Monday, February 08, 2010

Be careful when picking your passwords

"Email accounts at risk from not-so-secret questions" reports:

The "secret questions" used to secure online bank accounts and email services are worryingly easy to crack. So says Joseph Bonneau of the University of Cambridge, whose team has calculated the chances of an attacker correctly guessing secret answers.

Using data from sources such as national censuses and pet registries, the team calculated that if allowed three guesses, the norm for many websites, an attacker could correctly guess 1 in 80 answers.

That's too low to target a specific individual. But it is more than enough to allow a hacker to build software to compromise online accounts, such as webmail services, by attempting to guess questions in large volumes, says Bonneau.

For a "secret question" you might consider adding a secret phrase before or after the "right" answer. For example, if the question is "What was the name of your first pet?" and the answer is "Trigger", you might always add something like 1492, so the site would only accept Trigger1492. That way, even if someone is able to mine your data, they'll have a much harder time guessing your answer.
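As an added illustration (not part of the original post or the Cambridge study), the following Python models the attack the article describes: an attacker with a short list of popular answers and three tries per account, run across many accounts, and then the effect of the suffix trick from the post. The pet-name counts are constructed so that the top three guesses cover 1 in 80 answers, matching the article's figure; they are not real census or registry data.

```python
import hmac

# Constructed sample: how many of 10,000 respondents gave each "first pet" answer.
# The real study used census and pet-registry data; these counts are made up so
# that the three most common answers cover 125/10000 = 1 in 80 users.
PET_NAME_COUNTS = {
    "max": 50, "buddy": 40, "bella": 35, "charlie": 30, "lucy": 25,
    "trigger": 5,
    "other": 9815,   # stands in for the long tail of rare or unique names
}

def top_k_guess_probability(counts, k):
    """Chance that one of the attacker's k most popular guesses matches a
    randomly chosen user's answer. The long tail ("other") is not guessable."""
    total = sum(counts.values())
    guessable = [n for name, n in counts.items() if name != "other"]
    return sum(sorted(guessable, reverse=True)[:k]) / total

def expected_compromised(n_accounts, p_success):
    """Accounts an attacker expects to open when trying every account once."""
    return n_accounts * p_success

def normalize(answer):
    # Sites typically ignore case and surrounding whitespace when checking answers.
    return answer.strip().lower()

def check_answer(stored, attempt):
    # Defender-side verifier: constant-time comparison of normalized answers.
    return hmac.compare_digest(normalize(stored).encode(), normalize(attempt).encode())

def bulk_attack(stored_answers, guesses, max_attempts=3):
    """Count how many accounts fall to one shared guess list when each account
    allows only max_attempts tries (the three-guess norm the article mentions)."""
    compromised = 0
    for stored in stored_answers:
        if any(check_answer(stored, g) for g in guesses[:max_attempts]):
            compromised += 1
    return compromised

if __name__ == "__main__":
    p = top_k_guess_probability(PET_NAME_COUNTS, 3)
    print(f"3-guess success rate: {p:.4f} (1 in {1 / p:.0f})")
    print("expected hits over 1,000,000 accounts:", expected_compromised(1_000_000, p))
    # Constructed stored answers: plain answers versus answers with a secret suffix.
    accounts = ["Max", "Bella", "Trigger", "Max1492", "Bella 1492"]
    popular = ["max", "buddy", "bella", "charlie"]
    print("accounts opened by popular-answer attack:", bulk_attack(accounts, popular))
```

The last line shows the point of the suffix: the two accounts that stored "Max1492" and "Bella 1492" survive the same guess list that opens the plain "Max" and "Bella" accounts.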

(Hat tip: Instapundit)

Technorati tags: secret, passwords
