Personal questions undermine webmail security

By Matthew Sparkes

Posted on 24 Jun 2009 at 15:25

The personal security questions used by all four major webmail services are insecure, according to a paper from Microsoft Research and Carnegie Mellon University - yet Microsoft itself has done nothing to change the system the paper criticises.

"All four of the most popular webmail providers - AOL, Google, Microsoft, and Yahoo - rely on personal questions as the secondary authentication secrets used to reset account passwords," explains the paper.

"We ran a user study to measure the reliability and security of the questions used by all four webmail providers," it continues.

The experiment paired each account holder with a partner, who had to guess the holder's answers to examples of the questions used by the webmail services.

These partners, who did not know the account holder well, supplied the correct answer almost one time in five. At the same time, one in five users forgot the answers to their own security questions within only six months.

For webmail services it's difficult to authenticate users who lose their passwords, as many have only one email address that acts as a hub for their online activity.

"While other web services may authenticate users who have forgotten their passwords via their email addresses, webmail services cannot always do so; many of their users employ their accounts as a primary email address," says the paper.

The two largest services tested, Hotmail and Yahoo Mail, have a combined user base of over half a billion people, leaving a huge number of accounts vulnerable.

Sarah Palin's Yahoo Mail account was hacked last year using the same personal-question weakness detailed in the paper. That attack exposed personal emails belonging to the Republican vice-presidential candidate, including a draft of an email to California Governor Arnold Schwarzenegger.

"The secret questions employed by the top four webmail services are not sufficiently reliable authenticators. The security of personal questions appears significantly weaker than passwords," warns the paper.

Since being shown an advance copy of the paper, Yahoo has changed all nine of its previous personal questions, the authors say.

However, Gmail, AOL and Microsoft have made no changes to their own questions. Microsoft was not available for comment at the time of writing.
