Mum's maiden name not strong enough for password backup

Passwords are too weak and backup security questions aren't tough enough, either.

password

Using your mother's maiden name or your pet's name for backup to your password may not be all that secure, according to one researcher.

Many web services - especially webmail - use personal details as backup when a users forgets his or her password.

But such details are easy to look up online or can be found in public records, warned University of Cambridge security researcher Joseph Bonneau in his blog. And don't trust your friends most will have or be able to guess the information, too.

And that's just a small part of the problem. Research by Bonneau and University of Edinburgh researchers Mike Just and Greg Matthews showed it's statistically possible for attackers to just guess the answers.

"We're concerned with a trawling attacker, who will guess values like Smith,' Jones,' and Johnson' for a target's mother's maiden name, and then move on to other accounts if these don't work," Bonneau said.

"The frequencies of uncommon names like Zabielskis' are irrelevant because a trawling attacker will never try them," he said, adding such rare names might make the system appear more secure than it really is.

As most password backup systems ask for names of people, pets or places, the researchers looked at census data, pet registrations, and even "completely crawled" Facebook, grabbing 269 million full names.

He said using such data paired with the three guesses most sites allow before locking down an account gives about eight bits of effective security. "That is, about at least 1 in 256 guesses would be successful, and 1 in 84 accounts compromised," he wrote. "For an attacker who can make more than three guesses and wants to break into 50 per cent of available accounts, no distributions gave more than about 12 bits of effective security."

Some names were harder to guess than others, he noted, with South Korean names tougher than American names, female names tougher than male names, and pet names actually harder to guess than human names.

"Combined with previous results on other attack methods, there should be no doubt that personal knowledge questions are no longer viable for email, which has come to play too critical a role in web security," he said.

The problem doesn't just affect websites using the system, either. "Unfortunately, because most websites rely on email when passwords fail, and email providers rely on personal knowledge questions, most web authentication is no more secure than personal knowledge questions," Bonneau warned.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

1Password Business review: First choice for business travel and guest accounts
Security

1Password Business review: First choice for business travel and guest accounts

16 Jul 2021
Keeper Security review: Keeps corporate password management simple
Software

Keeper Security review: Keeps corporate password management simple

9 Jul 2021
Dashlane review: A very web-focused password manager
Security

Dashlane review: A very web-focused password manager

2 Jul 2021
LastPass review: Great to administrate, a little clunky to use
Software

LastPass review: Great to administrate, a little clunky to use

25 Jun 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021