MIT Technology Review

Backup-authentication schemes should have two important characteristics, Schechter says. They should be reliable, allowing a legitimate user to regain access to his or her account, and they should be secure, preventing unauthorized users from gaining access.

The study found that secret questions fall short on both counts. Even for the most memorable questions (Yahoo’s, as it turned out), the participants forgot 16 percent of the answers within three to six months. Overall, one out of every five people forgot all of the answers to their secret questions, the researchers found.

“People tend to underestimate the likelihood of their forgetting some clever technique or glib answer,” Schechter says.

For most of a decade, security expert Bruce Schneier has criticized secret questions for their vulnerability to attack. In 2005, Schneier wrote, “I like to think that if I forget my password, it should be really hard to gain access to my account. I want it to be so hard that an attacker can’t possibly do it.”

Yet companies focused on reducing customer-service costs have introduced a back door into people’s accounts that is easier to circumvent than attempting to guess the password, he says. “The weird security thing that is being done is that there is a backup system to reset your password that is less secure than the system that it’s intended to support,” Schneier says.

Schechter agrees that researchers will have to find a completely different mechanism for backup authentication; secret questions just don’t cut it. “We would eventually like to see these questions go away,” he says. “Unfortunately, since we didn’t find many questions that were conclusively good, it’s hard to recommend simply changing questions.”

Schechter recommends not choosing questions that may have common answers. Schneier goes further and says that he frequently just types in a random answer; if he needs to retrieve a password, he says, he will call the company.
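As an added example, not from the article or from Schechter’s study, the following Python script measures the two properties named above for a single secret question: reliability (legitimate users still match their enrolled answer months later) and security (an attacker trying the most common answers before lockout gets in). The ten users’ answers, the number of guesses and the acceptance thresholds are all constructed assumptions.

```python
from collections import Counter

# Constructed sample: ten users' enrolled answers to one secret question and
# the answers they typed months later. Not data from the study.
ENROLLED = {
    "u1": "Blue", "u2": "blue", "u3": "Red", "u4": "Green", "u5": "blue ",
    "u6": "red", "u7": "Purple", "u8": "Black", "u9": "Blue", "u10": "orange",
}
RECALLED = {
    "u1": "blue", "u2": "Blue", "u3": "red", "u4": "teal", "u5": "blue",
    "u6": "Red", "u7": "violet", "u8": "black", "u9": "blue", "u10": "Orange",
}

def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive form, as reset flows usually compare."""
    return " ".join(answer.strip().lower().split())

def reliability(enrolled: dict, recalled: dict) -> float:
    """Reliability: share of legitimate users whose later answer still matches."""
    hits = sum(1 for u, a in enrolled.items()
               if normalize(a) == normalize(recalled.get(u, "")))
    return hits / len(enrolled)

def guess_success(enrolled: dict, attempts: int) -> float:
    """Security: share of accounts an attacker opens by trying the `attempts`
    most common answers in the population (the 'common answers' problem)
    before the reset flow locks out."""
    counts = Counter(normalize(a) for a in enrolled.values())
    guesses = {a for a, _ in counts.most_common(attempts)}
    return sum(1 for a in enrolled.values() if normalize(a) in guesses) / len(enrolled)

def evaluate(enrolled, recalled, attempts=2, min_reliability=0.9, max_guess=0.05):
    """Judge one question against both thresholds (threshold values are assumptions)."""
    r = reliability(enrolled, recalled)
    g = guess_success(enrolled, attempts)
    return {"reliability": r, "guess_success": g,
            "acceptable": r >= min_reliability and g <= max_guess}

if __name__ == "__main__":
    print(evaluate(ENROLLED, RECALLED))
```

On the constructed data the question fails both thresholds: two of ten users no longer match, and two guesses open six of ten accounts.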

Green, whose secret question asked the name of his high school, plans to use more secure e-mail in the future. And that may mean forgoing password retrieval. “Being able to reset my password on the site is nifty if I forget my password, but it sucks if someone else manages to figure out how to do it without my permission,” he says.


Credit: Technology Review

Tagged: Communications, Web, security, Microsoft, passwords
