ITPRO

Printed from www.itpro.co.uk


Boffins beef up password prompt security

A group of US university-based scientists has proposed an overhaul of password-reminder prompts.

By Stewart Mitchell, 11 Nov 2009 at 10:42


A new system that improves the security of online prompt questions for web-based shopping has been unveiled by a group of scientists working at Rutgers University.

Most online shops and other secure areas currently ask relatively simple questions, such as “What was your mother's maiden name?” or “Where were you born?” for ID verification before sending out a password reminder.

But security experts say these questions represent a real security threat and need to be updated with questions that constantly change based on a user's digital history.

“We call them activity-based personal questions,” said Danfeng Yao, assistant professor of computer science in the Rutgers School of Arts and Sciences. “Sites could ask, ‘When was the last time you sent an e-mail?’ or, ‘What did you do yesterday at noon?’

“It's about using information that is much harder to obtain.”

Answering these questions is far harder for would-be hackers, the scientists claim, because the information is less widely available.

“There are several issues with the security of conventional secret questions,” Yao told IT PRO's sister site PC Pro.

“They are static and long-lived and do not usually change, so a user's answers may be gathered or deduced by people around the user. Public databases and personal profiles at social networking websites make guessing these questions easier.”

Yao said she gave students in her lab several questions related to network activities, physical activities and opinion questions, and then told them to “attack” each other.

“We found that questions related to time are more robust than others,” she said. “Many guessed the answer to the question, ‘Who was the last person you sent e-mail to?’ but if we asked what time it was sent, it was much harder.”

What happens when users forget what time they sent that email or where they had a meeting yesterday? “One approach is to create cues for events that will later be used, which would help the user remember the event later on. In addition, we use existing cognitive science knowledge to carefully select events that are specific to an individual and may cause flash-bulb memories.”

Security managers hoping to roll out the system may have to wait some time for a commercial product, according to the researchers. “We are currently developing a prototype system which we expect to be ready and available for testing by May 2010,” Yao said.

“The system has both server-side and client-side components, so we need to perform a substantial amount of testing on both security and memorability before we bring our solution to the market.”


2 comments


RE:

It's only a week since you had an article about people 'drowning' in passwords. Indeed I have just had to get a reminder of mine to post here, I have dozens of the dratted things! Now they are suggesting we face a memory test instead - Sorry but I haven't the foggiest who I emailed yesterday at midday! I can give you a list.
Strikes me we are indeed drowning and need a completely new approach.
Isn't it time we abandoned all this confusion and all PCs came with some sort of biometric device like a fingerprint reader or an ID card scanner? I would gladly buy a small bit of kit to be free of the existing situation.

By woodsy42 on Wednesday Nov 11


Umm... This has already been done and is available-

Do these guys not check the product market? There is already a GREAT product that overcomes this issue - "Password Reset PRO" from http://www.sysoptools.com - It is a web-based self-service portal that uses image-based ID enrollment and validation (very secure and easy to remember for the enrolling users). Basically, no lame / outdated Q/A stuff. This product uses AD 100% with no modifications required, no weird database installs, uses IIS for the web tier, and is highly compliant / secure. Anyway, just wanted to share that a good product ALREADY EXISTS!

By t3chGuy on Wednesday Nov 11
