Brian Green’s experience with not-so-secret questions began when he logged on to his World of Warcraft account in March of this year and found all of his characters in their underwear. Someone had stolen the account and sold off all of his virtual equipment.
“My first thought was that I might have a keylogger on my computer,” Green wrote in a description of the event. Yet his own research into the incident–and the attacker’s ability to change his account passwords multiple times–led Green, who is himself a game designer, to a different conclusion: “My ‘secret question’ has an all-too-common answer … This wasn’t something I considered when I filled it out way back when.”
The incident bears similarities to the high-profile case involving Alaska governor and former vice-presidential candidate Sarah Palin. In September 2008, hackers used the name of the location where Palin and her husband met to gain access to her Yahoo e-mail account via the “secret question” password-recovery mechanism.
Palin and Green are not alone. In research to be presented at the IEEE Symposium on Security and Privacy this week, researchers from Microsoft and Carnegie Mellon University plan to show that the secret questions used to secure the password-reset functions of a variety of websites are woefully insecure. In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study’s participants could guess the correct answers to those participants’ secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.
“Secret questions alone are not as secure as we would like our backup authentication to be,” says Stuart Schechter, a researcher with software giant Microsoft and one of the authors of the paper. “Nor are they reliable enough that their use alone is sufficient to ensure users can recover their accounts when they forget their passwords.”
The least-secure questions are simple ones whose answers can be guessed with no existing knowledge of the subject, the researchers say. For example, the answers to the questions “What is your favorite town?” and “What is your favorite sports team?” were relatively easy for participants to guess. All told, 30 percent and 57 percent of the correct answers, respectively, appeared in the top-five list of guesses.
But answers that require only a little personal knowledge to guess should also be considered unsafe, the researchers warn. Of the people participants would not trust with their password, 45 percent could still answer a question about where they were born, and 40 percent could correctly give their pet’s name, the researchers found.
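The “top-five list of guesses” figures above describe a simple metric a site operator can compute before deploying a question: the share of users whose answer falls among the most popular answers in the population. The following is an added example, not code or data from the article or the study; the candidate questions’ answer lists are constructed, and the case-folding in `normalize` is an assumption about how a reset form would compare answers.

```python
import math
from collections import Counter

def normalize(answer: str) -> str:
    """Fold case and strip punctuation so 'Red Sox!' and 'red sox' count as one answer."""
    kept = "".join(ch for ch in answer.lower() if ch.isalnum() or ch.isspace())
    return " ".join(kept.split())

def top_k_guess_rate(answers, k=5):
    """Fraction of users an attacker with no knowledge of the victim compromises
    by trying the k most popular answers in the population."""
    counts = Counter(normalize(a) for a in answers)
    hits = sum(n for _, n in counts.most_common(k))
    return hits / len(answers)

def min_entropy_bits(answers):
    """Worst-case unpredictability: -log2 of the single most common answer's share."""
    counts = Counter(normalize(a) for a in answers)
    return -math.log2(counts.most_common(1)[0][1] / len(answers))

def rank_questions(candidates, k=5):
    """Order candidate questions from most to least guessable by top-k rate."""
    scored = [(q, top_k_guess_rate(a, k), min_entropy_bits(a)) for q, a in candidates.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)

# Constructed sample answers (not the study's data): 20 users per question,
# plus a 100-user control in which every answer is distinct.
CANDIDATES = {
    "What is your favorite sports team?":
        ["Yankees"] * 6 + ["Red Sox", "red sox", "RED SOX!"] + ["Lakers"] * 3
        + ["Cowboys"] * 2 + ["Steelers"] * 2 + ["Packers", "Celtics", "Bulls", "Mets"],
    "What is your favorite town?":
        ["New York"] * 4 + ["Paris", "paris"] + ["London"] * 2 + ["Boston"] * 2
        + ["Seattle", "Austin", "Denver", "Chicago", "Miami",
           "Portland", "Tokyo", "Rome", "Madrid", "Berlin"],
    "Constructed control (every answer distinct)":
        [f"unique-answer-{i}" for i in range(100)],
}

if __name__ == "__main__":
    for question, rate, bits in rank_questions(CANDIDATES):
        print(f"{rate:5.0%} guessed in top 5, {bits:5.2f} bits min-entropy: {question}")
```

The top-k rate can never fall below k divided by the population size, so the absolute numbers here are only illustrative; a real evaluation needs the answers of a large user population.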
Backup-authentication schemes should have two important characteristics, Schechter says. They should be reliable, allowing a legitimate user to regain access to his or her account, and they should be secure, preventing unauthorized users from gaining access.
The study found that secret questions fall short on both counts. Even for the most memorable questions–Yahoo’s, as it turned out–the participants forgot 16 percent of the answers within three to six months. Overall, one out of every five people forgot all of the answers to their secret questions, the researchers found.
“People tend to underestimate the likelihood of their forgetting some clever technique or glib answer,” Schechter says.
For most of a decade, security expert Bruce Schneier has criticized secret questions for their vulnerability to attack. In 2005, Schneier wrote, “I like to think that if I forget my password, it should be really hard to gain access to my account. I want it to be so hard that an attacker can’t possibly do it.”
Yet companies focused on reducing customer-service costs have introduced a back door into people’s accounts that is easier to circumvent than attempting to guess the password, he says. “The weird security thing that is being done is that there is a backup system to reset your password that is less secure than the system that it’s intended to support,” Schneier says.
Schechter agrees that researchers will have to find a completely different mechanism for backup authentication–secret questions just don’t cut it. “We would eventually like to see these questions go away,” he says. “Unfortunately, since we didn’t find many questions that were conclusively good, it’s hard to recommend simply changing questions.”
Schechter recommends not choosing questions that may have common answers. Schneier goes farther and says that he frequently just types in a random answer; if he needs to retrieve a password, he says, he will call the company.
Green, whose secret question asked the name of his high school, plans to use more secure e-mail in the future. And that may mean forgoing password retrieval. “Being able to reset my password on the site is nifty if I forget my password, but it sucks if someone else manages to figure out how to do it without my permission,” he says.