Personal questions undermine webmail security
By Matthew Sparkes
Posted on 24 Jun 2009 at 15:25
The personal security questions used by all four major webmail services are insecure, according to a paper from Microsoft Research and Carnegie Mellon University - yet Microsoft itself has done nothing to change the system its own researchers criticise.
"All four of the most popular webmail providers - AOL, Google, Microsoft, and Yahoo - rely on personal questions as the secondary authentication secrets used to reset account passwords," explains the paper.
"We ran a user study to measure the reliability and security of the questions used by all four webmail providers," it continues.
The experiment paired each account holder with a partner, who then had to guess the account holder's answers to examples of the questions the webmail services actually use.
These partners, who did not know the account holder well, guessed the correct answer almost one time in five. Reliability was no better: within six months, one in five account holders had forgotten the answers to their own questions.
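To make the comparison with passwords concrete, here is an added example (not code from the paper or from the article) that goes slightly beyond the study: it models the attacker who knows nothing about the victim and simply tries the most common answers in the population. Given a tally of how a population answers a question, it computes the attacker's success within k guesses, the question's min-entropy, and the equivalent figure for an idealised uniformly chosen password. The answer counts are constructed sample data for a hypothetical question, not measurements from the study, and the 40-bit password and the article's "one in five" acquaintance rate are used only as comparison points.

```python
"""Why a guessable 'secret question' is weaker than a password.

Added example for this article; not code from the Microsoft Research /
CMU paper. The answer counts below are CONSTRUCTED sample data for a
hypothetical question, not measurements from the study.
"""
import math
from collections import Counter

# Constructed sample: answers 100 hypothetical users gave to
# "What is your favourite colour?" (frequencies are made up).
SAMPLE_ANSWERS = (
    ["blue"] * 32 + ["red"] * 18 + ["green"] * 14 + ["purple"] * 9
    + ["black"] * 7 + ["yellow"] * 5 + ["pink"] * 4 + ["orange"] * 3
    + ["white"] * 2 + ["teal", "maroon", "indigo", "beige", "cyan", "olive"]
)


def answer_counts(answers):
    """Tally how often each (normalised) answer appears in the population."""
    return Counter(a.strip().lower() for a in answers)


def top_k_success(counts, k):
    """Probability that an attacker who knows only the population
    statistics (no personal knowledge of the victim) gets the answer
    right within k attempts by trying the k most common answers."""
    total = sum(counts.values())
    most_common = sorted(counts.values(), reverse=True)[:k]
    return sum(most_common) / total


def min_entropy_bits(counts):
    """Min-entropy: -log2 of the probability of the single most likely
    answer. This, not Shannon entropy, is the figure to compare with a
    password's strength, because it bounds the attacker's best guess."""
    total = sum(counts.values())
    return -math.log2(max(counts.values()) / total)


def uniform_secret_success(bits, k):
    """Success probability within k guesses against a secret chosen
    uniformly from a 2**bits space (an idealised password)."""
    return min(1.0, k / 2 ** bits)


def equivalent_bits(success_rate):
    """Bits of security implied by a per-attempt success rate, e.g. the
    article's 'almost one in five' for acquaintances guessing answers."""
    return -math.log2(success_rate)


def guesses_to_reach(counts, target):
    """Smallest number of statistical guesses whose cumulative success
    probability reaches `target` (1.0 = the whole population)."""
    total = sum(counts.values())
    running = 0
    for k, c in enumerate(sorted(counts.values(), reverse=True), start=1):
        running += c
        if running / total >= target:
            return k
    return len(counts)


if __name__ == "__main__":
    counts = answer_counts(SAMPLE_ANSWERS)
    print(f"min-entropy of the question: {min_entropy_bits(counts):.2f} bits")
    for k in (1, 3, 5):
        print(f"{k} guesses: question {top_k_success(counts, k):.0%}, "
              f"40-bit password {uniform_secret_success(40, k):.2e}")
    print(f"acquaintance at 1-in-5 is worth {equivalent_bits(0.2):.2f} bits")
    print(f"guesses to cover half the population: {guesses_to_reach(counts, 0.5)}")
```

With the constructed sample, one guess succeeds against 32% of users and three guesses against 64%, so the question is worth under two bits of security; the article's one-in-five acquaintance rate corresponds to about 2.3 bits, against the tens of bits a reasonable password provides. The practical consequence is that rate limiting alone cannot rescue such a question: the attacker needs only a handful of attempts.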
Webmail services find it particularly hard to authenticate users who have forgotten their passwords, because for many users the webmail account is their only email address and the hub of their online activity, so there is no separate address to which a reset link can be sent.
"While other web services may authenticate users who have forgotten their passwords via their email addresses, webmail services cannot always do so; many of their users employ their accounts as a primary email address," says the paper.
The two largest services tested, Hotmail and Yahoo Mail, have a combined user base of over half a billion people, leaving a huge number of accounts exposed.
Sarah Palin's Yahoo Mail account was hacked last year through the same personal-question weakness detailed in the paper: the attacker reset her password by answering her security questions from publicly available information. That attack exposed personal emails belonging to the then Republican vice-presidential candidate, including a draft of an email to the California Governor Arnold Schwarzenegger.
"The secret questions employed by the top four webmail services are not sufficiently reliable authenticators. The security of personal questions appears significantly weaker than passwords," warns the paper.
Since being shown an advance copy of the paper, Yahoo has replaced all nine of its previous personal questions, according to the authors.
However, Google (Gmail), AOL and Microsoft have made no changes to their own questions. Microsoft was not available for comment at the time of writing.