Blog: Are Your 'Secret Questions' Too Easily Answered?

Are Your 'Secret Questions' Too Easily Answered?
Technology Review (05/18/09) Lemos, Robert

The "secret questions" that protect online accounts and passwords may be far less secure than commonly believed, largely because their answers are often far too simple, researchers say. Carnegie Mellon University and Microsoft researchers will present research at the IEEE Symposium on Security and Privacy, which highlights the vulnerabilities of the secret question systems used to secure the password-reset functions to numerous Web sites. In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participant's secret questions, and even people not trusted by the participant had a 17 percent chance of guessing the correct answer. "Secret questions alone are not as secure as we would like our backup authentication to be," says Microsoft researcher Stuart Schechter. "Nor are they reliable enough that their use alone is sufficient to ensure users can recover their accounts when they forget their passwords." The least-secure questions are simple ones that can be guessed with no existing knowledge of the subject. Schechter says backup-authentication schemes should be reliable and allow only legitimate users to regain access to their accounts. They also should be secure, preventing unauthorized users from gaining access. The study found that secret questions fail on both accounts. "We would eventually like to see these questions go away," Schechter says. "Unfortunately, since we didn't find many questions that were conclusively good, it's hard to recommend simply changing questions."

View Full Article