Study Shows "Secret Questions" Are Too Easily Guessed [Slashdot]
I'm sure many of you have signed up for a web service at some point and have been asked to supply the answer to a "secret question" that you'll be asked if you ever forget your password. Those questions might be, "What was the name of your first pet?" or "What street did you live on growing up?" Though fairly common among security backup systems for password retrieval, one study presented at the IEEE Symposium on Security and Privacy in Oakland, California details how insecure the secret question methodology really is.
Microsoft and Carnegie Mellon University conducted a study of 130 people's secret questions and found that people who were known and trusted by the study's participants were able to guess the answers to standard "secret questions" a stunning 28 percent of the time. Even more surprising - people unknown to the study participants guessed the answers 17 percent of the time.
Though the study group was fairly small, the results are enlightening about the usefulness of so-called secret questions. For many fact-based questions - like "What was the make and model of your first car?" - it's likely that your close friends are just as aware of the answer as you are. The next time you're asked to supply the answer to a secret question, here are some tips for making it more secure.



