Insecurity Questions

Ashley Madison (Norway)
Ashley Madison, a website that facilitates affairs for married people, has gotten considerable publicity recently because of a breach of its user database. Per Thorsheim (@thorsheim on Twitter), the organizer of the PasswordsCon conferences, checked out the Norwegian version of Ashley Madison and found an interesting “security” question:

There is a single security question with a choice of (only) four prompts, which in English are:

The last question, fairly common in the US, works differently in Norway. Their ID numbers have the following characteristics:

So if you know the target’s date of birth (often easy to find on Facebook, genealogy databases, etc.), there are immediately only 500 choices. There are also services that can tell whether a given number is in use, which cuts the number of choices down even further, especially for older members of the population who don’t share a birth date with as many other living people.

This shows that in designing “security” questions, it isn’t good enough just to translate the text of the question. In some other countries, the mother’s maiden name wouldn’t be a good choice if it’s part of a child’s name.