth).

Following the account setup there was an attempt at identity proofing using dynamic knowledge-based authentication (dynamic KBA). I was asked the last 4 digits of my social security number (apparently to confirm who I claimed to be in the event of a name collision), which I declined to provide. I was then presented with three multiple choice questions, with 5 choices per question:

[Screenshot: three multiple-choice KBA questions]

The answer to the first question, of course, is on LinkedIn. The former address in the second would have been easy to obtain from the Internet Archive. The third answer could have been determined by someone who knew where I grew up, since they’re assigned geographically. Or they could just guess.

Once I completed this, my account was set up. I was particularly unimpressed with the weak dynamic KBA. The best I can say is that I’m glad I created my account so nobody else could do so.