Password reminders: hard to remember, but easy to hack
May 20, 2009
Forgetting which password you used for a rarely used shopping site can be a pain, one that’s often made worse by the fallback authentication method. If you’re like me, you’re often stumped by which of your past pets you considered your favorite two years ago, or whether you put a "the" in front of your favorite sports franchise when first registering. Those sorts of failures should be worth it, since they add an extra layer of security to the password recovery process.
Except they don’t.
That’s the conclusion of a study that will be presented this week at the IEEE Symposium on Security & Privacy, which looked at the backup security questions used by a variety of webmail services.
The study was a joint effort involving researchers at Carnegie Mellon University and Microsoft Research; the latter organization is hosting a copy of the study. The authors focused on webmail for a number of reasons. For one, securing mail accounts against use by spammers is an ongoing challenge for service providers. Webmail services are also exceptionally sensitive to these backup authentication methods, since they have no guarantees that a user will have a second e-mail address at which to receive reauthentication instructions. Finally, people often keep personal information in their webmail accounts, leaving it vulnerable to hacking, as a certain Alaskan politician is now well aware.
So, the researchers recruited a number of participants through a population of subjects maintained by Microsoft Research, and had them bring along a coworker, friend, or family member to two test sessions (there were a total of 130 participants). To induce serious participation, a variety of raffle tickets and gift certificates were provided. The subjects were asked to answer a series of questions taken from webmail services, and given the opportunity to guess what their companions answered, both with and without the opportunity to research them on the Web.
At the follow-up visits, which occurred three to six months later, the failure rate was about what you’d expect, in the area of 20-25 percent, depending on how stringent the validation was. Ironically, that’s about the same rate at which people were able to provide their companion’s personal information, like town of birth or pet’s name. The researchers broke this latter figure down according to whether a person would trust their companion to have the password anyway; this made some difference, as trusted individuals got the information right in over a quarter of the cases, but those who weren’t trusted still got it right over 15 percent of the time.
Realistically, it’s not much of a surprise that some relevant personal information could be harvested from information on Facebook and Flickr pages. The real worry is that a large percentage of the answers could be guessed purely based on statistics. Some of this information is geographical: knowing where a person’s from makes it a bit easier to predict their answer to questions about their favorite town, place of birth, or favorite sports team. Others, like favorite book or historic figure, are simply measures of popularity. The same presumably goes for things like high school mascots, where lions and tigers and bears (oh my!) are probably over-represented. In all of these cases (and a few others), over 10 percent of the participants provided identical answers to these questions.
Google gives its users the chance to write their own questions, but that didn’t seem to improve matters much. Many of the participants chose things like eye color or blood type, which have a limited number of reasonable answers, and are subject to random guessing.
Perhaps the most disheartening thing about the study, however, was the fact that it shouldn’t have needed to be performed. The authors cite two studies that appeared in the 1990s and focused on the use of personal information for identity verification, and both saw failure rates in the same neighborhood as this study. Those who forget the past…
This post has been written by John Timmer on May 19, 2009 9:59 PM courtesy of arstechnica.com.