Study: Secret questions don't safeguard passwords
Even if your spouse doesn't know your e-mail password, he or she probably knows enough information to get it.
Free e-mail providers often present a so-called "secret question" as a verification mechanism to reset an account password. But the answer is often easily guessable by other people who know the account holder, according to a new study to be released during the IEEE Symposium on Security and Privacy this week in Oakland, California.
In other cases, strangers can successfully supply the answers to some questions, which is how Republican vice-presidential nominee Sarah Palin lost control of her Yahoo account. The university student accused of commandeering the account, David Kernell, said it took less than an hour of research online to come up with the right answers for the security questions for Palin's account.
The study looked at the questions used by Yahoo, Google, Microsoft and AOL in March 2008. In one test, the researchers paired two people together, with the e-mail account holder saying they would not trust the other person with their password. When presented with the account holder's secret question, the other person guessed it right 17 percent of the time.
Among two people who trust each other, one partner was able to supply the right answer for a Hotmail account 28 percent of the time, the study said.
Even with questions written by a user -- the system that Google now employs -- a complete stranger could guess the answer 15 percent of the time within five attempts.
Part of the problem is that the questions are so bland that a bit of Internet searching can bring up lists of favorite TV shows, sodas, beers, actors, etc. that help make more targeted guessing possible. Also, geographical data helps with questions such as "What is your favorite sports team," the study said.
"Our results do not give us confidence that today's personal questions make adequate authentication secret," the authors wrote. "Those that are hard to guess are less likely to be chosen by users in the first place, and when chosen they are less likely to be remembered."
Although Yahoo at one time presented the most memorable set of questions at the time, the study's participants forgot their own answers within six months. The authors wrote that Yahoo replaced all nine of its personal authentication questions in February.
There isn't an easy fix to the problem. Many other Web sites depend on sending an e-mail to a person's account to verify a person, but since the e-mail account itself needs to be verified, it poses a problem.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
password
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
