Title :
It´s No Secret. Measuring the Security and Reliability of Authentication via “Secret” Questions
Author :
Schechter, Stuart ; Brush, A. J Bernheim ; Egelman, Serge
Author_Institution :
Microsoft Res., Redmond, WA, USA
Abstract :
All four of the most popular webmail providers - AOL, Google, Microsoft, and Yahoo! - rely on personal questions as the secondary authentication secrets used to reset account passwords. The security of these questions has received limited formal scrutiny, almost all of which predates webmail. We ran a user study to measure the reliability and security of the questions used by all four webmail providers. We asked participants to answer these questions and then asked their acquaintances to guess their answers. Acquaintances with whom participants reported being unwilling to share their webmail passwords were able to guess 17% of their answers. Participants forgot 20% of their own answers within six months. What´s more, 13% of answers could be guessed within five attempts by guessing the most popular answers of other participants, though this weakness is partially attributable to the geographic homogeneity of our participant pool.
Keywords :
Internet; security of data; AOL; Google; Microsoft; Yahoo; authentication reliability; geographic homogeneity; limited formal scrutiny; secret questions; webmail providers; Authentication; Brushes; Electronic mail; Laboratories; Postal services; Privacy; Radio access networks; Security; Statistics; Web services; Authentication;
Conference_Titel :
Security and Privacy, 2009 30th IEEE Symposium on
Conference_Location :
Berkeley, CA
Print_ISBN :
978-0-7695-3633-0
