Security

Study Shows "Secret Questions" Are Too Easily Guessed 303

wjousts writes "Several high-profile break-ins have resulted from hackers guessing the answers to secret questions (the hijacking of Sarah Palin's Yahoo account was one). This week, research from Microsoft and Carnegie Mellon University, presented at the IEEE Symposium on Security and Privacy, will show how woefully insecure secret questions actually are. As reported in Technology Review: 'In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participant's secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.'" Schneier pointed out years ago how weird it is to have a password-recovery mechanism that is less secure than the password.
  • My question is: (Score:2, Informative)

    by dvh.tosomja ( 1235032 ) on Tuesday May 19, 2009 @05:29AM (#28008993)

    Who has more water than we expect to?

  • Re:Don't use them (Score:5, Informative)

    by zonky ( 1153039 ) on Tuesday May 19, 2009 @05:33AM (#28009019)
    Password safe [sourceforge.net], add the question and give a randomly generated combination as the answer. Problem solved.
  • Re:Don't use them (Score:2, Informative)

    by Anonymous Coward on Tuesday May 19, 2009 @05:57AM (#28009185)

    I don't think many people would guess the name of my first pet was OIYNTDttye7it867t&%&^%&^T(

    The name of my first pet, a hamster, was

    Spotty'delete from secretquestions;--

  • by Opportunist ( 166417 ) on Tuesday May 19, 2009 @06:42AM (#28009373)

    I dimly remember I saw something like this on /. before...

    It's a no brainer. Or at least it should be. Most of those "secret" questions draw from a limited set of possible answers. Worse, ALL those answers will be found in a dictionary. Because they invariably ask for (*drumroll*) a real, usually English, word.

    Now, what do we tell people, what did we tell them for ages? DO NOT use words that can be found in a dictionary. Yet for the "secret answer" (which is in almost all cases as good as the real password) we ask for a word that can be found in one.

    Is it me or is this like, you know, STUPID?

    There is no "secure" word. Not even your pet's name. My first pet was called ;drop table *;, btw. Yeah, I'm such a geek... sorry 'bout your database, btw.
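As an added illustration, not code from the original story or from any commenter, the following Python puts numbers on two points made above: Opportunist's observation that answers drawn from a short list of real words carry only a few bits, and zonky's fix of storing a randomly generated answer in a password safe. The candidate lists are constructed and far shorter than a real wordlist; the functions and names are hypothetical.

```python
import math
import secrets
import string

# Constructed, deliberately small candidate lists standing in for the "limited set of
# possible answers" the thread describes; a real attacker's list is larger, but the
# point holds: a real word drawn from a short list carries only a few bits of entropy.
COMMON_PET_NAMES = ["max", "bella", "charlie", "lucy", "molly", "buddy", "daisy", "rocky",
                    "maggie", "jake", "bailey", "sadie", "sophie", "chloe", "toby", "spotty"]
FAVOURITE_COLOURS = ["red", "blue", "green", "yellow", "purple", "black", "white", "orange"]

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def entropy_bits_of_set(candidates):
    """Bits of entropy when the answer is drawn uniformly from `candidates`."""
    return math.log2(len(candidates))


def guess_probability(candidates, attempts):
    """Chance of hitting the answer within `attempts` online tries (uniform guessing)."""
    return min(1.0, attempts / len(candidates))


def random_answer(length=20):
    """zonky's approach: a random string (kept in a password safe) instead of a real word."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_answer_entropy_bits(length=20, alphabet=ALPHABET):
    """Entropy of a uniformly random string of `length` symbols over `alphabet`."""
    return length * math.log2(len(alphabet))


def attempts_for_half_chance(entropy_bits):
    """Expected number of guesses to reach a 50% hit rate: half the keyspace."""
    return 2 ** (entropy_bits - 1)


def is_weak_answer(answer, common_answers=COMMON_PET_NAMES + FAVOURITE_COLOURS):
    """Server-side check: reject answers that are just a common dictionary entry.

    Normalises case and surrounding whitespace the way most sites compare answers,
    so 'Spotty' and 'spotty ' count as the same (weak) answer.
    """
    return answer.strip().lower() in common_answers
```

With eight colours an attacker needs about four tries for even odds, whereas a 20-character random answer over 62 symbols is around 119 bits, far beyond any online guessing budget.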

  • by digitig ( 1056110 ) on Tuesday May 19, 2009 @07:19AM (#28009555)
    To be fair, most of the systems I have seen that have secret question type security don't let you in on the basis of the secret question, they email a replacement password to you, and only use the secret question to reduce DOS attacks and minimise the sending of plain-text passwords. Surely in that case it's only an issue if the cracker has already compromised your email account?
  • Re:Don't use them (Score:5, Informative)

    by baxissimo ( 135512 ) on Tuesday May 19, 2009 @10:18AM (#28011329)

    That's the Bible, Genesis 1:1.
