Palo Alto Networks

Networking company Palo Alto Networks has an example of a website that allows users to pick their own “security” questions:

Empty security question form

As you can see, the questions and answers can range from the unhelpful (given that you’ve forgotten your password) to the obvious:

Tongue-in-cheek questions

I’d be careful about this; it’s never obvious how many correct answers are needed for account recovery, so a single weak answer might be the Achilles’ Heel for the security of your account. Some users might also choose questions that aren’t secrets, like “Who shot J.R.?”, “What is 2+2?”, or “What is the airspeed velocity of an unladen swallow?”

And it’s never obvious how this information is stored. Is it salted and hashed like passwords should be? Or is it available to customer service people in plaintext?

Wondering how the answers are stored

So now to test out the recovery process. An identifier and CAPTCHA to start:


And presumably the user still doesn’t know their password. But they also got the capitalization and punctuation on “No!” wrong:
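The three concerns raised above (how many correct answers are required, whether answers are salted and hashed, and whether a trivial difference such as “No!” versus “no” locks the user out) can all be handled at enrolment and verification time. The following Python is an added illustration, not code from the original post or from Palo Alto Networks; the iteration count, the normalisation rules and the “required” threshold are assumptions you would tune to your own policy.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumption: pick an iteration count that matches your hardware budget.
# Answers carry far less entropy than passwords, so a slow hash matters more here.
PBKDF2_ITERATIONS = 600_000


def normalize_answer(answer: str) -> str:
    """Canonicalise a free-text answer so harmless variation in case,
    punctuation and whitespace does not reject the legitimate user
    ("No!" and "no" compare equal), while the letters and digits are kept."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum())


def store_answer(answer: str) -> dict:
    """Return the record to persist: per-answer random salt plus a PBKDF2 digest.
    The plaintext answer is never stored, so support staff cannot read it back."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer).encode("utf-8"),
        salt,
        PBKDF2_ITERATIONS,
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate).encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def recovery_allowed(records: list, candidates: list, required: int) -> bool:
    """Grant recovery only when at least `required` of the enrolled answers
    match; the threshold is an explicit policy value rather than an unstated one."""
    correct = sum(verify_answer(r, c) for r, c in zip(records, candidates))
    return correct >= required


if __name__ == "__main__":
    # Constructed sample enrolment, echoing the screenshots above.
    enrolled = [store_answer(a) for a in ("No!", "4", "African or European?")]
    print(recovery_allowed(enrolled, ["no", "4", "wrong"], required=2))   # True
    print(recovery_allowed(enrolled, ["no", "5", "wrong"], required=2))   # False
```

Hashing only limits offline guessing of the stored digests; it does nothing for a question whose answer space is tiny (“What is 2+2?”), which an attacker can simply try online. That is the reason a rate limit on recovery attempts, and a requirement of more than one correct answer, belong alongside the storage scheme.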


Didn’t work. Let’s try again. But look, the user has another option to get a password reset email:


So why do we need the security questions at all? They’re just an additional way into your account:


Sure enough, the email was sufficient:

The “security” questions were not needed to recover the account, but just provided an additional way in. So why have them?


Contributed by Per Thorsheim.


Published by

Jim Fenton

I'm a networking technologist who likes to travel, bicycle, run, and various other things.
