Password Backup Tips Oxford

As most password backup systems ask for names of people, pets or places, the researchers looked at census data, pet registrations, and even "completely crawled" Facebook, grabbing 269 million full names.
Redstor Limited
0118 951 5200
St James' Wharf
Reading
Creative PC
01902 332741
530 Wolverhampton Road East
Wolverhampton
Toffa International
01902 650025
Technology Centre Glaisher Drive
Wolverhampton
Eclipse Database Consultants
01260 224606
Congleton Rd, Scholar Green
Stoke
Wachter Network Services Ltd
05601 163413
Unit 1 Headway Business Centre Knowles Lane
Bradford
ABC Data Recovery Ltd
0845-200 2845
Security House/Windsor St
Sheffield
T S Recovery
023 92667799
233 London Rd
Portsmouth
Data Communication Soloutions Ltd
01274 411194
34 Cyprus Av
Bradford
Palin-it
0800 955 4122
6 Swallow Road
Stoke
U S B
0114-267 7697
Royds Mill/Windsor St
Sheffield
Provided By:

Password Backup Tips

Using your mother’s maiden name or your pet’s name for backup to your password may not be all that secure, according to one researcher.

Many web services - especially webmail - use personal details as backup when a users forgets his or her password.

But such details are easy to look up online or can be found in public records, warned University of Cambridge security researcher Joseph Bonneau in his blog. And don’t trust your friends – most will have or be able to guess the information, too.

And that's just a small part of the problem. Research by Bonneau and University of Edinburgh researchers Mike Just and Greg Matthews showed it’s statistically possible for attackers to just guess the answers.

“We’re concerned with a trawling attacker, who will guess values like ‘Smith,’ ‘Jones,’ and ‘Johnson’ for a target’s mother’s maiden name, and then move on to other accounts if these don’t work,” Bonneau said.

“The frequencies of uncommon names like ‘Zabielskis’ are irrelevant because a trawling attacker will never try them,” he said, adding such rare names might make the system appear more secure than it really is.

As most password backup systems ask for names of people, pets or places, the researchers looked at census data, pet registrations, and even “completely crawled” Facebook, grabbing 269 million full names.

He said using such data paired with the three guesses most sites allow before locking down an account gives about eight bits of effective security. “That is, about at least 1 in 256 guesses would be successful, and 1 in 84 accounts compromised," he wrote. "For an attacker who can make more than three guesses and wants to break into 50 per cent of available accounts, no distributions gave more than about 12 bits of effective security.”

Some names were harder to guess than others, he noted, with South Korean names tougher than American names, female names tougher than male names, and pet names actually harder to guess than human names.

“Combined with previous results on other attack methods, there should be no doubt that personal knowledge questions are no longer viable for email, which has come to play too critical a role in web security,” he said.

The problem doesn’t just affect websites using the system, either. “Unfortunately, because most websites rely on email when passwords fail, and email providers rely on personal knowledge questions, most web authentication is no more secure than personal knowledge questions,” Bonneau warned.

Author: Nicole Kobie

Read more from IT PRO: Mum's maiden name not strong enough for password backup