It's no Secret

Measuring the security and reliability of authentication via secret questions.

1. IT'S NO SECRET: Measuring the security and reliability of authentication via secret questions. Stuart Schechter and A.J. Bernheim Brush (Microsoft Research), Serge Egelman (Carnegie Mellon University). 30th IEEE Symposium on Security and Privacy, 2009. Research presentation by Nuno Loureiro, Special Topics in Applied Security, 2009/11/26 (Thursday, November 26, 2009).
2. SUBJECT OF STUDY • AOL, Gmail, Hotmail and Yahoo! webmail services rely on personal questions to reset account passwords. • But is that safe?
3. SUBJECT OF STUDY
4. SUMMARY • Why use secret questions? • Motivation • Study • Memorability • Statistical guessing • Guessing by acquaintance • Security of user-written questions • Improving questions • Alternatives
5. WHY USE SECRET QUESTIONS? • Most sites depend on email as a backup authenticator for password resets. • Webmail services cannot assume their users have an alternative email address to use as a backup authenticator, so they fall back on secret questions.
6. MOTIVATION • Sarah Palin's Yahoo! Mail account was hacked in Sep 2008 via her secret question. • The first question asked was "what is your birthdate?" • The second was "where did you meet your spouse?"
7. MOTIVATION • Prior studies concluded: • spouses, family and close friends could guess 33-39% of participants' answers; • participants forgot 20-22% of their own answers within 3 months.
8. STUDY • Covered the top four webmail providers: AOL, Google, Microsoft, Yahoo. • Examined the real-world questions in use in Mar 2008. • Invited participants in pairs, asked each the personal questions, and asked each to guess the partner's answers. • Measured guessing by untrusted acquaintances. • Measured statistical guessing attacks (guessing the most popular answers without knowing anything about the victim).
9. POOL • 4 cohorts, 130 participants. • The first 3 cohorts (116 participants) were active Hotmail users (3+ logins per week, accounts at least 3 months old). • Each participant invited a coworker, friend, or family member.
10. MEMORABILITY: REMEMBER THE ANSWER TO YOUR OWN QUESTION? • First challenge: ask the Hotmail users (3 cohorts) to reset their password using their personal question. • 57% could not reset their password!
11. MEMORABILITY: REMEMBER THE ANSWER AFTER 6 MONTHS? • An answer counts as remembered if the participant produces it within 5 guesses. (chart of results per question not reproduced)
12. STATISTICAL GUESSING • An answer counts as statistically guessable if it is among the 5 most popular answers provided by the other participants (remember that participants were from the same metropolitan area, which makes their popular answers more alike than those of a global population would be). (chart of results per question not reproduced)
13. GUESSING BY ACQUAINTANCE • An acquaintance succeeds if they produce the answer within 5 guesses. (chart of results per question not reproduced)
14. GUESSING BY ACQUAINTANCE • Curiosities: • 50% of spouses failed to guess "Where did you meet your spouse?" • 28% of spouses failed to guess "Where were you born?" • 50% of fiancés failed to guess "Where were you born?"
15. SECURITY OF USER-WRITTEN QUESTIONS • 24% vulnerable to attacks that require no personal knowledge. • 23% vulnerable to family members.
16. IMPROVING QUESTIONS • Limit the guesser to a fixed budget of responses. Each response could be charged in proportion to its popularity, so that trying the most common answers exhausts the budget faster; a response equivalent to one already tried (e.g. 'Brooklyn' after 'Brooklyn, NY') should not be charged again. • Eliminate questions for which more than 10% of answers are statistically guessable. • After login, occasionally ask the user to answer their personal question, so the answer stays fresh in memory.
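The statistical-guessing measurement of slide 12 and the popularity-weighted guess budget of slide 16, as an added Python example; this is not code from the paper or from the presentation. The answer pool is constructed, and the budget of 100 points with a charge of 20 points per distinct guess plus one point per percent of popularity is an assumption chosen for illustration; the 5-guess cutoff and the 10% threshold are the slides' own numbers.

```python
"""Added example (not code from the paper or the slides): leave-one-out
measurement of statistical guessability and a popularity-weighted guess
budget for a password-reset endpoint. All answer data is constructed."""
from collections import Counter

# Constructed answer pool: question -> answers from 15 distinct participants.
# These are made-up answers, not data from the study.
POOL = {
    "favorite food": ["pizza", "Pizza", "pizza!", "PIZZA", "pizza",
                      "sushi", "Sushi", "sushi", "tacos", "tacos",
                      "pasta", "steak", "curry", "ramen", "burgers"],
    "first pet's name": ["Rex", "Whiskers", "Bella", "Snowball", "Luna",
                         "Oscar", "Charlie", "Daisy", "Milo", "Max",
                         "Buddy", "Coco", "Ginger", "Pepper", "Shadow"],
}

TOP_K = 5             # guesses the study allowed an attacker (slide 12)
MAX_GUESSABLE = 0.10  # slide 16's threshold for retiring a question


def normalize(answer: str) -> str:
    """Canonical form so that 'Brooklyn', 'brooklyn!' and 'Brooklyn, NY' all
    compare equal: lowercase, drop anything after a comma, strip punctuation,
    collapse whitespace."""
    head = answer.lower().split(",", 1)[0]
    kept = "".join(ch for ch in head if ch.isalnum() or ch.isspace())
    return " ".join(kept.split())


def popularity(answers):
    """Counter of normalized answers in a pool."""
    return Counter(normalize(a) for a in answers)


def top_answers(answers, k=TOP_K):
    """The k most popular normalized answers; ties are broken alphabetically
    so the attacker's guess list is deterministic."""
    ranked = sorted(popularity(answers).items(), key=lambda kv: (-kv[1], kv[0]))
    return [a for a, _ in ranked[:k]]


def statistical_guessability(answers, k=TOP_K):
    """Fraction of participants whose answer lies among the k most popular
    answers given by the *other* participants (leave-one-out, so nobody's
    answer votes for itself)."""
    hits = 0
    for i, a in enumerate(answers):
        others = answers[:i] + answers[i + 1:]
        if normalize(a) in top_answers(others, k):
            hits += 1
    return hits / len(answers)


def acceptable_questions(pool, threshold=MAX_GUESSABLE):
    """Questions whose statistical guessability is at or below the threshold."""
    return [q for q, answers in pool.items()
            if statistical_guessability(answers) <= threshold]


class GuessBudget:
    """Popularity-weighted guess limiter for one account's reset attempts.

    Costs are integer points out of BUDGET (assumed values). Each new distinct
    guess costs BASE_COST plus the percentage of the population that gave that
    answer, so five rare guesses fit but popular guesses run the budget out
    sooner. A guess equivalent to an earlier one is not charged again. Once a
    guess would overrun the budget the account locks, even for a correct answer.
    """
    BUDGET = 100
    BASE_COST = 20

    def __init__(self, answers):
        self.counts = popularity(answers)
        self.total = len(answers)
        self.spent = 0
        self.tried = set()
        self.locked = False

    def cost(self, guess):
        share = self.counts.get(normalize(guess), 0)
        return self.BASE_COST + round(100 * share / self.total)

    def attempt(self, guess, true_answer):
        """Returns 'ok', 'wrong' or 'locked'."""
        if self.locked:
            return "locked"
        key = normalize(guess)
        if key not in self.tried:
            if self.spent + self.cost(guess) > self.BUDGET:
                self.locked = True
                return "locked"
            self.spent += self.cost(guess)
            self.tried.add(key)
        return "ok" if key == normalize(true_answer) else "wrong"


if __name__ == "__main__":
    for q, answers in POOL.items():
        print(f"{q}: {statistical_guessability(answers):.0%} guessable, "
              f"top answers {top_answers(answers)}")
    print("acceptable:", acceptable_questions(POOL))
    limiter = GuessBudget(POOL["favorite food"])
    for g in ["pizza", "Pizza!", "sushi", "ramen"]:
        print(g, "->", limiter.attempt(g, "Ramen"), "spent", limiter.spent)
```

On the constructed pool, "favorite food" comes out 53% guessable and is rejected, while the all-distinct pet names score 0% and pass; against the "favorite food" budget an attacker trying answers in popularity order is locked out after "pizza" and "sushi", and repeating "Pizza!" after "pizza" costs nothing extra.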
17. ALTERNATIVES • Send a token to an alternate email address. • Send an SMS token to the user's mobile phone. • Fall back to a personal question only if the user has provided neither of the above.
18. YAHOO!
19. GMAIL
20. SAPO
21. THANK YOU! QUESTIONS?
