I was recently trying to renew my car’s registration. I was given the option of using the “Classic Online Renewal” or the new “Texas by Texas (TxT)” system.
The old system is probably over two decades old and appears to be using Java servlets. I’ve used it all these years and for the most part it works. You authenticate yourself using your license plate and the last 4 digits of your VIN: two pieces of information you can obtain by looking closely at any car on the street.
By contrast, the new system allows you to create a profile and link your driver’s license, vehicle, and other licenses to it. Seems like a good idea with the forthcoming digital licenses. I go through the process to create my profile. I have to link my driver’s license by entering information visible on the face of the card and on the magnetic stripe. I add an email address, password, phone number, address, and security questions. I get to the last screen and click save. It hangs. I wait.
After several minutes, I give up and click on the logo to take me back to the starting point. I try to log in and it works, but my profile is all blank. No address. No security questions. And it’s not linked to my driver’s license. It let me create an account without linking to my DL. Hmm.
I proceed to try to add the Security Questions. I click save and it hangs again. At this point, I assume that I’m using beta software. My suspicions are confirmed when all the emails from the new system being generated out of Amazon SES are going to spam. I look at the headers to see an SPF Fail.
At this point I suspect that TxT is doing some sort of parsing of the Security Questions text and it is that parse function that is hanging the app. This causes additional alarm bells to fire off. It is clear that they are not properly handling the Security Questions. By properly, I mean that they should be treating them like passwords. To do anything less or different creates a weakness in the security model. After some trial and error, I was able to determine that they could not handle special characters in the Security Question responses. Once I generated new and much longer responses without special characters, I was able to save the form.
In summary, Security Question answers allow someone to access your account, so they deserve the same handling as a password. They are typically not protected properly against brute force attacks, and by design the user is prompted to make the answer something they would know. In some cases they may be visible as plain text to support staff. When filling out these forms, you do not have to answer the prompted question. You can generate random answers with enough entropy to make up for the lack of variety of characters. Those answers can be stored in a password manager.
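The two points above (treat security question answers like passwords, and pick random answers long enough to compensate for a restricted character set) are concrete enough to show in code. The following is an added example written for this post; it is not TxT’s code and makes no claim about how TxT stores anything. The function names, the PBKDF2 iteration count, the attempt limit, and the sample answers are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import os
import secrets
import string
import unicodedata
from typing import Dict, Optional, Tuple

# Assumed cost parameter; pick per your own hardware budget.
PBKDF2_ITERATIONS = 600_000
# Assumed brute-force guard: lock the question after this many bad answers.
MAX_ATTEMPTS = 5


def normalize_answer(answer: str) -> str:
    """Canonicalize the answer so harmless typing differences still match.

    Unicode NFKC, surrounding whitespace trimmed, case folded. Every other
    character, including punctuation and symbols, is kept verbatim: an
    answer like "Rex! (the 2nd)" must never be rejected or mangled.
    """
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash of the normalized answer (same treatment as a password)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison against the stored digest; plaintext is never kept."""
    _, digest = hash_answer(candidate, salt)
    return hmac.compare_digest(digest, stored)


class SecurityQuestionStore:
    """Hypothetical per-account store: only (salt, digest) and a failure counter."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}
        self._failures: Dict[str, int] = {}

    def enroll(self, question_id: str, answer: str) -> None:
        self._records[question_id] = hash_answer(answer)
        self._failures[question_id] = 0

    def check(self, question_id: str, candidate: str) -> bool:
        """Verify an answer, refusing further guesses once MAX_ATTEMPTS is reached."""
        if self._failures.get(question_id, 0) >= MAX_ATTEMPTS:
            return False  # locked; a real system would also alert and require recovery
        salt, digest = self._records[question_id]
        if verify_answer(candidate, salt, digest):
            self._failures[question_id] = 0
            return True
        self._failures[question_id] = self._failures.get(question_id, 0) + 1
        return False

    def is_locked(self, question_id: str) -> bool:
        return self._failures.get(question_id, 0) >= MAX_ATTEMPTS


# --- User side: random answers for a form that only accepts letters and digits ---

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random string of this length and alphabet."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Shortest length reaching target_bits for the given alphabet size."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_answer(target_bits: float = 128, alphabet: str = string.ascii_letters + string.digits) -> str:
    """Random answer with at least target_bits of entropy; default alphabet has no special characters."""
    length = length_for_bits(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    store = SecurityQuestionStore()
    store.enroll("first_pet", "Rex! (the 2nd)")  # constructed sample answer with special characters
    print("exact match:", store.check("first_pet", "Rex! (the 2nd)"))
    print("case/whitespace variant:", store.check("first_pet", "  rex! (THE 2nd) "))
    print("wrong answer:", store.check("first_pet", "Rex"))
    print("alphanumeric answer for 128 bits:", random_answer())
```

Two design points are worth noting. Normalization happens before hashing, so a user who types the answer with different capitalization still gets in, but the stored value is a salted PBKDF2 digest rather than the text, which is what removes the "visible to support staff" problem. On the user side, `length_for_bits` shows why a letters-and-digits-only answer needs to be a bit longer than one drawn from the full printable set to reach the same entropy.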