Personal questions undermine webmail security
By Matthew Sparkes
Posted on 24 Jun 2009 at 15:25
The personal security questions used by all four major webmail services are insecure, according to a paper from Microsoft Research and Carnegie Mellon University - yet Microsoft itself has done nothing to change the system its own researchers criticise.
"All four of the most popular webmail providers - AOL, Google, Microsoft, and Yahoo - rely on personal questions as the secondary authentication secrets used to reset account passwords," explains the paper.
"We ran a user study to measure the reliability and security of the questions used by all four webmail providers," it continues.
The experiment involved pairing up account holders with a partner, who had to guess the answer to various examples of the questions used by webmail services.
These partners, who were not well known to the account holder, were able to provide the correct answer almost one time in five. At the same time, one in five users forgot the answers to their own security questions within only six months.
For webmail services it's difficult to authenticate users who lose their passwords, as many have only one email address that acts as a hub for their online activity.
"While other web services may authenticate users who have forgotten their passwords via their email addresses, webmail services cannot always do so; many of their users employ their accounts as a primary email address," says the paper.
The two largest services tested here, Hotmail and Yahoo Mail, have a combined user base of over half a billion people, leaving a huge number of accounts vulnerable.
Sarah Palin's Yahoo Mail account was hacked last year using the same personal question vulnerability detailed in the paper. That attack exposed personal emails belonging to the Republican vice-presidential candidate, including a draft of an email to the California Governor Arnold Schwarzenegger.
"The secret questions employed by the top four webmail services are not sufficiently reliable authenticators. The security of personal questions appears significantly weaker than passwords," warns the paper.
Since being shown an advance copy of the paper, Yahoo has changed all nine of its previous personal questions, claim the authors.
However, GMail, AOL and Microsoft have failed to make any changes to their own questions. Microsoft was not available for comment at the time of writing.