Ashley Madison, a website that facilitates affairs for married people, has gotten considerable publicity recently because of a breach of its user database. Per Thorsheim (@thorsheim on Twitter), the organizer of the PasswordsCon conferences, checked out the Norwegian version of Ashley Madison and found the following “security” questions, the last of which is the interesting one:
- What is your mother’s maiden name?
- What is the name of the middle school you went to?
- What is your favorite team?
- What are the 4 last digits of your social security number?
The last question, fairly common in the US, works differently in Norway. Their ID numbers have the following characteristics:
- 11 digits
- First 6 digits are date of birth
- The next 3 are an individual number, drawn from a block of 500 values whose range depends on the century of birth
- Last two are check digits (calculated from the rest)
- Gender is encoded somewhere
So if you know the target’s date of birth (often easy to find on Facebook, genealogy databases, etc.), there are immediately only 500 choices. There are also services that can tell whether a given number is in use, which cuts the number of choices down even further, especially for older members of the population, who don’t share a birth date with as many other living people.
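As an added illustration (this is example code, not something from the post), here is a small Python script that measures how little the “last 4 digits” question protects once a birth date is known. It assumes the public mod-11 check-digit weights of the Norwegian number, a mapping of the 500-value individual-number block to the century (000–499 for 1900–1999, 500–999 for 2000–2099), and that gender is the parity of the third individual digit; the post does not give any of these details, so treat them as assumptions of the example.

```python
from math import log2

# Weights of the two mod-11 check digits of the Norwegian national ID number
# (fødselsnummer). Assumed here from the public algorithm; the post does not
# state them.
K1_WEIGHTS = (3, 7, 6, 1, 8, 9, 4, 5, 2)
K2_WEIGHTS = (5, 4, 3, 2, 7, 6, 5, 4, 3, 2)


def _mod11_check_digit(digits, weights):
    """Return the mod-11 check digit, or None when it would be 10 (no valid number exists)."""
    remainder = sum(d * w for d, w in zip(digits, weights)) % 11
    check = 11 - remainder
    if check == 11:
        return 0
    if check == 10:
        return None
    return check


def individual_number_range(year):
    """Block of 500 individual numbers for a birth year (assumed century mapping)."""
    if 1900 <= year <= 1999:
        return range(0, 500)
    if 2000 <= year <= 2099:
        return range(500, 1000)
    raise ValueError("century not modelled in this example")


def build_number(year, month, day, individual):
    """Assemble DDMMYY + individual number + two check digits, or None if no check digit fits."""
    prefix = f"{day:02d}{month:02d}{year % 100:02d}{individual:03d}"
    digits = [int(c) for c in prefix]
    k1 = _mod11_check_digit(digits, K1_WEIGHTS)
    if k1 is None:
        return None
    k2 = _mod11_check_digit(digits + [k1], K2_WEIGHTS)
    if k2 is None:
        return None
    return prefix + f"{k1}{k2}"


def answer_space(year, month, day, gender=None):
    """Size of the answer space for 'last 4 digits of your ID number' once the birth date is known.

    gender: None, "F" or "M". Assumes the third individual digit is even for
    women and odd for men (the post only says gender is 'encoded somewhere').
    """
    distinct_answers = set()
    valid_numbers = 0
    for individual in individual_number_range(year):
        if gender == "F" and individual % 2 != 0:
            continue
        if gender == "M" and individual % 2 != 1:
            continue
        number = build_number(year, month, day, individual)
        if number is None:  # a check digit would be 10: this value is never issued
            continue
        valid_numbers += 1
        distinct_answers.add(number[-4:])
    bits = round(log2(len(distinct_answers)), 2) if distinct_answers else 0.0
    return {"valid_numbers": valid_numbers,
            "distinct_answers": len(distinct_answers),
            "entropy_bits": bits}


if __name__ == "__main__":
    # Constructed birth date for the demonstration, not a real person.
    for g in (None, "F", "M"):
        print(g, answer_space(1990, 1, 1, g))
```

The counts are the output of interest, not the candidate numbers: the block of 500 individual numbers shrinks by those whose check digit would come out as 10, and the distinct last-4 strings among the rest amount to under nine bits of entropy before an in-use lookup or knowledge of the person’s gender shrinks it further. That is the figure to compare against whatever lockout or rate limit stands in front of the question.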
This shows that in designing “security” questions, it isn’t good enough just to translate the text of the question. In some other countries, the mother’s maiden name wouldn’t be a good choice either, because it forms part of the child’s own name.