How Secret are your Secret Questions?

By: Absolute Team | 5/27/2009

Just how "secret" are your "secret questions"? Many websites have a password-recovery system that lets you answer either a pre-set question or a question of your own when you forget your password.

Most of the time, the secret questions we gravitate toward are easy ones, such as "What's your mother's maiden name?" or "What's your pet's name?". We'll remember those answers fairly easily... but others may figure them out just as easily.

Research presented by Microsoft and Carnegie Mellon University at the IEEE Symposium on Security and Privacy this week indicates that, among the 130 people surveyed, someone who "knew and was trusted" by a participant could guess the correct answers to 28% of that participant's secret questions. Those without such a close tie still guessed 17% of the answers correctly.

"Secret questions alone are not as secure as we would like our backup authentication to be," says Stuart Schechter, a researcher with software giant Microsoft and one of the authors of the paper. "Nor are they reliable enough that their use alone is sufficient to ensure users can recover their accounts when they forget their passwords."

This study doesn't even take into account an attacker willing to spend time digging up information about you! So, ask yourself: how "secret" are the answers to your questions?

Answers that can be guessed with only a little personal knowledge should be considered unsafe. Questions like "What's your favorite sports team?" or "Where were you born?" fall into that category.

The study also found that even memorable questions pose a risk to legitimate users: 16% of participants had forgotten the answers to their own secret questions three to six months later, and one in five forgot all of their answers.

Bruce Schneier, a security expert, says that he'll often type in a random answer to a security question and will call the company if he needs to retrieve a password.
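A worked version of the practice Schneier describes, as an added example that is not part of the original post or of the study: generate a random answer with the operating system's CSPRNG, keep it somewhere you can retrieve it (a password manager; the in-memory vault here stands in for that), and compare its guessing work with the small answer spaces of typical questions. The answer-space sizes in GUESSABLE_ANSWER_SPACES are assumed, illustrative figures, not numbers from the paper, and they assume every answer is equally likely, which overstates the attacker's work for real, skewed answers. The caveat is the second finding above: a random answer you do not store is an answer you will forget.

```python
import math
import secrets
import string
from typing import Dict, Optional, Tuple

# Alphabet for generated answers: letters and digits only, so the answer
# can be typed into any web form or read back over the phone.
ALPHABET = string.ascii_lowercase + string.digits


def entropy_bits(answer_space: int) -> float:
    """Bits of guessing work for an answer drawn uniformly from
    `answer_space` equally likely choices."""
    if answer_space < 1:
        raise ValueError("answer space must be at least 1")
    return math.log2(answer_space)


def random_answer(length: int = 20) -> str:
    """Random answer of `length` characters from ALPHABET, from the OS CSPRNG.
    20 characters over 36 symbols is about 103 bits."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class AnswerVault:
    """Minimal in-memory store keyed by (site, question). This stands in for
    a password-manager entry; in practice the answer belongs in your manager,
    encrypted at rest, so it can be recovered when the site asks for it."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], str] = {}

    def set_answer(self, site: str, question: str, length: int = 20) -> str:
        answer = random_answer(length)
        self._entries[(site, question)] = answer
        return answer

    def get_answer(self, site: str, question: str) -> Optional[str]:
        return self._entries.get((site, question))


# Constructed, illustrative sizes (assumptions, not data from the study):
# roughly how many plausible answers an attacker would have to try.
GUESSABLE_ANSWER_SPACES = {
    "What's your favorite sports team?": 32,   # about one league's worth of teams
    "Where were you born?": 1000,              # a list of larger cities
    "What's your pet's name?": 5000,           # a list of popular pet names
}


def compare(length: int = 20) -> Dict[str, float]:
    """Bits of guessing work for each guessable question next to a
    generated random answer of `length` characters."""
    result = {q: entropy_bits(n) for q, n in GUESSABLE_ANSWER_SPACES.items()}
    result["random answer"] = entropy_bits(len(ALPHABET) ** length)
    return result


if __name__ == "__main__":
    vault = AnswerVault()
    stored = vault.set_answer("example.com", "What's your pet's name?")
    print("stored answer:", stored)
    for question, bits in compare().items():
        print(f"{bits:6.1f} bits  {question}")
```

The random answer is only useful if the vault survives: lose the stored value and you are in the same position as the participants who forgot their own answers, with the phone call to the company as the only way back in.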

Via Technology Review