Claims made that personal knowledge questions are no longer viable for email
A recent blog claimed that as long as general questions are used as a ‘forgot password’ backup, most web authentication is no more secure than personal knowledge questions.
Joseph Bonneau from the University of Cambridge wrote that with incidents such as Sarah Palin's webmail account being hacked and the taking of Twitter documents from a Gmail account, the questions and answers for forgotten passwords are easy to look up online, often found in public records, and easy for friends and acquaintances to guess.
Bonneau said: “If an attacker wants to do no target-specific work, but just guess common answers for a large number of accounts using population-wide statistics, how well can they do?”
He said that using guessing metrics, his team could provide a few theorems that prove in a strong way that high entropy can give you no security at all against a trawling attacker in the real world.
He said: “Using these new metrics, we examined a range of statistics on answer distributions to common personal knowledge questions. It turns out the majority of personal knowledge questions ask for proper names of people, pets and places, and the rest are trivially insecure (e.g. 'What is my favourite day of the week?').
“We collected government census data, pet registration records, and also completely crawled Facebook's people directory. Analysing our data for security, though, shows that essentially all human-generated names provide poor resistance to guessing. For an attacker looking to make three guesses per personal knowledge question (for example, as this triggers an account lock-down), none of the name distributions we looked at gave more than eight bits of effective security except for full names.
“That is, about at least one in 256 guesses would be successful, and one in 84 accounts compromised. For an attacker who can make more than three guesses and wants to break into 50 per cent of available accounts, no distributions gave more than about 12 bits of effective security.”
He concluded that there is a strong result that anything named by humans is dangerous to use as a secret, and combined with previous results on other attack methods, there should be no doubt that personal knowledge questions are no longer viable for email, which has come to play too critical a role in web security.
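The effective-security figures quoted above can be computed for any answer distribution. The following is an added example, not code from Bonneau's blog or research; it assumes that effective bits against an attacker allowed β guesses are log2(β/λ), where λ is the combined probability of the β most common answers, which matches the quoted "eight bits, about one in 256 guesses" figure. Both distributions are constructed for illustration.

```python
import math

def success_rate(probs, beta):
    """Chance that one of the beta most common answers is correct."""
    return sum(sorted(probs, reverse=True)[:beta])

def effective_bits(probs, beta):
    """Size, in bits, of a uniform distribution that would give an
    attacker with beta guesses the same success rate (assumed formula)."""
    return math.log2(beta / success_rate(probs, beta))

def shannon_entropy(probs):
    """Classic entropy in bits; says little about the most common answers."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def accounts_per_compromise(probs, beta):
    """On average, one account in this many falls to beta guesses."""
    return 1 / success_rate(probs, beta)

# Constructed: 256 equally likely answers, i.e. exactly 8 bits.
UNIFORM_256 = [1 / 256] * 256

# Constructed: one very common answer (10% of users) plus a long tail
# of 65,536 rare answers sharing the remaining 90%.
SKEWED = [0.10] + [0.90 / 65536] * 65536

def report(name, probs, beta=3):
    return (f"{name}: entropy {shannon_entropy(probs):.2f} bits, "
            f"effective {effective_bits(probs, beta):.2f} bits vs {beta} guesses, "
            f"1 in {accounts_per_compromise(probs, beta):.0f} accounts")

if __name__ == "__main__":
    print(report("uniform-256", UNIFORM_256))
    print(report("skewed", SKEWED))
```

The skewed distribution has far higher entropy than the uniform one yet resists a three-guess attacker worse, which is the gap between entropy and trawling resistance that the theorems address.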
Commenting, Simon Godfrey, director of security solutions at CA, said that there are solutions such as the hard token, but software-based authentication is available and cost effective. “This prevents man-in-the-middle (MITM) and it eradicates that and it is easy to use. The passwords issues are on a one-time code and that is very user friendly,” he said.
David Ting, CTO at Imprivata, claimed that with multiple passwords to remember, users tend to resort to three common coping mechanisms – the ‘post-it note password’ where login details are recorded and kept in a ‘safe place’, password sharing with other users, or using simple details such as pet names or family names which are weak and easily guessed.
He said: “Security conscious organisations across a range of industry sectors have tried to combat ‘weak’ passwords with policies mandating complex passwords, meaning that a combination of alphanumeric digits are required in a sequence that is at least eight characters long. These complex passwords also need to be changed regularly and cannot be repeated. This is an attempt to thwart hackers that may otherwise gain access to corporate networks based on simple guesswork.
“However, the more difficult the password is to remember, the higher the likelihood that users will resort to one of the three coping tactics mentioned above, which of course, defeats the purpose of strong passwords.”