Safer Storage and Handling of User Answers to Security Questions

Presented at BSidesLV 2017, July 26, 2017, 10 a.m. (55 minutes)

Like it or not, security question password reset isn't going away. Most organizations find it to be a cost effective approach that seems to work in practice. While there are many problems with this approach, one has received little attention: how to safely store the answers. I show that common methods used for storing password validation information are not suitable for security questions, and propose better alternatives.

Presenters:

• Arnold Reinhold - A G Reinhold
  Arnold Reinhold has been involved with password and passphrase security since the mid-1990s. He is the developer of Diceware, RockSalt, CipherSaber and HEKS, the first password hash designed to consume memory resources as well as CPU time. He has worked on spacecraft navigation at NASA, apparel industry automation at Marcon, computer-aided design software at Computervision Corp. and helped found Automatix Inc., an early robotics and machine vision company. Mr. Reinhold is co-author of several For Dummies books, including The Internet For Dummies Quick Reference and Email For Dummies, and contributes regularly to Wikipedia. Mr. Reinhold studied mathematics at MIT and management at Harvard.

Links:

• https://bsideslv2017.sched.com/event/BNGJ/safer-storage-and-handling-of-user-answers-to-security-questions
• https://infocon.org/cons/Security BSides/BSides Las Vegas/Bsides Las Vegas 2017/Safer Storage and Handling of User Answer.mp4
• https://infocon.org/cons/Security BSides/BSides Las Vegas/Bsides Las Vegas 2017/Safer Storage and Handling of User Answer.eng.srt (subtitles)
• https://www.youtube.com/watch?v=CqwbCxP7MC0

Similar Presentations:

• DEF CON 23 (2015) / Questions and Answers
• BSidesLV 2015 / Security Questions Considered Harmful
• ToorCon San Diego 1 (1999) / Security Panel: Questions and Answers.