In research to be presented at the IEEE Symposium on Security and Privacy [virginia.edu] this week, researchers from Microsoft and Carnegie Mellon University plan to show that the secret questions used to secure the password-reset functions of a variety of websites are woefully insecure.
In a study involving 130 people, the researchers found that 28 percent of the people who knew the study’s participants and were trusted by them could guess the correct answers to the participants’ secret questions. Even people not trusted by a participant still had a 17 percent chance of guessing the correct answer to a secret question. Read the full story [technologyreview.com]