Questions which serve as security checks on websites need to be replaced by more complex tests to establish a person’s identity, say researchers.
A study has shown how easy it is to guess the answer to common questions, such as someone’s mother’s maiden name.
It found attackers will be able to break into 1 in 80 accounts if they get three chances to guess the answers to security questions.
“The numbers were worse than we thought,” said Joseph Bonneau, the lead researcher on the study.
Many websites, including those of banks, credit card firms, webmail providers and others, use the supplementary questions when changes are made to an account.
In the case of many internet service providers, they can be used to overwrite an existing password without knowing what it is.
Mr Bonneau, a security researcher at the University of Cambridge, said many of his peers in the field had investigated the security of these questions.
One study by researchers from Microsoft and Carnegie Mellon looked at how easy it was for friends and family members to guess answers to an individual’s security questions. They found that 17 per cent of the answers could be guessed by those who knew a target.
Mr Bonneau also said that the information people use as answers might be widely known. In the US, for instance, marriage and birth records have been kept for a long time and many are viewable online, making it straightforward to find useful data, he said.
“This assumes there is one account you want to break into and you are willing to spend a couple of hours finding out about this particular person,” he said.
Mr Bonneau and his colleagues, Mike Just and Greg Matthews from the University of Edinburgh, investigated how easy it was to stumble on the answer to a question if an attacker knew nothing about any of their potential victims.
“We measured how hard it was to guess answers,” said Mr Bonneau.
They found that an attacker given three chances to try would get an answer right once in every 80 accounts. Most webmail providers allow three attempts to get an answer right before they lock an account for a few hours or a day.
Mr Bonneau and his colleagues reached their conclusion after analysing 270 million pairs of first and last names culled from Facebook.
Many security researchers are now looking into ways to make security questions tougher to guess. Some are considering making people answer three questions before they can reset a password.
“The chance of guessing three things simultaneously is pretty low,” said Mr Bonneau.
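The attack the study measured, and the three-question defence discussed above, can both be worked through with a small model. The code below is an added illustration, not code from the study or from any of the providers mentioned: it uses a constructed, deliberately skewed answer distribution (labelled as such in the code, and not the Facebook name data the researchers analysed) in which the three most common answers happen to cover 1 in 80 of the population. An attacker who knows nothing about any particular victim simply spends the site's lockout budget on the most common answers; the same functions show what changes if a site allows more attempts, or asks three questions at once.

```python
"""Trawling attack against security questions.

Added illustration, not code from the study: the attacker knows nothing about
any individual victim, only the overall distribution of answers, and spends
the site's lockout budget (three tries) on the most common answers.
"""
from collections import Counter
from fractions import Fraction
from itertools import accumulate
from math import prod
import random

# Constructed sample distribution for a "mother's maiden name" question.
# Deliberately skewed so that the three most common answers cover 1/80 of
# the population, mirroring the headline figure; it is NOT the study's data.
SAMPLE_ANSWERS = Counter({
    "smith": 45, "jones": 30, "williams": 25, "brown": 20, "taylor": 15,
    "davies": 10, "wilson": 10, "evans": 10, "thomas": 5, "johnson": 5,
    # long tail: 7825 answers that each appear once, giving 8000 accounts
    **{f"rare{i:04d}": 1 for i in range(7825)},
})


def best_guesses(counts, attempts):
    """The optimal guess list when nothing is known about the victim:
    the `attempts` most common answers, most common first."""
    return [answer for answer, _ in counts.most_common(attempts)]


def trawl_success_probability(counts, attempts):
    """Exact probability that a random account falls to `attempts` guesses,
    i.e. the combined share of the population using the top answers."""
    total = sum(counts.values())
    covered = sum(count for _, count in counts.most_common(attempts))
    return Fraction(covered, total)


def expected_compromised(counts, attempts, n_accounts):
    """Expected number of accounts broken when the attack is run against
    n_accounts, each allowing `attempts` guesses before lockout."""
    return trawl_success_probability(counts, attempts) * n_accounts


def joint_success_probability(per_question):
    """Chance of passing several questions in one go. Multiplying treats the
    answers to different questions as independent, which real answers
    (same family, same region) need not be; it is an approximation."""
    return prod(per_question)


def simulate_trawl(counts, attempts, n_accounts, seed=0):
    """Monte Carlo check of the exact figure: draw each account's true answer
    from the distribution and count how many the fixed guess list hits."""
    rng = random.Random(seed)
    answers, weights = zip(*counts.items())
    cumulative = list(accumulate(weights))
    guesses = set(best_guesses(counts, attempts))
    truths = rng.choices(answers, cum_weights=cumulative, k=n_accounts)
    return sum(truth in guesses for truth in truths)


if __name__ == "__main__":
    p3 = trawl_success_probability(SAMPLE_ANSWERS, 3)
    print("guesses:", best_guesses(SAMPLE_ANSWERS, 3))
    print("per-account success with 3 tries:", p3)  # 1/80
    print("expected hits across 80,000 accounts:",
          expected_compromised(SAMPLE_ANSWERS, 3, 80_000))
    print("simulated hits:", simulate_trawl(SAMPLE_ANSWERS, 3, 80_000))
    print("three independent questions, 3 tries each:",
          joint_success_probability([p3] * 3))
    print("if the site allowed 10 tries:",
          trawl_success_probability(SAMPLE_ANSWERS, 10))
```

Two things the model makes concrete. First, the lockout threshold is the whole defence against this trawling attack: the attacker's success rate is exactly the population share of the top `attempts` answers, so a site that allows ten tries instead of three hands over a proportionally larger slice of its user base. Second, the three-question product only delivers the "pretty low" figure if the questions really are independent; an attacker who knows the victim's region, or who targets one person and reads public records as described earlier in the article, is working from a much more favourable distribution than the population-wide one used here.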
Others, such as Google, were sending reset passwords by text message.
