Personal questions undermine webmail security
Posted on 24 Jun 2009 at 15:25
The personal security questions used by all four major webmail services are insecure, according to a paper from Microsoft Research and Carnegie Mellon University - yet Microsoft itself has done nothing to change the system its own researchers criticise.
"All four of the most popular webmail providers - AOL, Google, Microsoft, and Yahoo - rely on personal questions as the secondary authentication secrets used to reset account passwords," explains the paper.
"We ran a user study to measure the reliability and security of the questions used by all four webmail providers," it continues.
The experiment paired each account holder with a partner, who then tried to guess the holder's answers to examples of the questions the webmail services use.
These partners, who did not know the account holder well, guessed correctly almost one time in five. Conversely, one in five users forgot the answers to their own security questions within only six months.
For webmail services it's difficult to authenticate users who lose their passwords, as many have only one email address that acts as a hub for their online activity.
"While other web services may authenticate users who have forgotten their passwords via their email addresses, webmail services cannot always do so; many of their users employ their accounts as a primary email address," says the paper.
The two largest services tested, Hotmail and Yahoo Mail, have a combined user base of over half a billion people, leaving a huge number of accounts exposed.
Sarah Palin's Yahoo Mail account was hacked last year by exploiting the same weakness in personal questions that the paper describes. That attack exposed personal emails belonging to the Republican vice-presidential candidate, including a draft of an email to the California Governor Arnold Schwarzenegger.
"The secret questions employed by the top four webmail services are not sufficiently reliable authenticators. The security of personal questions appears significantly weaker than passwords," warns the paper.
Since being shown an advance copy of the paper, Yahoo has replaced all nine of its previous personal questions, the authors say.
However, Google (Gmail), AOL and Microsoft have made no changes to their own questions. Microsoft was not available for comment at the time of writing.
Author: Matthew Sparkes
Printed from www.pcpro.co.uk


