Security questions that allow web users to access online accounts if they forget their passwords can easily be answered by hackers willing to spend time surfing the web, say researchers at the University of Cambridge.
A study conducted by the university found that hackers can successfully access one in 80 accounts if given three attempts to provide answers such as the maiden name of the web user.
Joseph Bonneau from the University of Cambridge, told the BBC: "We measured how hard it was to guess answers. The numbers were worse than we thought."
Bonneau suggested many of the answers to the popular security questions could be found online using social networking sites.
"This assumes there is one account you want to break into and you are willing to spend a couple of hours finding out about this particular person."
Bonneau said more complex security questions were needed, or in some cases, web users should be required to submit answers to three questions to access an account.
"The chance of guessing three things simultaneously is pretty low."
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.