Palo Alto Networks

Networking company Palo Alto Networks has an example of a website that allows users to pick their own “security” questions:

Empty security question form

As you can see, the questions and answers can range from the unhelpful (given that you’ve forgotten your password) to the obvious:

Tongue-in-cheek questions

I’d be careful about this; it’s never obvious how many correct answers are needed for account recovery, so a single weak answer might be the Achilles’ Heel for the security of your account. Some users might also choose questions that aren’t secrets, like “Who shot J.R.?”, “What is 2+2?”, or “What is the airspeed velocity of an unladen swallow?”

And it’s never obvious how this information is stored. Is it salted and hashed like passwords should be? Or is it available to customer service people in plaintext?

Wondering how the answers are stored

So now to test out the recovery process. An identifier and CAPTCHA to start:


And presumably the user still doesn’t know their password. But they also got the capitalization and punctuation on “No!” wrong:


Didn’t work. Let’s try again. But look, the user has another option to get a password reset email:


So why do we need the security questions at all? They’re just an additional way into your account:


Sure enough, the email was sufficient:

8The “security” questions were not needed to recover the account, but just provided an additional way in. So why have them?


Contributed by Per Thorsheim.