Page last updated at 12:02 GMT, Monday, 8 March 2010

Weak security ID questions put e-mail at risk

Image caption: Some webmail firms are sending reset passwords via text message

Questions used as security checks on websites need to be replaced by more complex tests to establish a person's identity, say researchers.

A study has shown how easy it is to guess the answer to common questions, such as someone's mother's maiden name.

It found attackers will be able to break into 1 in 80 accounts if they get three chances to guess answers.

"The numbers were worse than we thought," said Joseph Bonneau, the lead researcher on the study.

Guess list

Many websites, including banks, credit card firms, webmail providers and others, use the supplementary questions when changes are made to an account.

In the case of many e-mail providers, they can be used to overwrite an existing password without knowing what it is.

Mr Bonneau, a security researcher at the University of Cambridge, said many other researchers had investigated the security of these questions.

One study by researchers from Microsoft and Carnegie Mellon looked at how easy it was for friends and family members to guess answers to security questions. They found that 17% of the answers could be guessed by those who knew a target.

Also, said Mr Bonneau, the information people use as answers might be widely known. For instance, in the US, marriage and birth records have been kept for a long time and many are viewable online, making it straightforward to find out useful data, he said.

"This assumes there is one account you want to break into and you are willing to spend a couple of hours finding out about this particular person," he said.

Image caption: Searching online can reveal maiden names from wedding records

The work of Mr Bonneau and his colleagues, Mike Just and Greg Matthews from the University of Edinburgh, investigated how easy it was to stumble on the answer to a question if the attacker knew nothing about any of the potential victims.

"We measured how hard it was to guess answers," said Mr Bonneau.

They found that an attacker would get an answer right once in every 80 accounts, provided they got three chances to try. Most webmail providers allow three attempts to get an answer right before they lock an account for a few hours or a day.

"Asking what was the name of someone's first grade teacher seems like a secure choice," he said. "The problem is that there's a tonne of teachers out there named Mrs Smith."

Mr Bonneau and his colleagues reached their conclusion after analysing 270 million pairs of first and last names culled from Facebook.

Ask a friend

The tactic of guessing was likely to be used by those attacking web e-mail armed with a long list of addresses, said Mr Bonneau. Spammers and other hi-tech criminals regularly compile and trade long lists of e-mail addresses.

"They have the big list and most of them they will not get enough access to," he said.

"Webmail was never really designed for security but it is taking on a pretty important security role," he said. "Once you have an e-mail account you can take over a lot of other things with it."

Webmail firms could make it much harder for thieves with little effort, said Mr Bonneau.

"They can make guessing a lot harder if they shape the answers that they allow," he said. "Such as not letting you register Smith as an answer."

Many security researchers were now looking into ways to make the security questions tougher to guess. Some are considering making people answer three questions before they can reset a password.

"The chance of guessing three things simultaneously is pretty low," said Mr Bonneau.
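The guessing attack and the two defences discussed above (limiting reset attempts, refusing to register very common answers such as "Smith", and requiring several questions at once) can be modelled with a small simulation. This is an added example, not code from the study or from any webmail provider; the answer counts are constructed and are not the researchers' Facebook data, and the policy model assumes users holding a banned answer simply drop out of the guessable distribution.

```python
"""Model of a blind guessing attack on security questions: the attacker
knows nothing about the victim and spends the allowed attempts on the
most common answers. Added example; all counts below are constructed."""
from collections import Counter

# Constructed sample: how often each answer to "first teacher's surname"
# was registered across a toy user base of 1000 accounts (hypothetical).
SAMPLE_ANSWERS = Counter({
    "smith": 120, "jones": 80, "brown": 50, "taylor": 40, "wilson": 30,
    "davies": 25, "evans": 20, "thomas": 15, "roberts": 10, "johnson": 10,
})
# The remaining 600 accounts each chose a distinct, rare answer.
SAMPLE_ANSWERS.update({f"rare-name-{i}": 1 for i in range(600)})


def guess_success(answers, attempts):
    """Fraction of accounts an attacker breaks by trying the `attempts`
    most common answers (webmail typically locks the account after 3)."""
    total = sum(answers.values())
    top_counts = [count for _, count in answers.most_common(attempts)]
    return sum(top_counts) / total


def apply_answer_policy(answers, banned_top_n):
    """Defender-side policy from the article: refuse to register the
    most common answers. Modelling assumption: accounts that held a banned
    answer are removed from the distribution rather than redistributed."""
    banned = {answer for answer, _ in answers.most_common(banned_top_n)}
    return Counter({a: c for a, c in answers.items() if a not in banned})


def joint_success(per_question_rates):
    """Chance of passing several independent questions in one reset
    attempt, i.e. the product of the individual success rates."""
    probability = 1.0
    for rate in per_question_rates:
        probability *= rate
    return probability


if __name__ == "__main__":
    base = guess_success(SAMPLE_ANSWERS, 3)
    restricted = apply_answer_policy(SAMPLE_ANSWERS, 3)
    print(f"3 guesses, no policy:        {base:.3f}")
    print(f"3 guesses, top-3 banned:     {guess_success(restricted, 3):.3f}")
    print(f"3 questions, 3 guesses each: {joint_success([base] * 3):.5f}")
```

The constructed distribution is deliberately skewed so the effect of each defence is visible; the study's real figure of 1 in 80 corresponds to a much flatter distribution of answers.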

Others, such as Google, were sending reset passwords by text message.

Some were experimenting with making webmail users nominate five friends who would be contacted in the event of the user forgetting their usual password. Only when the user had contacted three of them and received the information sent to those friends could the password be reset.

This might seem like a lot of work, said Mr Bonneau, but it also might encourage people to be more careful with the questions and answers they choose.

Copyright © 2020 BBC.