Feeds

Password reset questions dead easy to guess

Your pet's name is Poochie? You're pwned

Secure remote control for conventional and virtual desktops

Guessing the answer to common password reset questions is far easier than previously thought, according to a new study by computer science researchers.

In the paper What's in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions (pdf), Joseph Bonneau of the University of Cambridge and two colleagues from the University of Edinburgh show how hackers stand a one in 80 chance of guessing common security questions such as someone's mother's maiden name or their first school within three attempts.

The academics reached their conclusion after analysing 270 million first and last names pairs extracted from Facebook. Online research about a subject or a pre-existing relationship makes the chances of figuring out the answer to password reset questions still easier.

Sarah Palin's Yahoo! webmail account was famously hacked during the 2008 presidential election using publicly available information to determine the answers to webmail password reset questions. The research led by Bonneau shows that even a brute force dictionary attack with no prior knowledge or background research stands an unacceptably high chance of success.

Bonneau, whose research currently focuses on security and privacy in social networks, said that online services need to move away from password reset questions towards more secure approaches, such as setting multiple questions. The issue is important because access to webmail accounts provides a gateway to other even more sensitive information, such as a possible mechanism to break into online banking accounts.

"Asking what was the name of someone's first grade teacher seems like a secure choice," Bonneau told the BBC. "The problem is that there's a tonne of teachers out there named Mrs Smith."

Sending reset passwords via text messages to a mobile phone already associated with an account represents another step towards improved security. ®

Intelligent flash storage arrays

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Free virtual appliance for wire data analytics
The ExtraHop Discovery Edition is a free virtual appliance will help you to discover the performance of your applications across the network, web, VDI, database, and storage tiers.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Business security measures using SSL
Examines the major types of threats to information security that businesses face today and the techniques for mitigating those threats.