United Mileage Plus

Yesterday, Yan Zhu (@bcrypt) pointed out on Twitter that United Airlines Mileage Plus program has started collecting answers to security questions. They have a new twist: you must select one of a menu of answers.

United wants the answers to five questions, chosen from a list:


These are somewhat creative questions, which is good because they’re less likely to be shared with other sites that could be compromised. But what’s also interesting is that one of the questions Yan tweeted about, “What is your favorite pizza topping?” does not appear here. Perhaps United is presenting different question choices to different people, or perhaps they agreed that mashed potato was too strange a choice to have.

What really stands out about United is doing here is that the answers, rather than being typed by the user, must be chosen from a list. As I pointed out in an earlier post analyzing the security answers in the Ashley Madison database, there is a lot of variation in the way these questions are answered, and it’s not possible to store the answers as a salted hash (as one should for passwords, which is what these really are) and allow a fuzzy match.  For example, someone who went to Central High School might enter “central”, “Central”, “Central HS”, etc., or they might spell the answer wrong entirely. Choosing an answer from a list instead removes that problem.

But what other problems are introduced? The most obvious is that the number of choices (and therefore the amount of entropy, or randomness, in the answer) is limited. Here is the number of choices offered for each of the questions:

  • Favorite vacation type: 17
  • Best friend’s birthday month: 12
  • Favorite sport: 54
  • Favorite ice cream flavor: 44
  • Month met spouse/SO: 12
  • What you wanted to be: 91
  • First car: 116
  • Favorite sea creature: 38

and so forth. In the best case (if the answers are equally likely), the probability of guessing the right answer is 1/N. But these answers are far from equally likely: there are going to be many more people whose first car was a Chevrolet than a Tesla. And, as with many security questions, that assumes that the answers aren’t obtainable elsewhere, such as social media. It’s far more likely that someone who has posted a picture of their pet greyhound on Facebook is going to cite that as their favorite dog breed than, say, a Treeing Walker Coonhound.

Many of these questions don’t evoke obvious answers for me. Favorite artist? I like many. Favorite flavor of ice cream? Depends on what mood I’m in.

The use of specified answers also keeps users from supplying nonsense answers to the questions, which can be considerably more secure than direct answers to the questions.

In conclusion, United seems to have traded one problem (imprecise answers to security questions) for some others (low entropy, low memorability of the correct answer). United is giving us 30 days to complete the security questions (and change our password, by the way) before this becomes mandatory. Let’s hope there is enough of an outcry to convince them that this is an ineffective technique that potentially degrades, rather than improves, security.UnitedSecQ




Delta Air Lines

I recently got a mailing implying (but not actually saying) that some of my frequent flight miles on Delta were about to expire, so I thought I should check my status online. Very surprisingly, I didn’t have an online account associated with my frequent flight account, so I got exposure to another registration process.

I eventually got to a page where I could reset my password (I guess there aren’t enough people in my situation to have a separate “set your password” page:


These days, a 6-character password is far too short, and it’s uncommon not to permit special characters at all. The minimum should be at least 8-10 characters. The bright spot is in the fourth bullet where they imply that they are checking submitted passwords against a corpus of common passwords. This is an excellent practice if, in fact, this is what they are doing. I didn’t try any common passwords to check.

Naturally, this was followed by a requirement to answer a couple of security questions:


The best I can say is that there weren’t any particularly ridiculous questions (besides the perennial “first pet”), and about half the questions were a little unusual and travel themed. They shared many of the problems of more usual questions (you might be able to figure out the coolest landmark I have visited from my travel blog, so I didn’t use that one), but at least they are less likely to be shared by many other sites one registers with.

By the way, my miles weren’t expiring; the mail I received just wanted to have me use some of them to buy magazines.


DB Bahn

Anders B (@abjoerne on Twitter) contributed the following example from DB Bahn:


Scattered among the typical security question options is passport/ID number. While it’s not something you’re likely to post on Facebook (unlike favorite animal or holiday destination, perhaps), it isn’t something that is a secret: very often people are asked for their passport numbers when registering for hotels, for example. In addition, I have always been given a new passport number when I renew my passport. Will I always know which passport number I used? Will I still have access to it?