In a recent study by Microsoft and Carnegie Mellon University, researchers found that the answers to the secret questions we use on Web sites to verify and protect our identity are fairly easy to guess. In a study involving 130 people, 28 percent of the people whom participants identified as trusted parties were able to guess the answers to those participants' supposedly secret questions. Even people the participants did not trust had a 17 percent chance of guessing the correct answer. This research will be presented at the IEEE Symposium on Security and Privacy this week.
I think the problem goes much deeper. I made a quick list of accounts that the average person could conceivably have:
Let's face it, there could be many more and your situation may vary, but this is a good starting point. How do you remember the login and passwords for all of these accounts? Do you write them down? Do you use the same login and password for all of them?
Most people do rely on those secret questions. I have to say that I am not a fan of the "canned" secret questions. When a site offers only a handful of questions, it increases an attacker's chances of guessing the correct answer, because the pool of possible questions and likely answers is small. A quick Internet search on most people could reveal information that an attacker could use against them. I think the sites that allow you to create your own secret questions are far better. I would like to hear your opinion. Do you use the same questions for the majority of your accounts?
For more information on how to create better passwords, and how to create better password policies, see these documents available for download in the Knowledge Network: