Study: Secret questions don't safeguard passwords

Even if your spouse doesn't know your e-mail password, he or she probably knows enough information to get it.

Free e-mail providers often present a so-called "secret question" as a verification mechanism to reset an account password. But the answer is often easily guessable by other people who know the account holder, according to a new study to be released during the IEEE Symposium on Security and Privacy this week in Oakland, California.

In other cases, strangers can successfully supply the answers to some questions, which is how Republican vice-presidential nominee Sarah Palin lost control of her Yahoo account. The university student accused of commandeering the account, David Kernell, said it took less than an hour of research online to come up with the right answers for the security questions for Palin's account.

The study looked at the questions used by Yahoo, Google, Microsoft and AOL in March 2008. In one test, the researchers paired two people together, with the e-mail account holder saying they would not trust the other person with their password. When presented with the account holder's secret question, the other person guessed it right 17 percent of the time.

Among two people who trust each other, one partner was able to supply the right answer for a Hotmail account 28 percent of the time, the study said.

Even with questions written by a user -- the system that Google now employs -- a complete stranger could guess the answer 15 percent of the time within five attempts.

Part of the problem is that the questions are so bland that a bit of Internet searching can bring up lists of favorite TV shows, sodas, beers, actors, etc. that help make more targeted guessing possible. Also, geographical data helps with questions such as "What is your favorite sports team," the study said.

"Our results do not give us confidence that today's personal questions make adequate authentication secret," the authors wrote. "Those that are hard to guess are less likely to be chosen by users in the first place, and when chosen they are less likely to be remembered."

Although Yahoo at one time presented the most memorable set of questions at the time, the study's participants forgot their own answers within six months. The authors wrote that Yahoo replaced all nine of its personal authentication questions in February.

There isn't an easy fix to the problem. Many other Web sites depend on sending an e-mail to a person's account to verify a person, but since the e-mail account itself needs to be verified, it poses a problem.

One possible solution to ward off statistical guessing attacks would be to penalize wrong responses depending on their popularity. The size of the penalty, the authors write, would depend on the chance of the legitimate user responding with multiple popular answers before getting the right one.

Data in the study suggests that if a person incorrectly guesses two popular responses for a question, they rarely get a third question right.

Also, the authors recommend eliminating questions that are statistically guessable more than 10 percent of the time, such as "What is your favorite town?" They defined an answer as statistically guessable if it is among the five most-popular answers provided by other participants in their study.

Another authentication mechanism could be an SMS (Short Message Service) sent by the e-mail provider to a person's mobile phone. But that also poses security questions, since phones are stolen and lost, and SMS transmission has security concerns, they wrote.

The study was written by Stuart Schechter and A.J. Berheim Brush of Microsoft Research and Serge Egelman of Carnegie Mellon University.