The security mechanisms used to protect online accounts are inherently flawed, according to a new paper by researchers at Cambridge and Edinburgh universities.
Joseph Bonneau, Mike Just and Greg Matthews argue in a paper entitled What's in a name? (PDF) that security questions used to verify an account can often be beaten by simple guesswork or through some personal knowledge of the account holder.
"Despite their ubiquity, personal knowledge questions have received relatively little attention from the security community until recently," the paper said.
"User studies have demonstrated the ability of friends, family and acquaintances to guess answers correctly, while other research has found that some questions used have a tiny set of possible answers.
"Many common questions have also been shown to have answers readily available in public databases or online social networks."
The researchers looked at the type of security questions asked using data from a range of online service providers, including banks and financial institutions, as well as webmail services such as Hotmail, Gmail and Yahoo Mail.
One in three asked for a person's name, and one in five asked for a place name. The researchers said that, when faced with these questions and given three guesses, an attacker can compromise roughly one in 80 accounts.
The use of names is unwise because it is possible to identify and focus on the most common names in any given location. The name Smith is popular in the Western world, for example, while Kim is very common in Korea.
"Given names are a matter of fashion and vary in several interesting dimensions. In the countries studied, female names seem to provide slightly higher resistance to guessing than male names," said the paper.
"The diversity of forenames has been increasing slowly but steadily over the past six decades in the US. Curiously, pet names are slightly harder to guess than human names."
Latest Tesla news: Tesla stock price tanks amid reports of 'widening probe' by SEC and claims the base Model 3 loses money
SEC 'probe' takes its toll on Tesla as new research suggests that Tesla loses $6,000 on every $35,000 Model 3
10nm Cannon Lake Core i3-8121U CPUs make a rare outing with Intel's NUC mini PC
'Notorious' Australian child hacker thought he had executed 'flawless' hack
The former employee says that Tesla fired him for bringing the accusations to management internally