Special Topics in Applied Security



IT’S NO SECRET: Measuring the security and reliability of authentication via secret questions

Stuart Schechter, A.J. Bernheim Brush (Microsoft Research)
Serge Egelman (Carnegie Mellon University)

2009 30th IEEE Symposium on Security and Privacy

Research Presentation
Nuno Loureiro
2009/11/26

                                                                 1
Thursday, November 26, 2009
SUBJECT OF STUDY

    • AOL, Gmail, Hotmail and Yahoo! webmails...

    • rely on personal questions to reset account passwords

    • But is it safe?




SUBJECT OF STUDY




SUMMARY
    • Why use secret questions?
    • Motivation
    • Study
    • Memorability
    • Statistical Guessing
    • Guessing by Acquaintance
    • Security of User-written Questions
    • Improving Questions
    • Alternatives

WHY USE SECRET QUESTIONS?


    • Most sites depend on email as a backup authenticator to reset
        passwords

    • Webmail services cannot assume their users have an
        alternative email address as a backup authenticator.




MOTIVATION
  • Sarah Palin’s Yahoo! Mail account was hacked in Sep 2008 via
    her secret question

  • First secret question was... “what is your birthdate?”

  • Second question was... “where did you meet your spouse?”

MOTIVATION
  • Prior studies concluded:
            • 33-39% of their answers guessed by spouses,
                family and close friends
            • Participants forgot 20-22% of their own answers
                within 3 months




STUDY
  • Top four webmail providers: AOL, Google, Microsoft, Yahoo

  • Examined real-world questions in use in Mar 2008

  • Invited participants in pairs

  • Asked them personal questions and to guess partners’
      answers

  • Measured guessing by untrusted acquaintances

  • Statistical guessing attacks
POOL

    • 4 cohorts - 130 participants

    • First 3 cohorts (116 participants) were active Hotmail users
        (3+ logins/week) whose accounts were at least 3 months old

    • Each participant invited a coworker, friend, or family member



MEMORABILITY:
    REMEMBER ANSWER TO OWN QUESTION?

        First challenge was:


         • Ask Hotmail users (3 cohorts) to reset their password using their
            personal question

         • 57% could not reset their password!



MEMORABILITY:
          REMEMBER ANSWER AFTER 6 MONTHS?
           Answer within 5 guesses




STATISTICAL GUESSING
   An answer counts as statistically guessable if it is among the 5 most popular
   answers provided by the other participants (remember that participants were
   from the same metropolitan area)




GUESSING BY ACQUAINTANCE
   Answer within 5 guesses




GUESSING BY ACQUAINTANCE




   Curiosities:
     • 50% of spouses failed to guess: “Where did you meet your spouse?”
     • 28% of spouses failed to guess: “Where were you born?”
     • 50% of fiancés failed to guess: “Where were you born?”


SECURITY OF USER-WRITTEN QUESTIONS
    • 24% vulnerable to attacks that require no personal knowledge
    • 23% vulnerable to family members




IMPROVING QUESTIONS

    • Limit the user to a fixed threshold of responses. Responses could
        be penalized in proportion to their popularity. The user should
        not be penalized for a response that is identical to a previous
        one (e.g. ‘Brooklyn’ and ‘Brooklyn, NY’)

    • Eliminate questions whose answers are statistically guessable >10%
        of the time

    • After login, occasionally ask the user to answer their personal question
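As an added example (not from the paper or this presentation) tying together the statistical-guessing metric above and the improvements on this slide: leave-one-out top-5 guessability with the >10% retirement rule, and a reset-attempt budget charged in proportion to answer popularity, where a retry equivalent to an earlier guess (‘Brooklyn’ vs ‘Brooklyn, NY’) costs nothing extra. The prefix-based equivalence rule, the 1.0 budget with a 0.2 floor per distinct guess, and the answer pools are all constructed assumptions.

```python
from collections import Counter

def normalize(answer):
    """Lowercase, turn punctuation into spaces, split into tokens."""
    return tuple("".join(c if c.isalnum() else " " for c in answer.lower()).split())

def same_response(na, nb):
    """Token tuples count as one response when one is a prefix of the other, so
    'Brooklyn' matches 'Brooklyn, NY' (assumed simplification of the slide's rule)."""
    if not na or not nb:
        return na == nb
    return na[:len(nb)] == nb or nb[:len(na)] == na

def guessability(answers, k=5):
    """Share of participants whose answer is in the top-k answers of the *others*."""
    norm = [normalize(a) for a in answers]
    counts, hits = Counter(norm), 0
    for a in norm:
        counts[a] -= 1                      # leave-one-out: drop this participant's own answer
        hits += a in [v for v, c in counts.most_common(k) if c > 0]
        counts[a] += 1
    return hits / len(norm)

def should_retire(answers, k=5, threshold=0.10):
    return guessability(answers, k) > threshold   # slide: drop questions guessable >10%

class GuessBudget:
    """Reset attempts draw on a fixed budget; each distinct wrong guess costs a floor plus
    its popularity share (assumed costs), and a retry equivalent to an earlier guess is free."""
    def __init__(self, pool, correct, budget=1.0, floor=0.2):
        self.counts, self.total = Counter(normalize(a) for a in pool), len(pool)
        self.correct, self.budget, self.floor, self.tried = normalize(correct), budget, floor, []

    def attempt(self, guess):
        """Return 'ok', 'wrong' or 'locked' (budget exhausted)."""
        g = normalize(guess)
        if self.budget <= 0:
            return "locked"
        if same_response(g, self.correct):
            return "ok"
        if not any(same_response(g, t) for t in self.tried):
            self.tried.append(g)
            share = sum(c for v, c in self.counts.items() if same_response(g, v))
            self.budget -= self.floor + share / self.total
        return "wrong" if self.budget > 0 else "locked"

# Constructed sample pools from one metro area, mirroring the study's setup.
BORN = ["Lisbon"] * 6 + ["Lisboa"] * 3 + ["Porto"] * 3 + [
    "Coimbra", "Faro", "Braga", "Setubal", "Evora", "Leiria", "Aveiro", "Viseu"]
PET = ["Bobi", "Rex", "Tareco", "Kika", "Nina", "Piloto", "Farrusco", "Luna"]
```

With the constructed pools, the birthplace question is 60% guessable within 5 tries and would be retired, while the all-distinct pet-name pool scores 0%; popular guesses such as ‘Lisbon’ exhaust the budget in a few attempts.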


ALTERNATIVES

    • Send token to alternate email address
    • SMS token to mobile phone
    • Personal question only if user does not provide any of above



YAHOO!




GMAIL




SAPO




THANK YOU!




                                                       QUESTIONS?

