Study Shows "Secret Questions" Are Too Easily Guessed
wjousts writes "Several high-profile break-ins have resulted from hackers guessing the answers to secret questions (the hijacking of Sarah Palin's Yahoo account was one). This week, research from Microsoft and Carnegie Mellon University, presented at the IEEE Symposium on Security and Privacy, will show how woefully insecure secret questions actually are. As reported in Technology Review: 'In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participant's secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.'" Schneier pointed out years ago how weird it is to have a password-recovery mechanism that is less secure than the password.
Who has more water that we expect to?
Password safe: add the question and give a randomly generated combination as the answer. Problem solved.
The name of my first pet, a hamster, was
Spotty'delete from secretquestions;--
I dimly remember I saw something like this on /. before...
It's a no-brainer. Or at least it should be. Most of those "secret" questions draw from a limited set of possible answers. Worse, ALL those answers will be found in a dictionary. Because they invariably ask for (*drumroll*) a real, usually English, word.
Now, what do we tell people, what did we tell them for ages? DO NOT use words that can be found in a dictionary. Yet for the "secret answer" (which is in almost all cases as good as the real password) we ask for a word that can be found in one.
Is it me or is this like, you know, STUPID?
There is no "secure" word. Not even your pet's name. My first pet was called ;drop table *;, btw. Yeah, I'm such a geek... sorry 'bout your database, btw.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
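The two "my pet was called ;drop table" jokes above are pointing at a real bug class: a secret-answer check that splices the user's text straight into SQL. The following is an added example (not code from the article or from either commenter) that puts the concatenated query next to a parameterized one, using an in-memory sqlite3 database with constructed sample rows. It shows the practical consequence of the bug, an answer-check bypass with `' OR '1'='1`, and shows that the parameterized version stores the hamster's name as plain data. The table name `secretquestions` is taken from the joke; the user and answer values are invented for the demo.

```python
import hmac
import sqlite3

# Constructed sample data for the demo: one account with a pet-name answer.
USER = "alice"
ANSWER = "spotty"


def setup() -> sqlite3.Connection:
    """In-memory table of secret questions, seeded with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE secretquestions "
        "(username TEXT PRIMARY KEY, question TEXT, answer TEXT)"
    )
    conn.execute(
        "INSERT INTO secretquestions VALUES (?, ?, ?)",
        (USER, "Name of first pet?", ANSWER),
    )
    conn.commit()
    return conn


def check_answer_vulnerable(conn: sqlite3.Connection, username: str, answer: str) -> bool:
    """The bug: user input is concatenated into the SQL text, so the answer
    `' OR '1'='1` turns the WHERE clause into (... AND answer='') OR '1'='1'
    and the check passes for every row."""
    sql = (
        "SELECT 1 FROM secretquestions WHERE username = '%s' AND answer = '%s'"
        % (username, answer)
    )
    return conn.execute(sql).fetchone() is not None


def check_answer_hardened(conn: sqlite3.Connection, username: str, answer: str) -> bool:
    """Fix: bind the username as a parameter and do the answer comparison in
    Python, normalized and in constant time. The database never sees the
    user's answer as SQL at all."""
    row = conn.execute(
        "SELECT answer FROM secretquestions WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    stored = row[0].strip().lower().encode()
    given = answer.strip().lower().encode()
    return hmac.compare_digest(stored, given)


def store_answer(conn: sqlite3.Connection, username: str, question: str, answer: str) -> None:
    """Parameterized insert: a pet named Spotty'delete from secretquestions;--
    is stored as exactly that string, and the table survives."""
    conn.execute(
        "INSERT INTO secretquestions VALUES (?, ?, ?)", (username, question, answer)
    )
    conn.commit()


if __name__ == "__main__":
    conn = setup()
    print("vulnerable, bypass payload:", check_answer_vulnerable(conn, USER, "' OR '1'='1"))
    print("hardened,   bypass payload:", check_answer_hardened(conn, USER, "' OR '1'='1"))
    store_answer(conn, "bob", "Name of first pet?", "Spotty'delete from secretquestions;--")
    print("rows after storing the joke name:",
          conn.execute("SELECT COUNT(*) FROM secretquestions").fetchone()[0])
```

Answers are kept in the clear here only to keep the injection point visible; in a real system the stored value would be a salted slow hash, which is a separate hardening from the one this example is about.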
To be fair, most of the systems I have seen that have secret-question-type security don't let you in on the basis of the secret question; they email a replacement password to you, and only use the secret question to reduce DoS attacks and minimise the sending of plain-text passwords. Surely in that case it's only an issue if the cracker has already compromised your email account?
What? Did I just start speaking Latin?
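The comment above describes the design that actually makes secret questions tolerable: the answer never grants access, it only gates sending a short-lived token to the email address on file. The following is an added example of that flow (not code from the article or the commenter), written as a self-contained Python class with a constructed in-memory "outbox" standing in for SMTP. Because the answer is a low-entropy dictionary word, as the earlier comments point out, it is normalized and stored under a salted PBKDF2 hash, compared in constant time, throttled with a lockout, and unknown usernames take the same hashing path so timing does not reveal which accounts exist. The attempt limit, lockout length and token lifetime are illustrative choices, not values from the page.

```python
import hashlib
import hmac
import secrets
import time
import unicodedata

PBKDF2_ITERATIONS = 100_000  # illustrative; tune to your hardware


def normalize(answer: str) -> str:
    """Fold case, whitespace and Unicode form so 'Spotty ' and 'spotty' match."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Slow, salted hash: the answer space is roughly a dictionary, so a fast
    hash would fall to an offline guess in seconds if the table leaked."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS)


class ResetService:
    MAX_ATTEMPTS = 3          # wrong answers before lockout (illustrative)
    LOCKOUT_SECONDS = 3600    # illustrative
    TOKEN_TTL_SECONDS = 900   # illustrative

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable for tests
        self.users = {}         # username -> record
        self.tokens = {}        # token -> (username, expiry)
        self.outbox = []        # (email, token): constructed stand-in for sending mail

    def register(self, username: str, email: str, question: str, answer: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "email": email, "question": question, "salt": salt,
            "answer_hash": hash_answer(answer, salt),
            "failures": 0, "locked_until": 0.0,
        }

    def request_reset(self, username: str, answer: str) -> bool:
        """True if a reset token was emailed. The answer alone never logs anyone
        in; it only decides whether mail goes to the address already on file."""
        rec = self.users.get(username)
        if rec is None:
            # Burn the same PBKDF2 cost as a real check so the response time
            # does not reveal whether the username exists.
            hash_answer(answer, b"\x00" * 16)
            return False
        now = self.clock()
        if now < rec["locked_until"]:
            return False
        if not hmac.compare_digest(hash_answer(answer, rec["salt"]), rec["answer_hash"]):
            rec["failures"] += 1
            if rec["failures"] >= self.MAX_ATTEMPTS:
                rec["locked_until"] = now + self.LOCKOUT_SECONDS
                rec["failures"] = 0
            return False
        rec["failures"] = 0
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, now + self.TOKEN_TTL_SECONDS)
        self.outbox.append((rec["email"], token))
        return True

    def redeem(self, token: str, new_password: str) -> bool:
        """Single-use, time-limited token completes the reset."""
        entry = self.tokens.pop(token, None)   # pop: a token is only ever redeemed once
        if entry is None:
            return False
        username, expires = entry
        if self.clock() > expires:
            return False
        salt = secrets.token_bytes(16)
        self.users[username]["password_hash"] = (salt, hash_answer(new_password, salt))
        return True


if __name__ == "__main__":
    svc = ResetService()
    svc.register("alice", "alice@example.com", "Name of first pet?", "Spotty")
    print("wrong answer mails a token:", svc.request_reset("alice", "fluffy"))
    print("right answer mails a token:", svc.request_reset("alice", "  spotty "))
    email, token = svc.outbox[-1]
    print("redeem once:", svc.redeem(token, "new-password"), "redeem again:", svc.redeem(token, "x"))
```

The point of routing through the mailbox is the one the comment makes: the question becomes a throttle on who can trigger mail, not a credential, so guessing it buys an attacker nothing unless the inbox is already theirs.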
That's the Bible, Genesis 1:1.