A Blog by Jonathan Low

 

Jun 8, 2012

Your Pet's Name or Your Mother's Birthplace or...: What Is the Most Secure Password Recovery Question?


There really is a best answer.

Because there are automated guessing programs designed to figure this stuff out. So there are people who spend their time either trying to figure out your password or spend their time attempting to protect your password. They are both compensated for this effort and may make more money than you do, as strange as that may be.

But let's face it, it is no stranger than your smart phone delivering voice messages three days late or spam catchers tagging your grandmother's emails as a threat. In fact, the recent theft of 6.5 million LinkedIn passwords underscores the economic opportunity. It may also suggest that there are too many teens on summer vacation requiring closer parental supervision, but that is a topic for another day.

The primary problem is not the diabolical cleverness of hackers, but rather the demonstrable laziness of most internet users. Because the vast majority use the same password for everything. Which is certainly convenient, arguably the major motivating factor in all internet use. And on top of that, there is data now on which are the most popular types of passwords (as a species, we are nothing if not suggestable)and many of them are derivatives of easily gleaned information like place of birth, mother's maiden name and favorite sports team.

We won't spoil the fun by giving away the answer: it is contained in the body of the article. But we will suggest applying a little creativity to the task - and then recommend doing something totally analog: write it down. JL

Brian Palmer reports in Slate:
A hacker claims to have accessed one of Mitt Romney’s personal email accounts on Tuesday by guessing the answer to the security question, “What is your favorite pet?” Sarah Palin’s email account was hacked in 2008 by an attacker who correctly guessed where the former Alaska governor met her husband (Wasilla High, of course). Which password recovery question should you choose to protect your account?
Your father’s middle name. That might not be the hardest question for a hacker to guess, but according to researchers at Microsoft and Carnegie Mellon University it has the advantage of being: 1) easy to remember for months or years; 2) relatively hard to find on the Internet; and 3) difficult for automated guessing programs to suss out. In 2009, the computer scientists tested these qualities in the password-recovery questions used by four leading webmail services (AOL, Google, Microsoft, and Yahoo!). “What is your father’s middle name?” performed well in the study, but wouldn't be so useful for celebrities like Palin and Romney, whose parents’ full names are widely available online. (Romney’s father’s middle name was Wilcken, and Palin’s father’s middle name is Richard.) The other top questions were: “What was your first phone number?,” “Who was your favorite teacher,” and “Who is your favorite singer?”

Even the best password recovery questions can be pretty easy for cyber-intruders to answer. In the 2009 study, more than 40 percent of account-holders' acquaintances were able to guess the answers to “What is your pet’s name?,” “Where were you born?,” “Where did you grow up?,” and “What is your favorite sports team?” Anonymous hackers can improve their chances by figuring out where the account-holder lives—an elementary task in the age of social media.

Preference questions—e.g. "What is your favorite color?"—are more resistant to social media research, but might still be vulnerable to probabilistic guessing. You could guess almost anyone’s favorite color in four or five tries, and there aren’t that many professional sports teams in the United States. Preferences aren’t memorable, either. More than one in three participants forgot their answers to “Who was your childhood hero?” and “Who is your favorite historical person?” within a few months. Your favorite song, restaurant, or film can also change in the time it takes you to forget an email password.

You might be tempted to use a nonsense answer to throw hackers off. (Q: What is your favorite town? A: Asparagus.) This is a bad idea. You choose a security question when you set up an account, and likely won’t think about it again for months or years. Most people forget silly answers in that time. Certain email systems allow users to write their own questions instead, but these have their own problems.

Internet users aren’t very imaginative and tend to fall back on the same old questions, like “What was your first car?” A few participants asked to generate their own questions for the 2009 study picked binaries, like “water or pop?” or asked questions that were easily guessed within five tries, such as “What is my blood type?” or “Who should the next president be?” Some people, apparently unaware that anyone could view the question, revealed personal information (e.g. “What is my sobriety date?”).

0 comments:

Post a Comment