Password resets are a dodgy business
Web site logins need to strike a careful balance between security and customer friendliness. Unfortunately, it seems that the password reset facilities offered to customers undermine that security.
A joint study by Microsoft Research and Carnegie Mellon University, presented on Wednesday at the IEEE Symposium on Security and Privacy in Oakland, California, concluded that even the best and most elaborate login system is of little use if it provides an easily exploited back door. The researchers examined the mechanisms currently used for resetting passwords and found that the so-called "secret question" in particular (favourite colour, first pet, elementary school and the like) represents a glaring security hole: the answers are drawn from a small, predictable space and are frequently known to, or guessable by, people close to the account holder.
Of the acquaintances whom the 130 test subjects knew and trusted, 28 per cent were able to guess the correct answers. Worse still, even people completely unknown to the test subjects had a 17 per cent chance of guessing the "secret" answers.
Microsoft researcher Stuart Schechter, one of the authors of the study, says frankly that the technique is not as secure as one would expect of a backup authentication mechanism. A further defect is that the approach is not even reliable enough to ensure that users can actually recover their passwords: they have often simply forgotten their own answers.
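The weakness the study describes is a property of how answers are distributed across users: when most people pick one of a handful of colours, an attacker who simply tries the most popular answers first wins often, regardless of how elaborate the primary login is. The Python below is an added example, not code from the article or from the Schechter study; the favourite-colour sample it works on is constructed for illustration (hypothetical, not the paper's data), and `token_guess_probability` is included only to contrast the question with a random reset token.

```python
"""Added example (not from the article or the cited paper): measure how
guessable a "secret question" is from the distribution of its answers.

The attacker model is the study's "stranger" case: no knowledge of the
victim, just the most popular answers tried in order. The sample below
is CONSTRUCTED for illustration, not survey data.
"""
from collections import Counter
import math

# Hypothetical answers to "What is your favourite colour?" from 100 users.
FAVOURITE_COLOUR_SAMPLE = (
    ["blue"] * 30 + ["Green"] * 18 + ["red"] * 14 + ["purple"] * 10
    + ["black"] * 8 + ["yellow"] * 6 + ["orange"] * 5 + ["pink"] * 4
    + ["white"] * 3 + ["teal"] * 2
)


def answer_distribution(answers):
    """Normalize answers (case, whitespace) the way a reset form must to be
    usable, then return (answer, probability) sorted most popular first.
    Note that normalization also shrinks the space an attacker must search."""
    counts = Counter(a.strip().lower() for a in answers)
    total = sum(counts.values())
    return [(a, c / total) for a, c in counts.most_common()]


def guess_success_probability(dist, k):
    """Chance that the top-k popularity attack guesses a random user's answer
    within k attempts (e.g. before a lockout threshold is reached)."""
    return sum(p for _, p in dist[:k])


def guesses_to_reach(dist, target):
    """Smallest number of attempts at which the popularity attack succeeds
    against at least `target` of users; None if the sample cannot reach it."""
    cumulative = 0.0
    for k, (_, p) in enumerate(dist, start=1):
        cumulative += p
        if cumulative >= target - 1e-12:
            return k
    return None


def guessing_entropy_bits(dist):
    """Shannon entropy of the answer distribution in bits. It is an optimistic
    figure: it ignores the acquaintance who already knows the answer."""
    return -sum(p * math.log2(p) for _, p in dist if p > 0)


def token_guess_probability(token_bits, attempts):
    """For comparison: chance of guessing a uniformly random reset token of
    `token_bits` bits within `attempts` tries."""
    return attempts / float(2 ** token_bits)


if __name__ == "__main__":
    dist = answer_distribution(FAVOURITE_COLOUR_SAMPLE)
    print(f"entropy: {guessing_entropy_bits(dist):.2f} bits")
    for k in (1, 3, 5):
        print(f"top-{k} guesses succeed against "
              f"{guess_success_probability(dist, k):.0%} of users")
    print(f"attempts needed to hit half of users: {guesses_to_reach(dist, 0.5)}")
    print(f"128-bit token, 5 attempts: {token_guess_probability(128, 5):.3g}")
```

The useful comparison is between `guess_success_probability(dist, k)` for whatever attempt limit the reset form enforces and `token_guess_probability(bits, k)` for a mailed reset link: a lockout after five tries barely dents the popularity attack against a low-entropy question, while it is irrelevant to a random token of reasonable length.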
- It's no secret, the Microsoft conference paper.