Tue, Jun 23 02:56 PM
What's the name of the school you attended? What is the first name of your favourite cousin? Well, email services often protect accounts with these kind of security questions in case holders forget their password.
Now, a new study in the US has revealed just how easy the answers of such security questions are for other people to guess -- in fact these facts make life simple for hackers, the 'New Scientist' reported.
Researchers at Microsoft have based their findings on an analysis of an experiment, involving 32 email users.
Acquaintances of the email users - people with whom they wouldn't normally share their login details - were asked to try and guess the answers users assigned to protect their accounts.
The volunteers managed to guess correctly a fifth of the time, raising questions over how secure the commonly used system is, the study found.
However, a second study by software giant Microsoft has suggested a more secure alternative - relying on trusted friends to vouch for you if an account becomes locked.
"Securing webmail is important because email accounts typically allow an attacker access to other accounts, for example, eBay and Amazon. If I can recover these passwords via your email account then I can spend the balance of your credit card on flat-screen TVs," Ross Anderson of Cambridge University was quoted as saying.
Under the new system proposed by Stuart Schechter and Rob Reeder at Microsoft, users select several "trustees".
If a user becomes locked out of their account their trustees receive a message asking them to download a "recovery code". The user must collect codes from multiple trustees to unlock their account.
A group of 19 Hotmail users trialed the system and 17 successfully regained access to their Hotmail account. That 90-per-cent success rate compares favourably to 80-per-cent success rate of the secret question system, say Reeder.
In the trial, most users recovered their accounts within two days. However, when the researchers got users' acquaintances to ask the trustees to give up the codes, many of them did so.
Reeder said this attack could be avoided by getting account holders to advise trustees of their role in advance. In the trial, trustees simply received an email containing the code out of the blue.
Rather than replacing the standard secret questions approach, the new method should be an optional choice for users, according to Anderson, who agrees that it is important to train trustees to be appropriately security conscious.
But the idea has promise, said Reeder, pointing out that it is not a new idea to have people use third parties to back up their identity.