System for Award Management – then and now

About three years ago, the startup I was working for was bidding on a US Government contract, and that required us to register with what at the time was called Central Contractor Registration (CCR). The “security” questions were notable enough that I kept a record of them at the time, which I ran across recently.

Then

The old registration required that I supply the answers to five security questions. This is more than I have seen anywhere else:

CCR question prompts

Fortunately, although the prompts were the same for each of the questions, there was a long list of prompts from which to choose:

CCRq1

The list was long enough that I had to scroll down to see the whole thing:

CCRq2

While having a longer list of questions is helpful (and probably essential, if five questions are involved), there isn’t really anything new here, and some questions have little entropy, even among those whose answers can’t be found on social networking sites.

I also captured some of the password requirements:

BPNpassword

Fairly standard, but unfortunately I didn’t capture the “additional password rules” (despite a search through Internet Archive).

Now

CCR has been incorporated into GSA’s System for Award Management (SAM) [sound like someone’s uncle?]. The process is somewhat different, and more conventional now, with three “security” questions. I suppose the answer to a “Security Question” is a “Security Answer”:

SAMfields

All three questions draw from the same, shorter, list of prompts. Nothing unique here:

SAMquestions

One thing they do that I haven’t seen elsewhere is display a popup that explains why they’re asking for this. A nice gesture for the 0.01% of people who don’t already know:

SAMexplanation

Note the “one or more”. Your account could be taken over by someone knowing only one of these answers. Scary.

The username/password rules are interesting too.

SAMpwrules

Why the 15 character upper limit? As a rule, longer passwords are better, so why not let users use longer ones? Longer passwords don’t take any more storage space than short ones once they are hashed, and they are hashing the passwords, aren’t they?

Update 29 August 2015: I ran across a podcast talking about “the worst government websites on the internet” that cited SAM as their poster child of bad government websites. Their issues apparently aren’t limited to their use of security questions.

eDisclosure

As a member of my small city’s Bicycle and Pedestrian Advisory Commission, I am required by California Law once a year to disclose any conflicts of interest I may have. The City has recently adopted eDisclosure, a system to allow us to file those disclosures online.

I was sent a temporary password with which to create an eDisclosure account. It required that I change my password immediately, and had a moderately aggressive set of password rules:

eDisclosureRules

But it also required me to answer a single “security” question, and none of the prompts inspire confidence in the security of this system:

eDisclosureQ

“What is your favorite season?” has to be one of the lowest entropy questions I have seen yet. Of course, there are four seasons, so if they are equally popular that is a whopping 2 bits of entropy. Of course, there are other answers, like “ski”, “strawberry”, and “football”, but I only thought of those once I realized how few choices there seemed to be. Many will just answer, “spring”.

My favorite season, of course, is unpronounceable.

Contributed by myself (Jim Fenton)

California Department of Motor Vehicles

I recently got to renew my driver’s license online rather than go to the Department of Motor Vehicles office. Naturally, this required that I create an account at the DMV, and of course they had security questions for me to supply answers to. Two sets this time, but both with the same list of prompts:

DMV question prompts

Having only one list of questions of course is more limiting: you need to pick 2 out of 10 questions to answer (truthfully or not). There is a little creativity here: the question about the prom is not one I have seen elsewhere. But the question about who you voted for is terrible, since a 50 year-old person may have voted in only 7 presidential elections, and most likely voted for one of two people (immigrants have the possible advantage of unusual answers here). This narrows down further if you can estimate the person’s age, since they likely first voted close to the time they became eligible. So no more than 4 bits of entropy here, and perhaps less.
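The entropy figures in the eDisclosure post above (four seasons, 2 bits) and in the DMV paragraph above (7 elections times 2 candidates, under 4 bits) can be checked, and extended, with a small calculation. The following is an added example written for this page, not code from any of the sites discussed. It computes Shannon entropy for an answer distribution, plus the two numbers an attacker actually cares about: min-entropy (how good the single best guess is) and the chance of success within k guesses. The skewed season distribution is constructed for illustration, not measured.

```python
import math


def shannon_entropy_bits(distribution):
    """Shannon entropy H = -sum(p * log2 p) of an answer distribution.

    `distribution` maps each possible answer to its probability; the
    probabilities must sum to 1.
    """
    total = sum(distribution.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1, got %r" % total)
    return -sum(p * math.log2(p) for p in distribution.values() if p > 0)


def min_entropy_bits(distribution):
    """Min-entropy -log2(max p): the figure that matters against an attacker
    who simply tries the single most popular answer first."""
    return -math.log2(max(distribution.values()))


def top_k_success(distribution, k):
    """Probability that an attacker allowed k attempts (say, before a
    lockout) succeeds by trying the k most popular answers in order."""
    probs = sorted(distribution.values(), reverse=True)
    return sum(probs[:k])


def uniform(answers):
    """Equiprobable distribution over an iterable of distinct answers."""
    answers = list(answers)
    return {a: 1.0 / len(answers) for a in answers}


# "What is your favorite season?" with the four seasons equally popular.
SEASONS_UNIFORM = uniform(["spring", "summer", "fall", "winter"])

# Constructed skew (not survey data): many people just answer "spring".
SEASONS_SKEWED = {"spring": 0.40, "summer": 0.30, "fall": 0.20, "winter": 0.10}

# "Who did you vote for in your first presidential election?" for someone
# who could have voted in 7 elections, each with 2 major candidates:
# 14 equally likely (year, candidate) outcomes. Years are assumed for the
# example; only the count matters.
FIRST_VOTE_UNIFORM = uniform(
    (year, candidate)
    for year in range(1988, 2013, 4)
    for candidate in ("D", "R")
)


def summarize(name, distribution, guesses=3):
    """Return the three figures for one question as a dict (also printed)."""
    result = {
        "question": name,
        "shannon_bits": shannon_entropy_bits(distribution),
        "min_entropy_bits": min_entropy_bits(distribution),
        "success_in_%d_guesses" % guesses: top_k_success(distribution, guesses),
    }
    print(result)
    return result


if __name__ == "__main__":
    summarize("favorite season (uniform)", SEASONS_UNIFORM)
    summarize("favorite season (skewed)", SEASONS_SKEWED)
    summarize("first presidential vote", FIRST_VOTE_UNIFORM)
```

With the uniform seasons the Shannon entropy is exactly 2 bits and two guesses succeed half the time; with the skewed distribution the Shannon entropy drops to about 1.85 bits, but the min-entropy is only about 1.32 bits and three guesses succeed 90% of the time, which is the number to compare against whatever lockout threshold the site enforces. The 14 voting outcomes give log2(14), about 3.8 bits, before any age-based narrowing.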

The context of the security questions here is more troubling. The registration form places these questions in between email address (which you need to enter twice) and driver’s license/ID number, date of birth, last 4 digits of Social Security Number, and driver’s license/ID issue date, all of which need to be answered truthfully in order for the registration to succeed. The placement of these questions discourages users from doing the secure thing, which is to make answers up.

Contributed by myself (Jim Fenton)

Social Security Administration (US)

In the United States, the Social Security Administration has rolled out an online service to replace the paper statements they sent out to tell us the status of our account (earnings, etc.) so we don’t get surprised by an error at retirement time. While setting up an account, you need to create a username and password, and then you’re required to select and answer three “Password Reset Questions” (at least they’re honest about what they’re used for). The choices are different for each question.

Here are the choices:

SSA question 1

SSA Question 2

SSA Question 3

For question 1, almost all of the questions deal with relatives’ names, often found on a genealogy service. The name of the hospital in question 2 is probably nearly fully determined by your birthplace, again readily found on genealogy services. For the third question, there aren’t that many car models, especially not “dream cars”.

“Name of your favorite childhood friend” doesn’t specify whether it’s the first name or the full name. And that’s one of the other problems with these questions: there are often different typographical answers to the same question, and hopefully the answers are hashed so they’re less subject to disclosure. But, in third grade, did I live on Maple, Maple Street, or Maple St.? Could be hard to get it right when it’s needed.
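Two points above invite a worked example: the SAM post’s question of why a hashed password would need a 15 character limit, and the Maple / Maple Street / Maple St. problem with hashed security answers. The following is an added example, not code from any of the sites discussed. It normalizes an answer before hashing so common typographical variants match, hashes it with a salted, iterated KDF, and verifies candidates in constant time; the abbreviation table and the choice to drop street suffixes entirely are design assumptions made for the example. It also shows that the stored digest has the same length whether the input is 8 characters or 64.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Street-suffix abbreviations to expand. Constructed for this example; a
# real deployment would extend this to whatever its users actually type.
_ABBREVIATIONS = {
    "st": "street", "ave": "avenue", "rd": "road", "dr": "drive",
    "blvd": "boulevard", "ln": "lane", "ct": "court",
}
_SUFFIXES = set(_ABBREVIATIONS.values())

# Iteration count kept modest so the example runs quickly. Production code
# should raise it, or better, use a memory-hard KDF such as argon2id/scrypt.
PBKDF2_ITERATIONS = 200_000
DIGEST_LEN = 32


def normalize_answer(answer):
    """Canonicalize a security-question answer before hashing.

    'Maple', 'Maple St.' and '  maple  STREET' all normalize to 'maple':
    Unicode compatibility form, case folding, punctuation stripped,
    abbreviations expanded, and generic street suffixes dropped.
    Aggressive normalization trades a little entropy for usability; the
    answer space was never large to begin with.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", " ", text)          # punctuation -> space
    words = [_ABBREVIATIONS.get(w, w) for w in text.split()]
    words = [w for w in words if w not in _SUFFIXES]
    return " ".join(words)


def hash_answer(answer, salt=None):
    """Return (salt, digest) for an answer.

    The digest is always DIGEST_LEN bytes, regardless of input length, so a
    short upper bound on the plaintext length buys nothing in storage.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer).encode("utf-8"),
        salt,
        PBKDF2_ITERATIONS,
        dklen=DIGEST_LEN,
    )
    return salt, digest


def verify_answer(candidate, salt, digest):
    """Compare a candidate answer against a stored (salt, digest) pair
    without leaking timing information about where they differ."""
    _, candidate_digest = hash_answer(candidate, salt)
    return hmac.compare_digest(candidate_digest, digest)


def stored_digest_length(answer):
    """Length in bytes of the digest that would be stored for `answer`."""
    return len(hash_answer(answer)[1])


if __name__ == "__main__":
    salt, digest = hash_answer("Maple St.")
    for attempt in ("Maple", "maple street", "MAPLE ST", "Oak Street"):
        print("%-14s -> %s" % (attempt, verify_answer(attempt, salt, digest)))
    print("8-char digest bytes: ", stored_digest_length("x" * 8))
    print("64-char digest bytes:", stored_digest_length("x" * 64))
```

Normalization has to happen identically at enrollment and at verification, and it should be decided before any answers are stored, since changing it later silently invalidates existing hashes. An answer consisting only of a suffix word (just “Street”) normalizes to the empty string under these rules, which a real form should reject at enrollment.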

Social Security also provides password creation rules:

SSAPasswordRules

Password rules have been shown to lead to a false sense of security, because people focus on the rules rather than what makes a good password. But what good does it do to require that the password not begin with a symbol? Or is this just because the programmer didn’t want to handle that case correctly?

Submitted by myself (Jim Fenton)