
Mum's maiden name not strong enough for password backup

Passwords are too weak and backup security questions aren't tough enough, either.


Using your mother's maiden name or your pet's name for backup to your password may not be all that secure, according to one researcher.

Many web services - especially webmail - use personal details as a backup when a user forgets his or her password.

But such details are easy to look up online or can be found in public records, warned University of Cambridge security researcher Joseph Bonneau in his blog. And don't trust your friends: most will have, or be able to guess, the information too.

And that's just a small part of the problem. Research by Bonneau and University of Edinburgh researchers Mike Just and Greg Matthews showed it's statistically possible for attackers to just guess the answers.

"We're concerned with a trawling attacker, who will guess values like 'Smith,' 'Jones,' and 'Johnson' for a target's mother's maiden name, and then move on to other accounts if these don't work," Bonneau said.

"The frequencies of uncommon names like 'Zabielskis' are irrelevant because a trawling attacker will never try them," he said, adding that such rare names might make the system appear more secure than it really is.

As most password backup systems ask for names of people, pets or places, the researchers looked at census data, pet registrations, and even "completely crawled" Facebook, grabbing 269 million full names.

He said that, against such data, the three guesses most sites allow before locking an account leave about eight bits of effective security. "That is, about at least 1 in 256 guesses would be successful, and 1 in 84 accounts compromised," he wrote. "For an attacker who can make more than three guesses and wants to break into 50 per cent of available accounts, no distributions gave more than about 12 bits of effective security."
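As an added illustration (not code from the article or from Bonneau's research), the Python below computes the effective-security metric the article describes for a trawling attacker limited to a fixed number of guesses per account, and contrasts it with Shannon entropy, which rare answers inflate. The answer names and counts are constructed for the example, not census, pet-registration or Facebook data.

```python
"""Effective security of a personal-knowledge question against a trawling attacker.

Added example, not code from the article or from Bonneau's research. It models
the metric the article describes: the attacker tries the beta most common
answers per account (beta = 3 for a site that locks after three tries) and
moves on. The answer distribution is CONSTRUCTED for illustration; it is not
census, pet-registration or Facebook data.
"""
import math
from collections import Counter

# Constructed counts of "mother's maiden name" answers across 4,000 accounts.
COMMON = Counter({"Smith": 1000, "Johnson": 800, "Williams": 600, "Brown": 400,
                  "Jones": 400, "Miller": 300, "Davis": 300, "Garcia": 200})
# The same population plus 1,000 accounts with unique, rare answers.
WITH_RARE = COMMON + Counter(f"rare-name-{i}" for i in range(1000))


def top_guesses(counts, beta):
    """The trawling attacker's guess list: the beta most common answers."""
    return [name for name, _ in counts.most_common(beta)]


def fraction_compromised(counts, beta):
    """lambda_beta: share of accounts whose answer is among the top beta guesses."""
    total = sum(counts.values())
    return sum(counts[name] for name in top_guesses(counts, beta)) / total


def effective_bits(counts, beta):
    """Marginal success rate in bits, log2(beta / lambda_beta).
    2 ** -bits is the chance that any single guess succeeds."""
    return math.log2(beta / fraction_compromised(counts, beta))


def compromised_from_bits(bits, beta):
    """Invert the metric: fraction of accounts lost when each guess succeeds
    with probability 2**-bits and beta guesses are allowed per account."""
    return beta * 2.0 ** -bits


def shannon_bits(counts):
    """Shannon entropy of the answer distribution, which rare answers inflate."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


if __name__ == "__main__":
    for label, dist in (("common only", COMMON), ("with rare tail", WITH_RARE)):
        print(f"{label:15} Shannon {shannon_bits(dist):5.2f} bits, "
              f"3-guess effective {effective_bits(dist, 3):5.2f} bits, "
              f"{fraction_compromised(dist, 3):.0%} of accounts compromised")
    # The article's figure: eight bits with three guesses allowed per account.
    print(f"8 bits, 3 guesses: {compromised_from_bits(8, 3):.2%} of accounts")
```

Adding the rare tail raises Shannon entropy by more than two bits but the three-guess metric by less than half a bit, which is the gap the article warns about.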

Some names were harder to guess than others, he noted, with South Korean names tougher than American names, female names tougher than male names, and pet names actually harder to guess than human names.

"Combined with previous results on other attack methods, there should be no doubt that personal knowledge questions are no longer viable for email, which has come to play too critical a role in web security," he said.

The problem doesn't just affect websites using the system, either. "Unfortunately, because most websites rely on email when passwords fail, and email providers rely on personal knowledge questions, most web authentication is no more secure than personal knowledge questions," Bonneau warned.
