Study Shows "Secret Questions" Are Too Easily Guessed

wjousts writes "Several high-profile break-ins have resulted from hackers guessing the answers to secret questions (the hijacking of Sarah Palin's Yahoo account was one). This week, research from Microsoft and Carnegie Mellon University, presented at the IEEE Symposium on Security and Privacy, will show how woefully insecure secret questions actually are. As reported in Technology Review: 'In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participant's secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.'" Schneier pointed out years ago how weird it is to have a password-recovery mechanism that is less secure than the password.

Re:I agree

[will_die]

Who the hell else would know that?
Every other web site that you visited that asked that question.

Re:Don't use them

[Jurily]

Hence, rendering the whole facility useless, and causing you extra inconvenience.

Disabling an insecure security feature is not an inconvenience.

Ok, stop the smart ass solutions

[fph+il+quozientatore]

So, it seems every slashdotter is submitting his best SHA1 fancy trick to answer the security question. But I think you missed the problem. The problem is not securing the accounts of smart tech-savvy people, as they should already know how to do it themselves. It is "how do we make sure that Joe the Plumber, Granny, and Sarah do not set dumb-ass security questions leading their account to be pwned in less than ten seconds?"