It's no Secret

Measuring the security and reliability of authentication via secret questions.

Published in: Technology
Transcript

  • 1. IT'S NO SECRET: Measuring the security and reliability of authentication via secret questions. Stuart Schechter, A.J. Bernheim Brush (Microsoft Research) and Serge Egelman (Carnegie Mellon University), 30th IEEE Symposium on Security and Privacy, 2009. Research presentation for Special Topics in Applied Security by Nuno Loureiro, 2009/11/26 (Thursday, November 26, 2009).
  • 2. SUBJECT OF STUDY
    • AOL, Gmail, Hotmail and Yahoo! webmail services...
    • rely on personal questions to reset account passwords
    • But is it safe?
  • 3. SUBJECT OF STUDY
  • 4. SUMMARY
    • Why use secret questions?
    • Motivation
    • Study
    • Memorability
    • Statistical guessing
    • Guessing by acquaintance
    • Security of user-written questions
    • Improving questions
    • Alternatives
  • 5. WHY USE SECRET QUESTIONS?
    • Most sites depend on email as a backup authenticator to reset passwords
    • Webmail services cannot assume their users have an alternative email address as a backup authenticator
  • 6. MOTIVATION
    • Sarah Palin's Yahoo! Mail account was hacked in Sep 2008 via her secret question
    • First secret question was... "What is your birthdate?"
    • Second question was... "Where did you meet your spouse?"
  • 7. MOTIVATION
    • Prior studies concluded:
      • 33-39% of answers were guessed by spouses, family and close friends
      • Participants forgot 20-22% of their own answers within 3 months
  • 8. STUDY
    • Top four webmail providers: AOL, Google, Microsoft, Yahoo
    • Examined real-world questions in use in Mar 2008
    • Invited participants in pairs
    • Asked them personal questions and to guess their partners' answers
    • Measured guessing by untrusted acquaintances
    • Statistical guessing attacks
  • 9. POOL
    • 4 cohorts, 130 participants
    • First 3 cohorts (116 participants) were active Hotmail users (3+ logins/week, account 3+ months old)
    • Each participant invited a coworker, friend, or family member
  • 10. MEMORABILITY: REMEMBER ANSWER TO OWN QUESTION?
    • First challenge was to ask Hotmail users (3 cohorts) to reset their password using their personal question
    • 57% could not reset their password!
  • 11. MEMORABILITY: REMEMBER ANSWER AFTER 6 MONTHS? (chart: answer within 5 guesses)
  • 12. STATISTICAL GUESSING: an answer counts as statistically guessable if it is among the 5 most popular answers provided by other participants (remember that participants were from the same metropolitan area)
  • 13. GUESSING BY ACQUAINTANCE (chart: answer within 5 guesses)
  • 14. GUESSING BY ACQUAINTANCE
    • Curiosities:
      • 50% of spouses failed to guess: "Where did you meet your spouse?"
      • 28% of spouses failed to guess: "Where were you born?"
      • 50% of fiancés failed to guess: "Where were you born?"
  • 15. SECURITY OF USER-WRITTEN QUESTIONS
    • 24% vulnerable to attacks that require no personal knowledge
    • 23% vulnerable to family members
  • 16. IMPROVING QUESTIONS
    • Limit the user to a fixed threshold of responses. Responses could be penalized in proportion to their popularity. A user should not be penalized for a response that is identical to a previous one (e.g. "Brooklyn" and "Brooklyn, NY")
    • Eliminate questions that are statistically guessable >10% of the time
    • After login, occasionally ask the user to answer their personal question
  • 17. ALTERNATIVES
    • Send a token to an alternate email address
    • SMS a token to a mobile phone
    • Use a personal question only if the user does not provide either of the above
  • 18. YAHOO!
  • 19. GMAIL
  • 20. SAPO
  • 21. THANK YOU! QUESTIONS?
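The statistical-guessing measure from slide 12 (is the answer among the 5 most popular in the pool?) and the popularity-based policy from slide 16 (penalize popular responses, treat "Brooklyn" and "Brooklyn, NY" as the same response, drop questions guessable more than 10% of the time) can be modelled in a few functions. The block below is an added example written for this page, not code from the deck or from the Schechter/Brush/Egelman paper; the answer pool is constructed sample data, and the normalization rules and the per-answer threshold are assumptions for illustration.

```python
"""Added example (not the deck's or the paper's code): a small model of the
statistical-guessing metric from slide 12 and the popularity-based answer
policy from slide 16. All data below is constructed; the normalization rules
and thresholds are assumptions for illustration."""
from collections import Counter
import re

# Constructed answer pool for one question ("Where were you born?") from a
# hypothetical group of users in one metropolitan area.
SAMPLE_ANSWERS = [
    "Brooklyn", "brooklyn, NY", "Brooklyn NY", "Queens", "Queens, NY",
    "Boston", "Manhattan", "Bronx", "Staten Island", "Lisbon",
    "Porto", "Queens", "Brooklyn", "Newark", "Jersey City",
    "Brooklyn", "Hoboken", "Yonkers", "Boston", "Brooklyn",
]

# Trailing region tokens treated as noise (assumed list for this example).
_REGION_TOKENS = {"ny", "nj", "ma", "usa"}


def normalize(answer: str) -> str:
    """Map variants such as 'Brooklyn' and 'Brooklyn, NY' to one key, so a
    user is not penalized twice for what is really the same response."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", answer.lower()).split()
    while tokens and tokens[-1] in _REGION_TOKENS:
        tokens.pop()
    return " ".join(tokens)


def popularity(answers) -> Counter:
    """Frequency of each normalized answer across the pool."""
    return Counter(normalize(a) for a in answers)


def top_k_guess_rate(answers, k: int = 5) -> float:
    """Slide 12's measure: the fraction of users whose answer is among the k
    most popular answers in the pool, i.e. the success rate of a guesser who
    knows nothing personal and simply tries the k commonest answers."""
    counts = popularity(answers)
    covered = sum(n for _, n in counts.most_common(k))
    return covered / len(answers)


def question_is_acceptable(answers, max_rate: float = 0.10, k: int = 5) -> bool:
    """Slide 16's rule: drop a question whose answers are statistically
    guessable more than 10% of the time."""
    return top_k_guess_rate(answers, k) <= max_rate


def answer_share(answer: str, answers) -> float:
    """Share of the pool that gave the same (normalized) answer; this is the
    quantity a popularity-proportional penalty would be based on."""
    key = normalize(answer)
    return popularity(answers)[key] / len(answers)


def accept_answer(answer: str, answers, max_share: float = 0.10) -> bool:
    """Reject a newly chosen answer whose popularity exceeds max_share
    (the per-answer threshold is an assumption; the deck gives none)."""
    return answer_share(answer, answers) <= max_share


if __name__ == "__main__":
    rate = top_k_guess_rate(SAMPLE_ANSWERS)
    print(f"top-5 statistical guess rate: {rate:.0%}")
    print("question acceptable:", question_is_acceptable(SAMPLE_ANSWERS))
    for candidate in ("Brooklyn, NY", "Lisbon", "Coimbra"):
        verdict = "accept" if accept_answer(candidate, SAMPLE_ANSWERS) else "reject"
        print(candidate, "->", verdict)
```

With the constructed pool, the five most common normalized answers cover 13 of 20 users, so the question fails the 10% rule, and "Brooklyn, NY" is rejected as a new answer because, once normalized, it matches 30% of the pool. In a real deployment the pool would be the provider's own answer statistics for that question, kept per region since the deck notes that popularity depends on where users live.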
