"Security question answers" are akin to auxiliary passwords, which users will not use on a daily basis. Remembering a password that you almost never type is hard. Requiring exact case is likely to make the user fail to answer properly.
From a theoretical point of view, a "security question" is already a huge weakness, which you tolerate because some users will forget their password, and you want to handle that case with as much automation as possible, and not asking any security question would be even worse security-wise. Hence, the added value of security questions is that they allow a not-totally-open password reset process which can nonetheless be conducted automatically, i.e. at minimal cost for the server. Case sensitivity would probably remove much of that value. Actually, I would even recommend normalization by suppressing whitespace, punctuation and accents.
(Answer from Thomas Pornin on Stack Exchange.)
Security questions are basically another password. Ideally they should thus have the same properties as a password, i.e. reasonable length (greater than 8 characters), which is the most important property for defending against guessing and brute force.
This research study was posted here in a previous question: https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnxyZXVzYWJsZXNlY3xneDozNDcwNDhmMmE2MmJiMDkw
Its conclusions are that complexity is not that important against an online entry. Thus if you check for basic dictionary words, username etc, have sufficient length and implement an account lockout or exponential backoff, there is no significant benefit in also requiring complexity.
Of course the best would be to eliminate secret questions and add an out-of-band password reset method such as an SMS one-time password or even an email one-time password / link. Or stop managing passwords altogether and support an OAuth (e.g. Facebook Connect) or OpenID (Google etc.) based method of authentication.
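The two answers above each describe one half of a sane automated reset flow: normalize the answer (case-fold, drop accents, whitespace and punctuation) so honest users are not rejected over spelling, then treat what remains like a password (minimum length, salted hash, account lockout or exponential backoff against online guessing). The following Python is an added example of both halves together; it is not code from either answer. The minimum normalized length of 4, the PBKDF2 iteration count, the 2-second base delay and the failure cap are assumed policy values, and the account names used in the self-test are constructed.

```python
import hashlib
import hmac
import os
import time
import unicodedata

# Assumed policy values (not from the original answers): minimum length of the
# normalized answer, and the work factor for the stored hash.
MIN_NORMALIZED_LEN = 4
PBKDF2_ITERATIONS = 200_000


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer as recommended above: case-fold, drop accents
    (NFKD decomposition, then discard combining marks), and remove whitespace
    and punctuation. "Saint-Étienne" and "saint etienne" both become
    "saintetienne"."""
    decomposed = unicodedata.normalize("NFKD", answer)
    without_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(ch for ch in without_marks.casefold() if ch.isalnum())


def enroll_answer(answer: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Store the answer salted and hashed (PBKDF2-HMAC-SHA256), like a password.
    Rejects answers that are too short once normalized, since a short answer is
    trivially guessable regardless of spelling or punctuation."""
    normalized = normalize_answer(answer)
    if len(normalized) < MIN_NORMALIZED_LEN:
        raise ValueError("answer too short after normalization")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalized.encode("utf-8"), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def answer_matches(record: dict, candidate: str) -> bool:
    """Constant-time comparison of a normalized candidate against the record."""
    normalized = normalize_answer(candidate)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalized.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


class ResetAttemptGuard:
    """Per-account throttle for the automated reset flow: the wait after each
    wrong answer doubles (exponential backoff) and the account's reset path is
    locked once max_failures is reached. The clock is injectable so the logic
    can be exercised without sleeping."""

    def __init__(self, base_delay: float = 2.0, max_failures: int = 10, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_failures = max_failures
        self.clock = clock
        self._state = {}  # account -> (failure_count, earliest_next_attempt)

    def check_answer(self, account: str, record: dict, candidate: str) -> str:
        """Returns "ok", "wrong", "throttled" or "locked"."""
        failures, not_before = self._state.get(account, (0, 0.0))
        now = self.clock()
        if failures >= self.max_failures:
            return "locked"
        if now < not_before:
            return "throttled"  # refused without evaluating the answer at all
        if answer_matches(record, candidate):
            self._state.pop(account, None)  # success clears the backoff
            return "ok"
        failures += 1
        delay = self.base_delay * (2 ** (failures - 1))
        self._state[account] = (failures, now + delay)
        return "locked" if failures >= self.max_failures else "wrong"


if __name__ == "__main__":
    record = enroll_answer("Saint-Étienne")
    print(answer_matches(record, "saint etienne"))  # True
    print(answer_matches(record, "Lyon"))           # False
```

Note that a throttled request is refused before the answer is even compared, so an attacker gains no oracle during the wait, and that the guard keys on the account rather than the client address, since the attacker chooses the address but not the victim's account.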
Hello all,
So like the title says I have forgotten the password to my laptop. I believe I changed the password over a year ago and never really used it (just the PIN and fingerprint) and clearly picked something irregular. In turn, the three security questions I can't seem to get the answers right (although I know what they should be), at least one is wrong and I'm not sure if they are case sensitive but a quick Google search suggests no. I can still log in easily enough because I have my fingerprint and PIN access but I don't want to wait around for the laptop to require a password log in.
There is a microsoft account attached to the computer but resetting the microsoft account password (which I knew anyway) has no effect on the computer password (I assume it is a local account).
Additional notes:
The laptop used to use windows 10 operating system but I upgraded it to windows 11 recently.
I have seen two possible ways of fixing this issue on the internet so far but they seem kind of dodgy so I have avoided them.
Below is the link to the first one (although the comments suggest if your device has encryption on it it will not work, so I turned off encryption in the settings but BitLocker encryption might still be active, not sure).
www.youtube.com/watch?v=0gOZoroPNuA&ab_channel=Britec09
The second option I have seen is creating a second administrator account and using that to change the password on this account, but it seems surprising that that would work.
I do not have a password reset disk.
If I go into Settings > Accounts > Sign-in options > Password, I can try passwords over and over again with little fuss. I can also go to the sign-in screen and try the security questions over and over.
From my searches so far it looks like I'm kinda boned, though, I think, but thought I'd ask.
Edit:
Removed some information.
Solved. I ended up doing the following to change my password. Open cmd as administrator (being already logged in with pin/fingerprint obviously). Type in 'net user'. This identifies all the accounts on your computer: "Administrator, UserName, Guest, etc". Once you identify your account (whatever UserName is) you can type in 'net user UserName *' and will be prompted to type and retype a new password for the user.
Before I logged out I changed my security questions which in windows 11 can be found by typing "ms-cxh://setsqsalocalonly" into the run command and typing in your new password. I also created a 'physical password reset disk' using a usb.
Got a bit stressed when my fingerprint and PIN stopped working within Windows (checked by trying to look at my passwords in my browser, which prompts you to sign in with one). However, this was because I had changed the password and hadn't logged back in yet. I have now logged in and out several times and checked that fingerprint and PIN are working properly to log in as well.
In case of SQL Server:
string query = "select count(*) from login where userid=@userid and password=@Lee collate Latin1_General_CS_AS";
If this is a web application, MessageBox.Show() only shows on the server. It seems to work in development because your development machine is both the client and the server.
You are essentially correct, they don't really "increase security." They are there to (nominally) increase user convenience in case a password reset is needed, at a cost to over-all security.
If you forget your password, many password reset mechanisms require you to answer these questions as a secondary form of proving it is you. These are a holdover from the days before most of this information was easily available, and it was assumed to be relatively secret.
If forced to use such a system, and you are concerned about security, you can either enter random garbage even you won't know, and take responsibility that you will never be able to use their password reset feature, but neither will a bad guy. Or, enter some other password or token you will remember, but is not the answer to the question.
Don't use anything sensitive for these fields, as you can assume that unlike passwords, they won't be hashed, and may be visible to Customer Service reps trying to verify you over the phone.
For best practice guidance, NIST declared that security questions should not ask users for specific information such as "What is the name of your pet" in the Digital Authentication Guideline publication SP 800-63B (section 5.1.1.2).
https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret
The point of the questions is that people often pick poor passwords that are easily guessable, and to provide another "password" to mitigate this. A better method like sending a text message to a phone number isn't always possible, and means people have to have their phone with them to login.
As you noted, this isn't always done very well, and the answers are sometimes able to be researched, have a very small number of possible answers (like what is your favorite color), or change (what's the name of your youngest child).
Does this practice improve security in any way? If not, then why do so many websites, so many products, so many companies force their users to provide answers for these questions?
If it's done well, it can provide some additional level of security. If done poorly, it provides little or no additional benefit.