Cisco has just “enhanced” the security of their website by forcing you to enter two secret questions and answers when you register for an account. To quote Bruce Schneier:

It’s a great idea from a customer service perspective — a user is less likely to forget his first pet’s name than some random password — but terrible for security. The answer to the secret question is much easier to guess than a good password, and the information is much more public. (I’ll bet the name of my family’s first pet is in some database somewhere.) And even worse, everybody seems to use the same series of secret questions.

The result is the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers.

Cisco provides an excellent example of how not to handle password recovery. Not only are they using a secret question and answer system, they require you to choose from a pre-defined list of questions, and they force you to answer not just one but two questions.

[Image: Cisco password procedure]

For a company that offers a broad range of products designed to protect your network, this looks like a bad move. Most of these answers can be easily obtained through the internet; sites like Facebook contain a wealth of information for hackers. I personally recommend filling any “secret answer” field with random data so hackers don’t get an extra chance to hack into your account.

Which reminds me of another important precaution to take when signing up for an account on any website:

  • Sign up with a simple password such as “p@ssword123”
  • Follow their lost password procedure
  • If you receive an e-mail containing your original password, the site stores passwords in a readable form. If their servers are hacked, you have a big problem, so either delete your account for this service as soon as possible, or use a password that you don't use for any other account.
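The two points above, the random "secret answer" on the user side and the readable-form storage that lets a site e-mail your original password, come together in this added example (my code, not Cisco's). It fills the answer field from a cryptographic random source and shows how a site should hold such answers, as a salted slow hash that can be verified but never sent back; the normalization rule and scrypt parameters are my assumptions.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Assumed scrypt cost parameters (not from the post); 128*N*r bytes of memory.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def random_secret_answer(nbytes: int = 24) -> str:
    """User side: fill a 'secret answer' field with random data instead of a
    pet's name, so the answer is not something an attacker can look up."""
    return secrets.token_urlsafe(nbytes)


def _normalize(answer: str) -> str:
    # Assumed site rule: ignore case, surrounding whitespace and Unicode form,
    # so that "Rex " and "rex" are treated as the same answer.
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def _derive(answer: str, salt: bytes) -> bytes:
    return hashlib.scrypt(_normalize(answer).encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def store_answer(answer: str) -> dict:
    """Site side: keep only a per-record salt and the derived hash. Nothing in
    the record lets the site (or whoever steals its database) recover the
    answer, which is exactly the property a site that e-mails you your
    original password lacks."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _derive(answer, salt)}


def verify_answer(record: dict, answer: str) -> bool:
    """Constant-time comparison of the re-derived hash against the stored one."""
    return hmac.compare_digest(_derive(answer, record["salt"]), record["hash"])


if __name__ == "__main__":
    rec = store_answer(random_secret_answer())
    print(sorted(rec))  # only 'hash' and 'salt' are stored; no answer field
```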