Study: Secret questions don't safeguard passwords
Even if your spouse doesn't know your e-mail password, he or she probably knows enough information to get it.
Free e-mail providers often present a so-called "secret question" as a verification mechanism to reset an account password. But the answer is often easily guessable by other people who know the account holder, according to a new study to be released during the IEEE Symposium on Security and Privacy this week in Oakland, California.
In other cases, strangers can successfully supply the answers to some questions, which is how Republican vice-presidential nominee Sarah Palin lost control of her Yahoo account. The university student accused of commandeering the account, David Kernell, said it took less than an hour of research online to come up with the right answers for the security questions for Palin's account.
The study looked at the questions used by Yahoo, Google, Microsoft and AOL in March 2008. In one test, the researchers paired two people together, with the e-mail account holder saying they would not trust the other person with their password. When presented with the account holder's secret question, the other person guessed it right 17 percent of the time.
Among two people who trust each other, one partner was able to supply the right answer for a Hotmail account 28 percent of the time, the study said.
Even with questions written by a user -- the system that Google now employs -- a complete stranger could guess the answer 15 percent of the time within five attempts.
Part of the problem is that the questions are so bland that a bit of Internet searching can bring up lists of favorite TV shows, sodas, beers, actors, etc. that help make more targeted guessing possible. Also, geographical data helps with questions such as "What is your favorite sports team," the study said.
"Our results do not give us confidence that today's personal questions make adequate authentication secret," the authors wrote. "Those that are hard to guess are less likely to be chosen by users in the first place, and when chosen they are less likely to be remembered."
Although Yahoo at one time presented the most memorable set of questions at the time, the study's participants forgot their own answers within six months. The authors wrote that Yahoo replaced all nine of its personal authentication questions in February.
There isn't an easy fix to the problem. Many other Web sites depend on sending an e-mail to a person's account to verify a person, but since the e-mail account itself needs to be verified, it poses a problem.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
password
Powered by TwitterOn Twitter now
password
Brian Proffitt
Microsoft/Novell: Breaking Down the Coupon Numbers
Esther Schindler
Drupal's Dries Buytaert on Building the Next Drupal
Tom Henderson
Top Ten General Operating Systems Rants
pasmith
PS3 motion controller delayed; goes up against Project Natal
sjvn
Neolithic Windows security hole alive and well in Windows 7
claird
Perl source code comparison makes for good reading
mikelgan
Cell phones don't create stress or interrupt much
Sandra Henry-Stocker
How to: The Unix Interview
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
- Ubuntu advances: Why Ubuntu server installations will surge in 2010
- Social media marketing: How to make friends with benefits
- More...
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.






