Mum's maiden name not strong enough for password backup

Passwords are too weak and backup security questions aren't tough enough, either.

password

Using your mother's maiden name or your pet's name for backup to your password may not be all that secure, according to one researcher.

Many web services - especially webmail - use personal details as backup when a users forgets his or her password.

But such details are easy to look up online or can be found in public records, warned University of Cambridge security researcher Joseph Bonneau in his blog. And don't trust your friends most will have or be able to guess the information, too.

And that's just a small part of the problem. Research by Bonneau and University of Edinburgh researchers Mike Just and Greg Matthews showed it's statistically possible for attackers to just guess the answers.

"We're concerned with a trawling attacker, who will guess values like Smith,' Jones,' and Johnson' for a target's mother's maiden name, and then move on to other accounts if these don't work," Bonneau said.

"The frequencies of uncommon names like Zabielskis' are irrelevant because a trawling attacker will never try them," he said, adding such rare names might make the system appear more secure than it really is.

As most password backup systems ask for names of people, pets or places, the researchers looked at census data, pet registrations, and even "completely crawled" Facebook, grabbing 269 million full names.

He said using such data paired with the three guesses most sites allow before locking down an account gives about eight bits of effective security. "That is, about at least 1 in 256 guesses would be successful, and 1 in 84 accounts compromised," he wrote. "For an attacker who can make more than three guesses and wants to break into 50 per cent of available accounts, no distributions gave more than about 12 bits of effective security."

Some names were harder to guess than others, he noted, with South Korean names tougher than American names, female names tougher than male names, and pet names actually harder to guess than human names.

"Combined with previous results on other attack methods, there should be no doubt that personal knowledge questions are no longer viable for email, which has come to play too critical a role in web security," he said.

The problem doesn't just affect websites using the system, either. "Unfortunately, because most websites rely on email when passwords fail, and email providers rely on personal knowledge questions, most web authentication is no more secure than personal knowledge questions," Bonneau warned.

Featured Resources

BCDR buyer's guide for MSPs

How to choose a business continuity and disaster recovery solution

Download now

The definitive guide to IT security

Protecting your MSP and your customers

Download now

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

Download now

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Recommended

Data breach exposes widespread fake reviews on Amazon
data breaches

Data breach exposes widespread fake reviews on Amazon

7 May 2021
TsuNAME vulnerability could enable DDoS attacks on major DNS servers
distributed denial of service (DDOS)

TsuNAME vulnerability could enable DDoS attacks on major DNS servers

7 May 2021
What are SSH keys?
cyber security

What are SSH keys?

7 May 2021
Google’s about to push everyone into two-factor authentication
Security

Google’s about to push everyone into two-factor authentication

6 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021
Qualcomm modem flaw puts millions of Android users at risk
Google Android

Qualcomm modem flaw puts millions of Android users at risk

6 May 2021