May 18 2009
Microsoft and Carnegie Mellon University are presenting some research at the IEEE Symposium on Security and Privacy. Researchers look at a very common authentication technology with a critical eye and ask, 'just how effective are those secret questions that we fill out for online banking, email, etc?'
The research suggests that these secret questions are not very reliable. In the study, which involved 130 participants, 28% of people who knew (and were trusted by) a participant could guess his/her 'secret answers', and 17% of people whom the participant did not trust could do so as well.
Certain kinds of questions are less secure than others. For example, researchers found that 45% of 'untrusted' people could guess where a participant was born, and 40% could correctly guess the participant's pet's name.
So, what do you think? Are secret questions still a good tool for backup authentication? Or, should the security industry work on finding a better backup method?

written by Jada, May 26, 2009
written by Greg H., May 27, 2009
I haven't talked to you in ages - how are work/life treating you?
Frankly, I'm in the same boat as you - my 'secret' answers are not terribly secret. However, I read some interesting ideas on Schneier on Security. The consensus there was that you've got to treat a secret answer like a secondary password and follow all of the same password rules. For example, you should avoid using dictionary words; use letters, numbers and symbols; and regularly update your answers.
So, I guess that my Mother's maiden name is jadhfklh8983i&6d - and here I thought that 'Hluska' was a mouthful. :-)
Take care and thanks for commenting!
G