Slashdot Mirror

← Back to Stories (view on slashdot.org)

Study Shows "Secret Questions" Are Too Easily Guessed

Posted by kdawson on from the name-of-your-late-great-aunt's-fifth-parakeet dept.

wjousts writes "Several high-profile break-ins have resulted from hackers guessing the answers to secret questions (the hijacking of Sarah Palin's Yahoo account was one). This week, research from Microsoft and Carnegie Mellon University, presented at the IEEE Symposium on Security and Privacy, will show how woefully insecure secret questions actually are. As reported in Technology Review: 'In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participant's secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.'" Schneier pointed out years ago how weird it is to have a password-recovery mechanism that is less secure than the password.

9 of 303 comments (clear)

  1. Don't use them by slart42 · · Score: 5, Funny

    I don't think many people would guess the name of my first pet was OIYNTDttye7it867t&%&^%&^T(

    1. Re:Don't use them by Anonymous Coward · · Score: 5, Interesting

      Some services let you choose the question as well as the answer. In that case, I always set the question to "What is my password?"

    2. Re:Don't use them by pbhj · · Score: 5, Interesting

      I bet it stores the answers as plain text instead of hashing it like your pass. You're probably basically giving the support guys your password, hope you don't use it elsewhere ... but no, of course no one would make a system that retarded

    3. Re:Don't use them by Jurily · · Score: 5, Insightful

      Hence, rendering the whole facility useless, and causing you extra inconvenience.

      Disabling an insecure security feature is not an inconvenience.

  2. I agree by jez9999 · · Score: 5, Funny

    Secret questions are way to easily guessed. They should just stick to the most reliable password of all, mother's maiden name. Who the hell else would know that?

    --
    == Jez ==
    Do you miss Firefox? Try Pale Moon.
    1. Re:I agree by will_die · · Score: 5, Insightful

      Who the hell else would know that?
      Every other web site that you visited that asked that question.

  3. Why don't... by Jamamala · · Score: 5, Interesting

    You just submit the hash of your answer as the real answer? This would outwit a sizeable proportion of attacks by people who know you, as they might be unlikely to guess that you'd do this, and even if they do, they'd still have to guess the hash type.

    Then again, if they truly know you, then maybe they'd guess you'd be this paranoid :P

  4. Spot on by pjt33 · · Score: 5, Interesting

    Shame I just used my mod points. There are plenty of cultures in which women don't change their names when they marry, and even in those where they do they tend not to change them unless they marry, which is becoming less common. Fortunately banks are starting to wake up, and maybe in a decade they'll all have semi-sensible account security.

  5. Ok, stop the smart ass solutions by fph+il+quozientatore · · Score: 5, Insightful

    So, it seems every slashdotter is submitting his best SHA1 fancy trick to answer the security question. But I think you missed the problem. The problem is not securing the accounts of smart tech-savvy people, as they should already know how to do it themselves. It is "how do we make sure that Joe the Plumber, Granny, and Sarah do not set dumb-ass security questions leading their account to be pwned in less than ten seconds?"

    --
    My first program:

    Hell Segmentation fault