It seems that the tried and tested method for users who have forgotten their passwords, the “security question” or, as it’s sometimes known, “secret question,” could well be the weakest link in online security.

The whole 'secret question' thing has always seemed a little strange...
According to research carried out by a team from the University of Edinburgh, one in eighty accounts could be broken into if attackers were given three guesses at the answer to a security question. That figure is even higher than the researchers had initially supposed, which is worrying in itself, and the more closely you look at the research, the worse things get.
According to the BBC, the researchers attempted to work out the answers to these questions for accounts belonging to people they had no prior knowledge of. Essentially, they sat down and rooted through whatever information was available, looking for snippets that might help answer questions about a user. With a couple of hours' research, it apparently becomes much easier to break into an account, though of course the researchers are quick to point out that,
“This assumes there is one account you want to break into and you are willing to spend a couple of hours finding out about this particular person.”
Still, the figure of one in eighty being correct without any prior knowledge is interesting, and a little worrying. As Bonneau, the brains behind the research, is happy to point out, a lot of apparently secure questions aren’t nearly as secure as they might seem. Naming a user’s first teacher might seem like a daunting task, but, he says, “The problem is that there’s a lot of teachers out there named Mrs Smith.”
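The “Mrs Smith” problem is one of answer popularity: an attacker who guesses the most common answers first wins against every account that chose one of them. As an added illustration (not part of the original article or of the Edinburgh study), the Python below measures this the way a service could before offering a question: it normalises answers so spelling variants count as one guess, then computes the share of accounts that fall to three guesses of the most popular answers. The histograms and the 1-in-80 acceptance threshold are constructed for the example.

```python
"""Measure how guessable a security question's answers are from an answer histogram.
The sample histograms below are constructed for illustration, not real data."""
from collections import Counter
from math import log2


def normalise(answer: str) -> str:
    # Collapse case, spacing and punctuation: "Mrs. Smith" and "mrs smith" are one guess.
    return "".join(ch for ch in answer.lower() if ch.isalnum())


def histogram(answers) -> Counter:
    """Tally normalised answers collected for a single question."""
    return Counter(normalise(a) for a in answers)


def guess_success_rate(hist: Counter, guesses: int = 3) -> float:
    """Fraction of accounts opened by `guesses` tries at the most common answers."""
    total = sum(hist.values())
    return sum(count for _, count in hist.most_common(guesses)) / total


def min_entropy_bits(hist: Counter) -> float:
    """Worst-case entropy: only the single most popular answer matters."""
    total = sum(hist.values())
    return -log2(max(hist.values()) / total)


def weak_questions(question_hists: dict, guesses: int = 3, max_rate: float = 1 / 80) -> dict:
    """Return {question: success rate} for questions whose rate exceeds the threshold (assumed policy)."""
    return {q: r for q, h in question_hists.items()
            if (r := guess_success_rate(h, guesses)) > max_rate}


# Constructed sample data: 1,000 answers per question, a few popular answers plus singletons.
TEACHER = Counter({"mrssmith": 12, "mrjones": 8, "mrsbrown": 6})
TEACHER.update({f"teacher{i}": 1 for i in range(974)})  # 974 unique answers
PET = Counter({"max": 3, "bella": 2})
PET.update({f"pet{i}": 1 for i in range(995)})  # 995 unique answers
SAMPLE = {"first teacher": TEACHER, "first pet": PET}

if __name__ == "__main__":
    for q, h in SAMPLE.items():
        print(f"{q}: 3-guess success {guess_success_rate(h):.1%}, "
              f"min-entropy {min_entropy_bits(h):.1f} bits")
    print("flagged:", weak_questions(SAMPLE))
```

Run against real (anonymised) answer tallies, the same check tells you which questions to retire, and the normalisation step is what keeps “Mrs. Smith” and “mrs smith” from being counted as separate, rarer answers.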
It’s an interesting issue, and one that has long been a weak point of web-based services’ security. The real question is how many other options exist that are as easy to use for those who genuinely do forget their password?