Open secrets about the email 'secret' question

CIOL Bureau

WASHINGTON, USA: Where there is Web, there is a hacker – in this age of information revolution the adage can be redrafted this way. And to save your email accounts from the hacker menace, the service providers ask you to answer some 'secret' questions, in the hope that such secrets are confined to you only.

But a recent study by researchers at Microsoft Research in Redmond, Washington, US, reveals that the answers to such security questions can be guessed by other people.

The study conducted by Stuart Schechter, A. J. Bernheim Brush – both from Microsoft Research – and Serge Egelman of Carnegie Mellon University, says all the major email service providers like AOL, Google, Microsoft, and Yahoo! rely on personal questions as the secondary authentication secrets used to reset account passwords.

The security of these questions has received limited formal scrutiny, almost all of which predates webmail.

The study was conducted among the acquaintances of 32 webmail users, people with whom they would not normally share their login details.

These acquaintances were asked to try and guess the answers users assigned to protect their accounts. The volunteers managed to guess correctly nearly a fifth of the time, raising questions over how secure the commonly used system is.

“Acquaintances with whom participants reported being unwilling to share their webmail passwords were able to guess 17 per cent of their answers. Participants forgot 20 per cent of their own answers within six months,” the study said.

“What’s more, 13 per cent of answers could be guessed within five attempts by guessing the most popular answers of other participants, though this weakness is partially attributable to the geographic homogeneity of our participant pool,” it added.
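The "most popular answers of other participants" measurement above is something a provider can compute over its own stored answers, and the same ranking can drive an enrolment policy that refuses answers too common to be secret. The Python below is an added example, not code from the study or from any provider: the answer pool is constructed for illustration, and the alphabetical tie-break and the five-attempt budget are assumptions made so the numbers are deterministic.

```python
from collections import Counter

# Constructed sample pool of stored answers to one "favourite food" question
# (illustrative data, not the study's participants' answers).
SAMPLE_POOL = (
    ["pizza"] * 6 + ["pasta"] * 4 + ["sushi"] * 3 + ["tacos"] * 2
    + ["curry", "ramen", "biryani", "steak", "salad"]
)


def normalise(answer: str) -> str:
    """Canonicalise the way a provider compares answers: case-fold, squeeze whitespace."""
    return " ".join(answer.lower().split())


def most_popular(pool, n):
    """Top-n answers by frequency; ties are broken alphabetically (assumed convention)
    so that the ranking, and therefore the metric, is deterministic."""
    counts = Counter(normalise(a) for a in pool)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [answer for answer, _ in ranked[:n]]


def fraction_guessable(pool, attempts=5):
    """Leave-one-out estimate of the study's statistic: for each account, could its
    answer be found within `attempts` guesses drawn from the most popular answers
    of the *other* accounts in the pool?"""
    hits = 0
    for i, answer in enumerate(pool):
        others = pool[:i] + pool[i + 1:]
        if normalise(answer) in most_popular(others, attempts):
            hits += 1
    return hits / len(pool)


def is_acceptable(candidate, pool, attempts=5):
    """Enrolment policy: refuse an answer already among the top-n of the existing pool,
    since an attacker guessing popular answers would reach it within n attempts."""
    return normalise(candidate) not in most_popular(pool, attempts)
```

On this small, deliberately homogeneous pool the leave-one-out metric comes out at 65 per cent, far above the 13 per cent the study reports, which illustrates the study's own caveat that the figure depends heavily on how alike the population is.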

However, a second Microsoft study suggests a more secure alternative: relying on trusted friends to vouch for you if an account becomes locked.

Under the new system proposed by Stuart Schechter and Rob Reeder, users select several “trustees”. If a user becomes locked out of his/her account these trustees receive a message asking them to download a “recovery code”. The user must collect codes from multiple trustees to unlock their account.
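As an added illustration of the trustee scheme just described, and not code from the Microsoft study or from any provider, the Python below models one service-side implementation. The article does not say how many trustees must respond, so the threshold k of n, the per-trustee one-time codes and the hashed storage of those codes are all assumptions of this example.

```python
import hashlib
import hmac
import secrets


class TrusteeRecovery:
    """Account recovery via trusted friends, modelled on the scheme above.

    Assumptions for this example: the service stores only a hash of each
    one-time code it issues, and a fixed threshold `k` of the `n` trustees
    must return their codes before the account unlocks.
    """

    def __init__(self, trustees, k):
        if not 0 < k <= len(trustees):
            raise ValueError("threshold must be between 1 and the number of trustees")
        self.trustees = list(trustees)
        self.k = k
        self._issued = {}        # trustee -> sha256 hex digest of the code sent to them
        self._collected = set()  # trustees whose valid code has been returned

    def start_recovery(self):
        """Begin a recovery attempt by minting a fresh code per trustee.

        Returns the plaintext codes so the caller can deliver them to each
        trustee out-of-band; the service itself keeps only the digests.
        """
        self._issued.clear()
        self._collected.clear()
        codes = {}
        for trustee in self.trustees:
            code = secrets.token_urlsafe(12)
            self._issued[trustee] = hashlib.sha256(code.encode()).hexdigest()
            codes[trustee] = code
        return codes

    def submit_code(self, trustee, code):
        """Accept a code the user collected from one trustee; True if it was valid."""
        expected = self._issued.get(trustee)
        if expected is None:
            return False
        digest = hashlib.sha256(code.encode()).hexdigest()
        if not hmac.compare_digest(expected, digest):
            return False
        self._collected.add(trustee)  # a set, so one trustee never counts twice
        return True

    def can_unlock(self):
        """The account unlocks only once k distinct trustees have vouched."""
        return len(self._collected) >= self.k


def demo():
    """Walk through a 3-of-5 recovery with constructed trustee names.

    Returns (unlocked after two codes, unlocked after a replay and a bad code,
    unlocked after the third valid code).
    """
    rec = TrusteeRecovery(["alice", "bob", "carol", "dave", "erin"], k=3)
    codes = rec.start_recovery()
    rec.submit_code("alice", codes["alice"])
    rec.submit_code("bob", codes["bob"])
    after_two = rec.can_unlock()
    rec.submit_code("bob", codes["bob"])             # replaying bob's code adds nothing
    rec.submit_code("carol", "not-the-real-code")    # a wrong code is rejected
    still_two = rec.can_unlock()
    rec.submit_code("carol", codes["carol"])
    return after_two, still_two, rec.can_unlock()
```

Two points a practitioner would check in such a design: a single trustee cannot unlock the account alone, however many times their code is replayed, and the service never holds the plaintext codes, so a read of its database does not by itself yield a working recovery.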

Securing webmail is important, points out Ross Anderson, a security engineer at Cambridge University, UK, because an email account typically gives an attacker access to other accounts, for example eBay and Amazon: it is possible to request password reminders that will be sent to the compromised account.

"If I can recover these passwords via your email account then I can spend the balance of your credit card on flat-screen TVs," a New Scientist report quoted him as saying.

Hackers can break open webmail accounts by guessing the password, the study said.

Public awareness of the potential weaknesses of personal authentication questions reached new heights when 2008 Republican vice presidential nominee Sarah Palin’s Yahoo! Mail account was compromised via her question, it pointed out.

So what do you think? Is the answer to your 'secret' question a secret? Or an open secret?
