
When Your Secret Questions Aren’t So Secret

25 May 2009

There’s been a flurry of news recently about an article from Microsoft and Carnegie Mellon University researchers showing that secret questions used to recover forgotten passwords aren’t so secret after all. As reported in Technology Review:

In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study’s participants could guess the correct answers to the participant’s secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.

The least-secure questions are simple ones whose answers can be guessed with no existing knowledge of the subject, the researchers say. For example, the answers to the questions “What is your favorite town?” and “What is your favorite sports team?” were relatively easy for participants to guess. All told, 30 percent and 57 percent of the correct answers, respectively, appeared in the top-five list of guesses.

But answers that require only a little personal knowledge to guess should also be considered unsafe, the researchers warn. Of people that participants would not trust with their password, 45 percent could still answer a question about where they were born, and 40 percent could correctly give their pet’s name, the researchers found.

This is the same security flaw that allowed someone to hack into Sarah Palin’s e-mail account, and a student in my “Information Technology Ethics” class demonstrated the ease of hacking into an e-mail account by using information from a Facebook profile to correctly answer the “secret questions.”

While some companies are recognizing the limitations of secret questions (eBay, for example, suggests using “incorrect or irrelevant” answers to its secret questions), it is hard not to agree with what Bruce Schneier pointed out years ago: if the answer to the secret question is much easier to guess than the password, and the information behind it is much more public, there is little use for either.
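The practical reading of the eBay advice and Schneier’s point is that a recovery answer is only useful if it is treated as a second password: random rather than biographical, rejected when it sits on a list of common guesses, stored as a salted slow hash, and protected by a failure counter so that a 17 to 45 percent per-guess success rate cannot be turned into many free attempts. The following is an added example written for this post, not code from any of the companies or researchers it mentions; the `RecoveryQuestionStore` class, the `COMMON_ANSWERS` denylist, the iteration count and the attempt limit are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this illustration, not figures from the post or the study.
PBKDF2_ITERATIONS = 200_000      # work factor for the slow hash
MIN_ANSWER_LENGTH = 12           # shorter answers are rejected at enrollment
MAX_FAILED_ATTEMPTS = 5          # failures before the recovery path locks

# Constructed denylist standing in for the kind of "top-five guesses" the study describes.
COMMON_ANSWERS = {
    "pittsburgh steelers", "new york yankees", "los angeles lakers",
    "chicago", "paris", "fluffy", "max",
}


def is_weak_answer(answer: str, common_answers=COMMON_ANSWERS) -> bool:
    """True if the answer is short or appears on the list of frequent guesses."""
    cleaned = answer.strip().lower()
    return len(cleaned) < MIN_ANSWER_LENGTH or cleaned in common_answers


def generate_answer(nbytes: int = 16) -> str:
    """Return a random, 'irrelevant' answer meant to live in a password manager."""
    return secrets.token_urlsafe(nbytes)


def _derive(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the answer, same as one would do for a password."""
    return hashlib.pbkdf2_hmac(
        "sha256", answer.strip().encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


class RecoveryQuestionStore:
    """Server-side store: only a salted slow hash is kept, plus a per-user failure counter."""

    def __init__(self):
        self._records = {}  # user -> {"salt": bytes, "digest": bytes, "failures": int}

    def enroll(self, user: str, answer: str) -> None:
        if is_weak_answer(answer):
            raise ValueError("answer is too short or too common to serve as a secret")
        salt = secrets.token_bytes(16)
        self._records[user] = {
            "salt": salt, "digest": _derive(answer, salt), "failures": 0,
        }

    def is_locked(self, user: str) -> bool:
        rec = self._records.get(user)
        return rec is not None and rec["failures"] >= MAX_FAILED_ATTEMPTS

    def verify(self, user: str, attempt: str) -> bool:
        """Constant-time comparison; wrong answers count toward the lockout."""
        rec = self._records.get(user)
        if rec is None or rec["failures"] >= MAX_FAILED_ATTEMPTS:
            return False
        ok = hmac.compare_digest(_derive(attempt, rec["salt"]), rec["digest"])
        if ok:
            rec["failures"] = 0
        else:
            rec["failures"] += 1
        return ok


if __name__ == "__main__":
    store = RecoveryQuestionStore()
    answer = generate_answer()
    store.enroll("alice", answer)
    print("random answer accepted:", store.verify("alice", answer))
    print("common guess rejected:", store.verify("alice", "Pittsburgh Steelers"))
```

The two halves address the two failure modes in the quoted study: `is_weak_answer` keeps guessable answers out at enrollment, and the failure counter in `verify` bounds how many of the "top-five" guesses an outsider can try before the recovery path stops responding.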
