Password reminder questions are posing a risk to internet users, according to research from Edinburgh and Cambridge universities.
In a whitepaper entitled “What’s in a name?”, the researchers argue that the systems in place to protect online accounts are inherently flawed, because many such passwords can be guessed with only the most basic knowledge about the account holder.
The report specifically highlights “security questions” used to verify users who have forgotten passwords or login credentials, a system used by some of the world’s biggest online names including eBay, Google and Yahoo.
“Despite their ubiquity, personal knowledge questions have received relatively little attention from the security community until recently,” the paper said.
“User studies have demonstrated the ability of friends, family and acquaintances to guess answers correctly, while other research has found that some questions used have a tiny set of possible answers.
“Many common questions have also been shown to have answers readily available in public databases or online social networks.”
The researchers looked at the type of security questions asked using data from a range of online service providers, including banks and financial institutions, as well as webmail services such as Hotmail, Gmail and Yahoo Mail.
One in three asked for a person’s name, and one in five asked for a place name. The researchers said that, when faced with these questions and given three guesses, an attacker can compromise roughly one in 80 accounts. The risk was higher when names were used as the security answers, because certain names are very common in particular parts of the world, such as Smith in the Western world or Kim in Korea.
“Given names are a matter of fashion and vary in several interesting dimensions. In the countries studied, female names seem to provide slightly higher resistance to guessing than male names,” said the paper.
“The diversity of forenames has been increasing slowly but steadily over the past six decades in the US. Curiously, pet names are slightly harder to guess than human names.”
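The figures quoted above (success with three guesses, and the effect of name diversity) come from a simple statistical attack model: an attacker who knows the answer distribution tries the most popular answers first, so the chance of success with k guesses is the combined share of the top k answers. The following added example, which is not from the paper or the article, implements that calculation over two small constructed name tables (the counts are invented for illustration and are not census data) and adds the defender-side check a site could apply at enrolment: rejecting an answer that sits inside the attacker's top-k guess list. The function names are my own.

```python
"""Measure how guessable a personal-knowledge answer is from its frequency table.

Model: the attacker knows the answer distribution and tries the most common
answers in descending order.  With k guesses, success probability is the
share of the population whose answer is among the top k.
"""


def long_tail(prefix: str, n: int) -> dict:
    """Constructed helper: n distinct rare names, one holder each."""
    return {f"{prefix}{i}": 1 for i in range(n)}


# Constructed sample distributions (100 account holders each), NOT real data.
# The female table is deliberately flatter to illustrate the paper's finding
# that a more diverse name pool resists guessing better.
MALE_NAMES = {"James": 12, "John": 10, "Robert": 8, "Michael": 6,
              "William": 5, "David": 4, "Richard": 3, "Joseph": 2}
MALE_NAMES.update(long_tail("rare_m_", 50))       # 50 popular + 50 rare = 100

FEMALE_NAMES = {"Mary": 6, "Patricia": 5, "Jennifer": 5, "Linda": 4,
                "Elizabeth": 4, "Barbara": 3, "Susan": 2, "Jessica": 1}
FEMALE_NAMES.update(long_tail("rare_f_", 70))     # 30 popular + 70 rare = 100


def _ranked(freq: dict) -> list:
    """Answers sorted by popularity, most common first (name breaks ties)."""
    return sorted(freq.items(), key=lambda kv: (-kv[1], kv[0]))


def guess_success_rate(freq: dict, k: int) -> float:
    """Probability that a k-guess attacker hits a random holder's answer."""
    total = sum(freq.values())
    return sum(count for _, count in _ranked(freq)[:k]) / total


def guesses_needed(freq: dict, target: float) -> int:
    """Smallest number of guesses that compromises at least `target` of holders."""
    total = sum(freq.values())
    cumulative = 0
    for i, (_, count) in enumerate(_ranked(freq), start=1):
        cumulative += count
        if cumulative / total >= target:
            return i
    return len(freq)


def expected_compromised(freq: dict, k: int, accounts: int) -> float:
    """Expected number of accounts opened by a k-guess attack over `accounts` users."""
    return guess_success_rate(freq, k) * accounts


def is_weak_answer(answer: str, freq: dict, k: int) -> bool:
    """Enrolment check: True if the answer is one of the attacker's top-k guesses.

    A service can use this to reject (or warn about) a security answer that
    a statistical attacker would try first.  Comparison is case-insensitive.
    """
    top_k = {name.lower() for name, _ in _ranked(freq)[:k]}
    return answer.strip().lower() in top_k


if __name__ == "__main__":
    for label, table in (("male", MALE_NAMES), ("female", FEMALE_NAMES)):
        print(f"{label}: 3-guess success = {guess_success_rate(table, 3):.2f}, "
              f"guesses to reach 50% = {guesses_needed(table, 0.5)}")
    print("'john' accepted as answer?", not is_weak_answer("john", MALE_NAMES, 3))
```

With the constructed tables, three guesses succeed against 30% of male-name holders but only 16% of female-name holders, and reaching half the population takes 8 guesses in the first table versus 28 in the flatter one; the same code run over a real name-frequency table gives the figure a site should compare against its lockout threshold before choosing a question.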