This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Testing for Weak security question/answer (OTG-AUTHN-008)

Revision as of 05:19, 14 August 2013 by Robert WInkel (talk | contribs)

Jump to: navigation, search
This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: Back to the OWASP Testing Guide Project:

Brief Summary

Often called "secret" questions and answers, security questions and answers are often used to recover forgotten passwords, or as extra security on top of password.
They are typically generated upon account creation, and require the user to select from some pre-generated questions and supply an appropriate answer, or allow the user to generate their own question and answer pairs. Both methods are prone to insecurities.

Description of the Issue

Security questions and answers rely on the secrecy of the answer. Answers should be of the form that are only known by the account holder. However, although a lot of answers may not be publicly known, most of the questions that websites offer promote answers that are pseduo-private. Some examples are below. Pre-generated questions:
The majority of pre-generated questions are fairly simplistic in nature and can generate insecure answers. For example:

  • The answers may be known to family members or close friends of the user, e.g. "What is your mother's maiden name?"
  • The answer may be easily guessable.

Black Box testing and example

Testing for Topic X vulnerabilities:
Result Expected: