Mum's maiden name not strong enough for password backup

9 Mar, 2010

Passwords are too weak and backup security questions aren't tough enough, either.

Using your mother’s maiden name or your pet’s name for backup to your password may not be all that secure, according to one researcher.

Many web services - especially webmail - use personal details as backup when a users forgets his or her password.

But such details are easy to look up online or can be found in public records, warned University of Cambridge security researcher Joseph Bonneau in his blog. And don’t trust your friends – most will have or be able to guess the information, too.

And that's just a small part of the problem. Research by Bonneau and University of Edinburgh researchers Mike Just and Greg Matthews showed it’s statistically possible for attackers to just guess the answers.

“We’re concerned with a trawling attacker, who will guess values like ‘Smith,’ ‘Jones,’ and ‘Johnson’ for a target’s mother’s maiden name, and then move on to other accounts if these don’t work,” Bonneau said.

“The frequencies of uncommon names like ‘Zabielskis’ are irrelevant because a trawling attacker will never try them,” he said, adding such rare names might make the system appear more secure than it really is.

As most password backup systems ask for names of people, pets or places, the researchers looked at census data, pet registrations, and even “completely crawled” Facebook, grabbing 269 million full names.

He said using such data paired with the three guesses most sites allow before locking down an account gives about eight bits of effective security. “That is, about at least 1 in 256 guesses would be successful, and 1 in 84 accounts compromised," he wrote. "For an attacker who can make more than three guesses and wants to break into 50 per cent of available accounts, no distributions gave more than about 12 bits of effective security.”

Some names were harder to guess than others, he noted, with South Korean names tougher than American names, female names tougher than male names, and pet names actually harder to guess than human names.

“Combined with previous results on other attack methods, there should be no doubt that personal knowledge questions are no longer viable for email, which has come to play too critical a role in web security,” he said.

The problem doesn’t just affect websites using the system, either. “Unfortunately, because most websites rely on email when passwords fail, and email providers rely on personal knowledge questions, most web authentication is no more secure than personal knowledge questions,” Bonneau warned.