Sign In

Communications of the ACM

ACM TechNews

'secret' Questions Leave Accounts Vulnerable


View as: Print Mobile App Share: Send by email Share on reddit Share on StumbleUpon Share on Hacker News Share on Tweeter Share on Facebook

The secret questions some Web sites ask new users to answer for verification purposes in case a password is forgotten are actually far less secure and far easier for hackers and malicious users to guess, according to a new report by Microsoft Research.

Acquaintances of 32 Web email users, people who would not normally be told log-in information by the email user, were asked to try and guess the answers users assigned to the secret questions. The acquaintances were able to guess correctly nearly 20 percent of the time. Microsoft says a second study shows that another technique, relying on trusted friends to vouch for a user locked out of his or her account, is a more secure method.

Microsoft researchers Stuart Schechter and Rob Reeder propose a system in which users select several "trustees." If a user is locked out of their account, the trustees receive a message asking them to download a recovery code. The user must collect the codes from the trusties to re-access the account. Securing email accounts is extremely important, because obtaining access to an email account can give the attack access to the users other accounts, such as eBay and Amazon, by asking for password reminders, according to Cambridge University's Ross Anderson.

From New Scientist
View Full Article

 

Abstracts Copyright © 2009 Information Inc., Bethesda, Maryland, USA


 

No entries found