It's no Secret



Transcript of It's no Secret

Page 1: It's no Secret

IT’S NO SECRET

Special Topics in Applied Security

{Stuart Schechter, A.J. Bernheim Brush} @ Microsoft Research; Serge Egelman @ Carnegie Mellon University

Nuno Loureiro, 2009/11/26

Research Presentation

Measuring the security and reliability of authentication via secret questions

2009 30th IEEE Symposium on Security and Privacy

Thursday, November 26, 2009

Page 2: It's no Secret

Nuno Loureiro, Special Topics in Applied Security

SUBJECT OF STUDY

• AOL, Gmail, Hotmail and Yahoo! webmails...

• rely on personal questions to reset account passwords

• But is it safe?


Page 3: It's no Secret


SUBJECT OF STUDY


Page 4: It's no Secret


SUMMARY

• Why use secret questions?
• Motivation
• Study
• Memorability
• Statistical Guessing
• Guessing by Acquaintance
• Security of User-written Questions
• Improving Questions
• Alternatives


Page 5: It's no Secret


WHY USE SECRET QUESTIONS?

• Most sites depend on email as a backup authenticator to reset passwords

• Webmail services cannot assume their users have an alternative email address as a backup authenticator.


Page 6: It's no Secret


MOTIVATION

• Sarah Palin’s Yahoo! Mail account was hacked in Sep 2008 via her secret question

• First secret question was... “what is your birthdate?”

• Second question was... “where did you meet your spouse?”

Page 7: It's no Secret


MOTIVATION

• Prior studies concluded:

• 33-39% of their answers guessed by spouses, family and close friends

• Participants forgot 20-22% of their own answers within 3 months

Page 8: It's no Secret


STUDY

• Top four webmail providers: AOL, Google, Microsoft, Yahoo

• Examined real-world questions in use in Mar 2008

• Invited participants in pairs

• Asked them personal questions and to guess partners’ answers

• Measured guessing by untrusted acquaintances

• Statistical guessing attacks

Page 9: It's no Secret


POOL

• 4 cohorts - 130 participants

• First 3 cohorts (116 participants) were active Hotmail users (3+ logins/week, accounts 3+ months old)

• Each participant invited a coworker, friend, or family member

Page 10: It's no Secret


MEMORABILITY: REMEMBER ANSWER TO OWN QUESTION?

First challenge was:

• Ask Hotmail users (3 cohorts) to reset their password using their personal question

• 57% could not reset their password!

Page 11: It's no Secret


MEMORABILITY: REMEMBER ANSWER AFTER 6 MONTHS?

(Chart: answer within 5 guesses)

Page 12: It's no Secret


STATISTICAL GUESSING

(Chart.) Criterion: an answer counts as statistically guessable if it is among the 5 most popular answers provided by other participants (remember that participants were from the same metropolitan area).

Page 13: It's no Secret


GUESSING BY ACQUAINTANCE

(Chart: answer within 5 guesses)

Page 14: It's no Secret


GUESSING BY ACQUAINTANCE

Curiosities:

• 50% of spouses failed to guess: “Where did you meet your spouse?”

• 28% of spouses failed to guess: “Where were you born?”

• 50% of fiancés failed to guess: “Where were you born?”

Page 15: It's no Secret


SECURITY OF USER-WRITTEN QUESTIONS

• 24% vulnerable to attacks that require no personal knowledge

• 23% vulnerable to family members

Page 16: It's no Secret


IMPROVING QUESTIONS

• Limit the user to a fixed threshold of responses. Responses could be penalized in proportion to their popularity, but a user should not be penalized for a response that is identical to a previous one (e.g. ‘Brooklyn’ and ‘Brooklyn, NY’)

• Eliminate questions that are statistically guessable >10% of the time

• After login, occasionally ask the user to answer their personal question
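A worked example, added here and not part of the slides or of the Schechter, Brush and Egelman paper, that puts the ideas from the Statistical Guessing slide and the three points above into Python: the guessability criterion (an answer counts as guessed if it is among the 5 most popular answers of the other users, computed leave-one-out), the >10% elimination threshold, and a reset session with a fixed response budget in which wrong guesses are charged in proportion to their popularity while an equivalent spelling (‘Brooklyn’ vs ‘Brooklyn, NY’) is not charged twice. The answer pool, the token-subset equivalence heuristic and the popularity weight of 4 are this example's own assumptions, not values from the paper.

```python
import re
from collections import Counter

# Constructed sample data (not the study's data): enrollment answers from a
# small pool of users in one region, one list per question.
ANSWERS = {
    "Where were you born?": [
        "Pittsburgh", "Pittsburgh, PA", "pittsburgh", "Philadelphia", "Erie",
        "Pittsburgh", "Harrisburg", "Pittsburgh PA", "Scranton", "Altoona",
    ],
    "What is the name of your first pet?": [
        "Rex", "Buddy", "Max", "Snowball", "Zelda", "Mr. Whiskers",
        "Daisy", "Bella", "Rocky", "Fluffy",
    ],
}

TOP_K = 5                # attacker tries the 5 most popular answers
MAX_GUESSABLE = 0.10     # eliminate questions guessable >10% of the time
GUESS_BUDGET = 5.0       # fixed threshold of responses per reset attempt
POPULARITY_WEIGHT = 4.0  # assumed weight: extra cost of a popular guess


def normalize(answer):
    """Lower-case, strip punctuation and collapse whitespace."""
    return " ".join(re.sub(r"[^\w\s]", " ", answer.lower()).split())


def equivalent(a, b):
    """Heuristic assumed for this example (not the paper's rule): two responses
    are the same answer when the tokens of one are a subset of the other's,
    so 'Brooklyn' and 'Brooklyn, NY' count as identical."""
    ta, tb = set(normalize(a).split()), set(normalize(b).split())
    return bool(ta) and bool(tb) and (ta <= tb or tb <= ta)


def cluster(answers):
    """Map each raw answer onto the first equivalent answer seen, so spelling
    variants are counted as one answer when measuring popularity."""
    canon, out = [], []
    for a in answers:
        n = normalize(a)
        match = next((c for c in canon if equivalent(c, n)), None)
        if match is None:
            canon.append(n)
            match = n
        out.append(match)
    return out


def guessability(answers, top_k=TOP_K):
    """Fraction of users whose answer is among the top_k most popular answers
    of the *other* users (leave-one-out, mirroring the slide's criterion)."""
    canon = cluster(answers)
    hits = 0
    for i, mine in enumerate(canon):
        others = Counter(canon[:i] + canon[i + 1:])
        if mine in [a for a, _ in others.most_common(top_k)]:
            hits += 1
    return hits / len(canon)


def evaluate_questions(answers_by_question, limit=MAX_GUESSABLE):
    """Return {question: (guessability, 'keep' | 'eliminate')}."""
    report = {}
    for q, answers in answers_by_question.items():
        g = guessability(answers)
        report[q] = (g, "eliminate" if g > limit else "keep")
    return report


class ResetSession:
    """Guesses at one user's answer under a fixed budget. Each wrong guess
    costs 1 plus a penalty proportional to how popular that guess is in the
    pool; re-submitting an equivalent spelling is not charged again."""

    def __init__(self, true_answer, pool, budget=GUESS_BUDGET):
        self.true = normalize(true_answer)
        self.pool = cluster(pool)
        self.budget = budget
        self.spent = 0.0
        self.seen = []

    def popularity(self, guess):
        n = normalize(guess)
        return sum(1 for a in self.pool if equivalent(a, n)) / len(self.pool)

    def submit(self, guess):
        """Return 'ok', 'wrong', 'repeat' or 'locked'."""
        if self.spent >= self.budget:
            return "locked"
        n = normalize(guess)
        if equivalent(n, self.true):
            return "ok"
        if any(equivalent(n, s) for s in self.seen):
            return "repeat"  # same answer, different spelling: no extra charge
        self.seen.append(n)
        self.spent += 1.0 + POPULARITY_WEIGHT * self.popularity(n)
        return "locked" if self.spent >= self.budget else "wrong"


if __name__ == "__main__":
    for q, (g, verdict) in evaluate_questions(ANSWERS).items():
        print(f"{g:.0%} guessable -> {verdict}: {q}")
    s = ResetSession("Altoona", ANSWERS["Where were you born?"])
    for guess in ["Pittsburgh", "Pittsburgh, PA", "Erie", "Scranton", "Altoona"]:
        print(f"{guess!r}: {s.submit(guess)} (spent {s.spent:.1f}/{s.budget:.0f})")
```

With this pool the birthplace question is 50% guessable (half the users share the region's largest city) and is eliminated, while the pet-name question, where every answer is unique, scores 0% and is kept. In the session, a single guess at the most popular answer costs 3 of the 5-point budget, so two further unique guesses lock the account before the correct answer can be tried; the lockout is the point of weighting by popularity rather than counting attempts alone.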


Page 17: It's no Secret


ALTERNATIVES

• Send token to alternate email address

• SMS token to mobile phone

• Personal question only if user does not provide any of the above


Page 18: It's no Secret


YAHOO!


Page 19: It's no Secret


GMAIL


Page 20: It's no Secret


SAPO


Page 21: It's no Secret


QUESTIONS?

THANK YOU!
