Scientists propose overhaul for password prompts

By Stewart Mitchell

Posted on 11 Nov 2009 at 08:34

Computer scientists at Rutgers University in the United States have revealed a system for improving the security of the secret questions used to verify identity when online shoppers forget their passwords.

Most online shops and other secure areas currently ask relatively simple questions, such as “What was your mother's maiden name?” or “Where were you born?”, to verify identity before sending out a password reminder.

But security experts say these questions are a real security weakness and should be replaced with questions that change constantly, drawn from the user's recent digital activity.

“We call them activity-based personal questions,” said Danfeng Yao, assistant professor of computer science in the Rutgers School of Arts and Sciences. “Sites could ask, ‘When was the last time you sent an e-mail?’ or, ‘What did you do yesterday at noon?’

“It's about using information that is much harder to obtain.”

Answering these questions is far harder for would-be hackers, the scientists claim, because the information is less widely available.

“There are several issues with the security of conventional secret questions,” Yao told PC Pro.

“They are static and long-lived and do not usually change, so a user's answers may be gathered or deduced by people around the user. Public databases and personal profiles at social networking websites make guessing these questions easier.”

Yao said she gave students in her lab several questions about network activities, physical activities and opinions, and then told them to “attack” each other.

“We found that questions related to time are more robust than others,” she says. “Many guessed the answer to the question, ‘Who was the last person you sent e-mail to?’ but if we asked what time it was sent, it was much harder.”

What happens when users forget what time they sent that email or where they had a meeting yesterday? “One approach is to create cues for events that will later be used, which would help the user remember the event later on. In addition, we use existing cognitive science knowledge to carefully select events that are specific to an individual and may cause flash-bulb memories.”

Security managers hoping to roll out the system may have to wait some time for a commercial product, the researchers say. “We are currently developing a prototype system which we expect to be ready and available for testing by May 2010,” says Yao. “The system has both server-side and client-side components, so we need to perform a substantial amount of testing on both security and memorability before we bring our solution to the market.”
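The two findings above, that a “who” question is guessable from a short contact list while a “when” question is not, and that a time answer must be accepted with some slack because users do not recall the exact minute, can be modelled in a few lines. The following Python is an added illustration written for this page, not code from the Rutgers prototype (which the article says was still in development); the event log, the 30-minute tolerance, the three-attempt lockout and all function names are assumptions chosen for the example.

```python
"""Activity-based secret questions: answer checking and guess-space comparison.

Added illustration for this article, not the Rutgers prototype. Assumptions:
a server-side activity log per user, a +/-30 minute tolerance on time answers,
and a lockout after three wrong answers. The log below is constructed data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Event:
    kind: str        # e.g. "email_sent", "login"
    when: datetime   # server-recorded timestamp
    detail: str      # e.g. recipient address; never shown in the prompt


# Constructed sample activity log for one user (assumption, not real data).
SAMPLE_LOG: List[Event] = [
    Event("email_sent", datetime(2009, 11, 10, 9, 12), "alice@example.com"),
    Event("email_sent", datetime(2009, 11, 10, 14, 47), "bob@example.com"),
    Event("login", datetime(2009, 11, 10, 16, 5), "web"),
    Event("email_sent", datetime(2009, 11, 10, 17, 33), "alice@example.com"),
]

TOLERANCE = timedelta(minutes=30)   # slack for "it was around half past five"
MAX_ATTEMPTS = 3                    # lockout threshold (assumed policy)


def last_event(log: List[Event], kind: str) -> Optional[Event]:
    """Most recent event of the given kind, or None if there is none."""
    matches = [e for e in log if e.kind == kind]
    return max(matches, key=lambda e: e.when) if matches else None


def recipient_matches(log: List[Event], answer: str) -> bool:
    """'Who was the last person you sent e-mail to?' (exact, case-insensitive)."""
    ev = last_event(log, "email_sent")
    return ev is not None and answer.strip().lower() == ev.detail.lower()


def time_matches(log: List[Event], answer: datetime,
                 tolerance: timedelta = TOLERANCE) -> bool:
    """'When was the last time you sent an e-mail?' accepted within tolerance."""
    ev = last_event(log, "email_sent")
    return ev is not None and abs(answer - ev.when) <= tolerance


@dataclass
class ResetChallenge:
    """One reset session: asks the time question, locks after MAX_ATTEMPTS."""
    log: List[Event]
    attempts: int = 0
    locked: bool = False

    def question(self) -> str:
        # Name only the activity type; echoing the logged detail would leak it.
        return "When was the last time you sent an e-mail?"

    def answer(self, guess: datetime) -> str:
        if self.locked:
            return "locked"
        self.attempts += 1
        if time_matches(self.log, guess):
            return "ok"
        if self.attempts >= MAX_ATTEMPTS:
            self.locked = True
            return "locked"
        return "wrong"


def guess_probability(candidates: int, attempts: int = MAX_ATTEMPTS) -> float:
    """Chance an attacker picking uniformly from `candidates` wins within `attempts`."""
    return min(1.0, attempts / candidates)


def recipient_candidates(log: List[Event]) -> int:
    """Size of the 'who' answer space if the attacker knows the user's contacts."""
    return len({e.detail for e in log if e.kind == "email_sent"})


def time_candidates(window: timedelta = timedelta(hours=24),
                    tolerance: timedelta = TOLERANCE) -> int:
    """Number of guesses needed to cover `window` when each guess is accepted
    within +/-tolerance: the 'when' answer space as the attacker sees it."""
    return int(window / (2 * tolerance))


if __name__ == "__main__":
    print("who  :", guess_probability(recipient_candidates(SAMPLE_LOG)))
    print("when :", guess_probability(time_candidates()))
    print("when, 5 min tolerance:",
          guess_probability(time_candidates(tolerance=timedelta(minutes=5))))
```

The last function makes the design tension explicit: widening the tolerance to help a forgetful user shrinks the attacker's search space in proportion, so the memorability cues Yao describes are what let the tolerance stay narrow. The prompt deliberately carries no detail from the log, since a question of the form “what time did you e-mail bob@example.com?” would hand an attacker the answer to the weaker “who” question.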



User comments

There is a reason passwords are easy to hack

Because people are terrible at remembering.

"What did you do at noon yesterday?" - Unless the correct answer is "I don't know" then I can see a lot of reset accounts.

A system of random questions with one word answers would be better, with the server collecting a list of answers it can choose at random.

By cheysuli on 11 Nov 2009

How does the system know what I did at noon yesterday? Do I have to update it at 12.05pm?

If it's for a site where I've forgotten the password it's probably a site I don't use often so they won't have any up-to-date data on me to use. And the older it is, the harder it will be for me to remember.

By Phoomeister on 11 Nov 2009

Stephen Fry's screwed, thanks to his Twitter addiction the whole world knows what he was doing at 12pm yesterday.

By Phoomeister on 11 Nov 2009

Simple: use password managers. I have one and now when I get asked for my credit card special password I can use the password manager to fill in the details. I have security dongles with rolling PINs and together I am pretty safe. Though I would wish some websites had longer passwords. I have some with 4 digit numerical PINs.

By Amnesia10 on 11 Nov 2009

Yeah right....

How can these guys be called scientists? What’s science got to do with Security? Did they write some questions down and then put them in the flame of a bunsen burner in order to see which were consumed faster thus proving their weak security ;)

Another example of an idea with no thought to its implementation. I have an idea too, let’s all live on Mars....oh wait how do we do that!??!

To be fair I could see this working (a bit) on some sites, for instance Amazon could ask “what did you last purchase” but even so what would happen if I was to overhear someone talking about their latest purchase of Buffy the Vampire Slayer (yes I’m a fan) and I also knew their email address or how to get hold of it, could I then get access to their account?!! I would hope not. What happens if the box set gets lost in the post? There’s too many if’s and maybe’s for my liking.

Yes I agree these questions would improve security but only as an addition to existing questions and techniques, they should not be used as a replacement.

By anthonysjones on 11 Nov 2009

Lie

If you want to make it hard for people to guess the answer to a question such as mother's maiden name why not lie. You'll know the answer but no one else will.

By Mullins2003 on 11 Nov 2009

@Mullins2003 - Yes, but knowing me, I'd forget the lie too.

I'm with Amnesia10 - use a password manager - that way you can use complex passwords for each site you visit.

By pbryanw on 11 Nov 2009

Wow- this has already been done!!

Do these guys not check the product market? There is already a GREAT product that overcomes this issue - "Password Reset PRO" from http://www.sysoptools.com - It is a web based self service portal that uses image-based ID enrollment and validation (very secure and easy to remember for the enrolling users). Basically, no lame / outdated Q/A stuff. This product uses AD 100% with no modifications required, no weird database installs, uses IIS for the web tier, and is highly compliant / secure. Anyway, just wanted to share that a good product ALREADY EXISTS!

By Tech22 on 11 Nov 2009

Another waste of grant money

This looks like a total waste of university time and valuable grant money. Why do we need "scientists" and so-called security experts to tell us this? It's common sense.

If I'd gotten a science project like that from an 11 year old I'd have told them to go away and make me a baking soda volcano on the grounds that it would be the more challenging endeavour.

By Perfectblue97 on 11 Nov 2009

This is why I use password manager

Personally I use Sticky Password, because I think it is the best, but there are also other password managers and also free ones like Keepass.

But the Sticky Password is very easy and integrated.

http://www.stickypassword.com

By FrederickJohnberg on 12 Nov 2009

Sounds as though this bright idea is to ask questions to which neither party knows the answer. Brilliant!

By luffbr on 12 Nov 2009

Personally I prefer not to complicate the life of users by trying to brainstorm a good answer for the password prompt questions.
It is more practical to get companies, which conduct online shop activities, to implement solutions based on Identity and Access Management (IAM) as most of the financial industry does already.
A correct IAM implementation must include Authentication, Authorization, User Management and Central User Repository to provide the right access to the right people in order to protect the information and guarantee absolute confidentiality.

There must be a system in place that does not have to rely on users’ good or bad answers, which could lead to dangerous results.

Rossano Ferraris, CA ISBU Research Team, Internet Security Intelligence

By Rossano on 13 Nov 2009

PCPro-Computing in the Real World Printed from www.pcpro.co.uk
