Some webmail firms are sending reset passwords via text message
Questions used as security checks on websites need to be replaced by more complex tests to establish a person's identity, say researchers.
A study has shown how easy it is to guess the answer to common questions, such as someone's mother's maiden name.
It found attackers will be able to break into 1 in 80 accounts if they get three chances to guess answers.
"The numbers were worse than we thought," said Joseph Bonneau, the lead researcher on the study.
Many websites, including banks, credit card firms, webmail providers and others, use the supplementary questions when changes are made to an account.
In the case of many e-mail providers, they can be used to overwrite an existing password without knowing what it is.
Mr Bonneau, a security researcher at the University of Cambridge, said many other researchers had investigated the security of these questions.
One study by researchers from Microsoft and Carnegie Mellon looked at how easy it was for friends and family members to guess answers to security questions. They found that 17% of the answers could be guessed by those who knew a target.
Also, said Mr Bonneau, the information people use as answers might be widely known. For instance, in the US, marriage and birth records were held for a long time and many were viewable online, making it straightforward to find out useful data, he said.
"This assumes there is one account you want to break into and you are willing to spend a couple of hours finding out about this particular person," he said.
Searching online can reveal maiden names from wedding records
The work of Mr Bonneau and his colleagues, Mike Just and Greg Matthews from the University of Edinburgh, investigated how easy it was to stumble on the answer to a question if an attacker knew nothing about any of their potential victims.
"We measured how hard it was to guess answers," said Mr Bonneau.
They found that an attacker would get an answer right for one in every 80 accounts, provided they got three chances to try. Most webmail providers allow three attempts to get an answer right before they lock an account for a few hours or a day.
"Asking what was the name of someone's first grade teacher seems like a secure choice," he said. "The problem is that there's a tonne of teachers out there named Mrs Smith."
Mr Bonneau and his colleagues reached their conclusion after analysing 270 million pairs of first and last names culled from Facebook.
Ask a friend
The tactic of guessing was likely to be used by those attacking web e-mail armed with a long list of addresses, said Mr Bonneau. Spammers and other hi-tech criminals regularly compile and trade long lists of e-mail addresses.
"They have the big list and most of them they will not get enough access to," he said.
"Webmail was never really designed for security but it is taking on a pretty important security role," he said. "Once you have an e-mail account you can take over a lot of other things with it."
Webmail firms could make it much harder for thieves with little effort, said Mr Bonneau.
"They can make guessing a lot harder if they shape the answers that they allow," he said. "Such as not letting you register Smith as an answer."
Many security researchers were now looking into ways to make the security questions tougher to guess. Some are considering making people answer three questions before they can reset a password.
"The chance of guessing three things simultaneously is pretty low," said Mr Bonneau.
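The measurement described above (how often trying the most common answers succeeds when a provider allows three attempts), the "not letting you register Smith" policy and the three-question idea can all be worked through with a small defender-side model. The following Python is an added illustration and is not code from the article or from the Cambridge and Edinburgh researchers; the answer frequency table is constructed for the example and is not real data, and the assumption that refused users then pick a rare answer is the example's own simplification.

```python
# Added example, not code from the article or from the study it reports: a
# defender-side estimate of how often blind guessing of the most common answers
# succeeds, and a registration check that refuses answers that are too common.
# SAMPLE_ANSWERS is a constructed frequency table, not real data.
from collections import Counter

# Bucket for answers that occur once in the population; a blind guesser cannot
# usefully try these, so they count towards the total but never as a guess.
UNIQUE = "<unique>"

# Constructed: 8000 hypothetical accounts and how many chose each answer to a
# "mother's maiden name" style question. Chosen so that the three most common
# answers cover 100 accounts, i.e. 1 in 80, the figure quoted in the article.
SAMPLE_ANSWERS = Counter({
    "smith": 50,
    "jones": 30,
    "williams": 20,
    "brown": 15,
    "taylor": 10,
    UNIQUE: 7875,
})


def normalise(answer: str) -> str:
    """Fold case and whitespace so 'Smith', ' smith ' and 'SMITH' compare equal."""
    return " ".join(answer.lower().split())


def guess_success_rate(freqs: Counter, attempts: int) -> float:
    """Fraction of accounts a blind attacker compromises by trying the `attempts`
    most common answers against every account (lockout after `attempts` tries)."""
    total = sum(freqs.values())
    guessable = sorted(
        ((a, c) for a, c in freqs.items() if a != UNIQUE),
        key=lambda ac: ac[1],
        reverse=True,
    )
    return sum(c for _, c in guessable[:attempts]) / total


def multi_question_rate(single_rate: float, questions: int) -> float:
    """Success rate when all `questions` answers must be guessed within the same
    attempt budget, assuming the questions are independent of each other."""
    return single_rate ** questions


def is_answer_allowed(answer: str, freqs: Counter, max_share: float) -> bool:
    """Registration check: refuse an answer already used by more than `max_share`
    of existing accounts (the 'not letting you register Smith' policy)."""
    total = sum(freqs.values())
    return freqs[normalise(answer)] / total <= max_share


def apply_policy(freqs: Counter, max_share: float) -> Counter:
    """Model the population after the registration check. Assumption (this
    example's own): users whose answer is refused pick something rare enough
    to land in the UNIQUE bucket."""
    total = sum(freqs.values())
    shaped: Counter = Counter()
    for answer, count in freqs.items():
        if answer != UNIQUE and count / total > max_share:
            shaped[UNIQUE] += count
        else:
            shaped[answer] += count
    return shaped


if __name__ == "__main__":
    base = guess_success_rate(SAMPLE_ANSWERS, 3)
    print(f"three guesses, one question:    1 in {1 / base:.0f} accounts")
    print(f"three guesses, three questions: {multi_question_rate(base, 3):.2e}")
    shaped = apply_policy(SAMPLE_ANSWERS, max_share=0.002)
    print(f"after refusing answers above 0.2%: 1 in "
          f"{1 / guess_success_rate(shaped, 3):.0f} accounts")
    print("is 'Smith' allowed?", is_answer_allowed("Smith", SAMPLE_ANSWERS, 0.002))
```

Running the script shows the three effects side by side: one question with three guesses yields the 1-in-80 rate the sample was built to reproduce, requiring three independent questions pushes the rate to roughly one in half a million, and simply refusing any answer held by more than 0.2% of accounts (which rejects "Smith", "Jones" and "Williams" in the sample) cuts the single-question rate to one in 320. The independence assumption in `multi_question_rate` is optimistic in practice, since answers such as a mother's maiden name and a first pet's name are often found together in the same public records.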
Others, such as Google, were sending reset passwords by text message.
Some were experimenting with making webmail users nominate five friends who would be contacted in the event of them forgetting their usual password. Only when the user had contacted three of them and received the information they sent could the password be reset.
This might seem like a lot of work, said Mr Bonneau, but it also might encourage people to be more careful with the questions and answers they choose.