New Scientist reports on a study that shows how bad “secret questions” are at protecting your accounts:

What’s your secret question? Your mother’s maiden name? Your first pet? For many people, facts like these are all that protect their email and other accounts should they forget their password.

Now a new study (pdf) by researchers at Microsoft Research in Redmond, Washington, US, reveals just how easy the answers to such security questions are for other people to guess.

Acquaintances of 32 webmail users — people with whom they would not normally share their login details — were asked to try to guess the answers users assigned to protect their accounts. The volunteers managed to guess correctly nearly a fifth of the time, raising questions over how secure the commonly used system is.

Of course, the study doesn’t “raise” these questions: many of us in the computer security business have been railing against this stuff for years, and I noted it in my regular blog two years ago. But the study provides documentation of the problem, with statistics to back up our arguments.

If you have to use a “security question”, consider my advice from that 2007 item, and treat the answer not as the real answer to a question, but as a second password:

What might not be obvious, though, even with the maiden name thing, is that you don’t have to tell them the truth. It’s a password. So when you hear, “What’s your mother’s maiden name?”, mentally turn that into, “Please give me an alternative password for your account, in case you forget the other one.” And instead of saying, “Johnson”, say something like, “Jules Verne, green cheese”. Yeah, they’ll probably respond, “Say what?”, but just insist on it and make them put it in their records.

The New Scientist article makes another valuable point, quoting Ross Anderson of Cambridge University: that because online services often use your email address as a secure way to contact you, your email account is a particularly critical one to protect. When I was reminded of that, I changed the password on my email account from one that already was probably better than yours, to one that’s better still.

As an alternative to the “mother’s maiden name” thing, Microsoft suggests something similar to the “web of trust” that’s used with some systems of security certificates. Instead of picking a “security question”, you designate a set of people you know and trust. If you forget your password and request access, the service gives recovery tokens to those you designated. You collect some number of those tokens from them, and the service accepts that as evidence of your identity.
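To make the trustee scheme concrete, here is an added sketch (my own illustration, not Microsoft's design or code) of how a service might issue per-trustee recovery tokens and accept a reset only once enough distinct trustees have vouched. The HMAC-bound tokens, the time limit and the single-use rule are assumptions about how such a service would work, not details from the paper.

```python
import hmac
import hashlib
import secrets
import time


class TrusteeRecovery:
    """Threshold recovery: the user designates trustees in advance; a reset
    succeeds only when tokens from at least `threshold` of them are presented.
    (Assumed design for illustration.)"""

    def __init__(self, trustees, threshold, ttl_seconds=3600):
        if not 1 <= threshold <= len(set(trustees)):
            raise ValueError("threshold must be between 1 and the number of trustees")
        self.trustees = set(trustees)
        self.threshold = threshold
        self.ttl = ttl_seconds
        self.server_key = secrets.token_bytes(32)  # known only to the service
        self.request_id = None                     # open recovery request, if any
        self.issued_at = None

    def start_recovery(self, now=None):
        """User reports a forgotten password: open a request and hand each
        trustee a token bound to this request (in practice sent to them, not
        to the user)."""
        self.request_id = secrets.token_hex(16)
        self.issued_at = time.time() if now is None else now
        return {t: self._token(t) for t in self.trustees}

    def _token(self, trustee):
        msg = f"{self.request_id}|{trustee}".encode()
        return hmac.new(self.server_key, msg, hashlib.sha256).hexdigest()

    def verify_recovery(self, presented, now=None):
        """presented: list of (trustee_name, token) pairs the user collected.
        Returns True only for >= threshold distinct, valid, unexpired trustees."""
        if self.request_id is None:
            return False                     # no open request (or already used)
        now = time.time() if now is None else now
        if now - self.issued_at > self.ttl:
            return False                     # tokens have expired
        vouched = set()                      # a set, so repeats from one trustee count once
        for trustee, token in presented:
            if trustee in self.trustees and hmac.compare_digest(token, self._token(trustee)):
                vouched.add(trustee)
        ok = len(vouched) >= self.threshold
        if ok:
            self.request_id = None           # single use: a replay cannot reset again
        return ok
```

Anyone outside the designated set, a trustee whose token is forged or wrong, or the same trustee repeated three times does not count toward the threshold.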

If you’re careful to pick trustworthy friends to designate, that really sounds like a good scheme.[1] I hope it catches on.

[1] The only real drawback I can see is that your designated friends will all know when you need your password reset. If that happens a lot, you might find it embarrassing. (It also means you can’t recover access to your account with a single message or phone call, but that’s probably a good thing, from a security point of view.)