Some major sites on the Web want to know: What was the last name of your kindergarten teacher, the name of your dog, your mother’s maiden name, the brand of your first car or in what year did you graduate from high school?
These are some of the commonly asked “fallback questions” that Web sites pose to users who need to reset their passwords. Some are just as difficult to remember as the password itself. Others are easily guessable (here’s a list of common pet names, for example).
Internet companies want us to pick complex, hard-to-guess passwords. As memory-challenged Web addicts, many of us are hopeless at the task. So we resort to punishing our brains to recall which fallback question we selected when registering on the site, and what, darnit, was the name of that kindergarten teacher anyway?
Markus Jakobsson, principal scientist at the Palo Alto Research Center, and his colleagues think there should be a better way. In a talk at the Security and Human Behavior workshop here in Boston this week, Mr. Jakobsson posited that most of these fallback authentication mechanisms either confound the user or ask for information that an attacker could easily obtain by accessing public records (or a social networking or genealogy site, for that matter).
Mr. Jakobsson and two colleagues have proposed an interesting alternative called Blue Moon Authentication (because, ideally, you only forget your password once in a blue moon). While registering for a site, users are asked to select from a long list of things they like and dislike (punk music, golf, southern food, for example). If they forget their password, they return to the site and are presented with the list of items they selected. Then they have to specify whether they like or dislike each of those things – a quick personality test. Forget about plumbing the depths of your brain; just be yourself. “It turns out very few people have a hard time remembering who they are,” Mr. Jakobsson said.
In a research study of 423 college students, the group honed their questions and determined that the probability that an attacker can answer all the questions accurately was less than one percent. The chances of a legitimate user failing their own personality test were close to zero (although whether people’s choices will change over several years is an unanswered question).
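To make the mechanism concrete, here is a small preference-based reset flow written as an added example for this post. It is not PARC’s Blue Moon code or any vendor’s implementation: the item catalogue, the user records, the tolerance for a couple of changed answers and the attempt limit are all constructed assumptions. The last function computes only the baseline success rate of an attacker who flips a coin for each item; the study figure quoted above concerns attackers who know something about the target, which this example does not model.

```python
"""Like/dislike fallback authentication, as an added example of the scheme
described in the post. Not PARC's code; catalogue, records and limits are
constructed for the demo."""
from math import comb

# Constructed catalogue of prompts a site might offer at registration (hypothetical).
CATALOGUE = [
    "punk music", "golf", "southern food", "opera", "camping", "sushi",
    "horror films", "crossword puzzles", "cats", "running", "board games",
    "spicy food", "jazz", "gardening", "video games", "poetry",
]

MIN_ITEMS = 12       # enough items that coin-flip guessing is hopeless (assumed)
MAX_MISMATCHES = 2   # tolerate a little drift in the owner's tastes (assumed)
MAX_ATTEMPTS = 3     # lock the reset flow after this many failures (assumed)


def enrol(preferences: dict) -> dict:
    """Record the items a user picked at registration and whether each is liked.

    `preferences` maps item -> True (like) / False (dislike). The server keeps
    the answers themselves so it can accept near matches later; a vector of n
    yes/no answers carries at most n bits, so unlike a password it gains little
    from hashing and must rely on limiting attempts instead.
    """
    unknown = set(preferences) - set(CATALOGUE)
    if unknown:
        raise ValueError(f"not in catalogue: {sorted(unknown)}")
    if len(preferences) < MIN_ITEMS:
        raise ValueError(f"pick at least {MIN_ITEMS} items")
    items = sorted(preferences)
    return {"items": items, "answers": [preferences[i] for i in items], "failures": 0}


def challenge(record: dict) -> list:
    """The reset prompt: show the user only the items they chose, never the answers."""
    return list(record["items"])


def verify(record: dict, answers: list) -> bool:
    """Accept the reset if the answers differ from the enrolled ones in at most
    MAX_MISMATCHES positions and the record has not been locked out."""
    if record["failures"] >= MAX_ATTEMPTS:
        return False
    if len(answers) != len(record["answers"]):
        record["failures"] += 1
        return False
    mismatches = sum(a != b for a, b in zip(answers, record["answers"]))
    if mismatches <= MAX_MISMATCHES:
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False


def random_guess_success(n_items: int, tolerance: int, attempts: int = 1) -> float:
    """Probability that an attacker answering every item by a coin flip passes at
    least once in `attempts` independent tries. This is the weakest attacker
    model; it says nothing about an attacker who knows the target's tastes."""
    per_try = sum(comb(n_items, k) for k in range(tolerance + 1)) / 2 ** n_items
    return 1 - (1 - per_try) ** attempts


if __name__ == "__main__":
    # Constructed user: likes every other item of the first twelve prompts.
    user = {item: i % 2 == 0 for i, item in enumerate(CATALOGUE[:12])}
    record = enrol(user)
    print("prompt:", challenge(record))
    print("owner passes:", verify(record, record["answers"]))
    print("coin-flip attacker, 12 items, 2 slips, 3 tries: "
          f"{random_guess_success(12, MAX_MISMATCHES, MAX_ATTEMPTS):.4%}")
```

The tolerance setting is the knob that trades the two failure modes off against each other: raising it covers the "tastes change over the years" concern at the cost of a larger share of the answer space that a guesser can land in, which is exactly what `random_guess_success` makes visible.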
Mr. Jakobsson says that a major Silicon Valley company has completed testing the Blue Moon system and is planning to introduce it to its North American user base later this year. If it takes off, you can safely forget the name of your kindergarten teacher.