'Secret' Questions Leave Accounts Vulnerable
Study shows how easy it is for others to guess answers to security questions.
June 23, 2009 -- What's your secret question? Your mother's maiden name? Your first pet? For many people, facts like these are all that protect their email and other accounts should they forget their password.
Now a new study by researchers at Microsoft Research in Redmond, Wash., reveals just how easy the answers to such security questions are for other people to guess.
Acquaintances of 32 Web mail users – people with whom they would not normally share their login details – were asked to try to guess the answers users assigned to protect their accounts. The volunteers managed to guess correctly nearly a fifth of the time, raising questions over how secure the commonly used system is.
However, a second Microsoft study suggests a more secure alternative: relying on trusted friends to vouch for you if an account becomes locked.
Skeleton Key
Securing webmail is important because a compromised email account typically gives an attacker access to other accounts, for example eBay and Amazon, points out Ross Anderson, a security engineer from Cambridge University, UK. Password reminders for those services can be requested and will be sent to the compromised account.
"If I can recover these passwords via your email account then I can spend the balance of your credit card on flat-screen TVs," he says.
Hackers can break open webmail accounts by guessing the password. However, many providers, including the four biggest (AOL, Google, Microsoft and Yahoo), use secret questions to trigger a password reset, something that let a hacker compromise the Yahoo account of US vice presidential hopeful Sarah Palin last year.
Trusted Friends
Under the new system proposed by Stuart Schechter and Rob Reeder at Microsoft, users select several "trustees". If a user becomes locked out of their account, their trustees receive a message asking them to download a "recovery code." The user must collect codes from multiple trustees to unlock their account.
A group of 19 Hotmail users trialed the system and 17 successfully regained access to their Hotmail account. That 90-per-cent success rate compares favourably to the 80-per-cent success rate of the standard secret question system, say Schechter and Reeder. In the trial, most users recovered their accounts within two days.
However, when the researchers got users' acquaintances to ask the trustees to give up the codes, many of them did so. Reeder says this attack could be avoided by getting account holders to advise trustees of their role in advance. In the trial, trustees simply received an email containing the code out of the blue.
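The trustee scheme described above, sketched as an added example that is not taken from the Microsoft papers or this article. The threshold of three, the 48-hour validity window and every name in the code are assumptions, since the article says only that codes from "multiple" trustees are required.

```python
import hashlib
import hmac
import secrets
import time

THRESHOLD = 3          # assumed: codes needed to unlock (article says only "multiple")
CODE_TTL = 48 * 3600   # assumed: validity window for issued codes, in seconds


class RecoveryRequest:
    """One recovery attempt for a locked-out account (hypothetical design)."""

    def __init__(self, trustees, now=None):
        start = time.time() if now is None else now
        self.expires = start + CODE_TTL
        self.redeemed = set()   # trustees whose code has been presented
        self._digests = {}      # trustee -> SHA-256 of their code (no plaintext kept)
        self.outbox = {}        # trustee -> code; stands in for the message sent to them
        for trustee in trustees:
            code = secrets.token_hex(8)   # fresh 64-bit code per trustee per request
            self._digests[trustee] = hashlib.sha256(code.encode()).digest()
            self.outbox[trustee] = code

    def redeem(self, code, now=None):
        """Record a code the user collected; return True once the account unlocks."""
        current = time.time() if now is None else now
        if current > self.expires:
            return False        # stale request: codes no longer count
        digest = hashlib.sha256(code.encode()).digest()
        for trustee, expected in self._digests.items():
            # Constant-time comparison avoids leaking how close a guess was.
            if hmac.compare_digest(digest, expected):
                # A set means replaying one trustee's code never counts twice.
                self.redeemed.add(trustee)
        return len(self.redeemed) >= THRESHOLD
```

Because the unlock decision counts distinct trustees, a single trustee who is talked into handing over a code does not open the account alone.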
References Required
Rather than replacing the standard secret questions approach, the new method should be an optional choice for users, says Anderson, who agrees that it is important to train trustees to be appropriately security conscious.
But the idea has promise, says Reeder, pointing out that it is not a new idea to have people use third parties to back up their identity. "When I opened my first bank account, in the early 70s, I had to provide three references," he says.
The two Microsoft papers were presented at the Security and Human Behaviour conference at MIT, Massachusetts, US, last week.