Brian Green’s experience with not-so-secret questions began when he logged on to his World of Warcraft account in March of this year and found all of his characters in their underwear. Someone had stolen the account and sold off all of his virtual equipment.
“My first thought was that I might have a keylogger on my computer,” Green wrote in a description of the event. Yet his own research into the incident–and the attacker’s ability to change his account passwords multiple times–led Green, who is himself a game designer, to a different conclusion: “My ‘secret question’ has an all-too-common answer … This wasn’t something I considered when I filled it out way back when.”
The incident bares similarities to the high-profile case involving Alaska governor and former vice-presidential candidate Sarah Palin. In September 2008, hackers used the name of the location where Palin and her husband met to gain access to her Yahoo e-mail account via the “secret question” password-recovery mechanism.
Palin and Green are not alone. In research to be presented at the IEEE Symposium on Security and Privacy this week, researchers from Microsoft and Carnegie Mellon University plan to show that the secret questions used to secure the password-reset functions of a variety of websites are woefully insecure. In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study’s participants could guess the correct answers to the participant’s secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.
“Secret questions alone are not as secure as we would like our backup authentication to be,” says Stuart Schechter, a researcher with software giant Microsoft and one of the authors of the paper. “Nor are they reliable enough that their use alone is sufficient to ensure users can recover their accounts when they forget their passwords.”
The least-secure questions are simple ones whose answers can be guessed with no existing knowledge of the subject, the researchers say. For example, the answers to the questions “What is your favorite town?” and “What is your favorite sports team?” were relatively easy for participants to guess. All told, 30 percent and 57 percent of the correct answers, respectively, appeared in the top-five list of guesses.
But answers that require only a little personal knowledge to guess should also be considered unsafe, the researchers warn. Of people that participants would not trust with their password, 45 percent could still answer a question about where they were born, and 40 percent could correctly give their pet’s name, the researchers found.