Rutgers computer scientists are testing a new tactic that could strengthen online security by making it harder to crack security questions. "We call them activity-based personal questions," said Danfeng Yao, assistant professor of computer science in the Rutgers School of Arts and Sciences.

"Sites could ask you, 'When was the last time you sent an e-mail?' Or, 'What did you do yesterday at noon?'" she added. Yao and her students have been testing how resistant these activity questions are to "attack", computer security lingo for when an intruder answers them correctly and gains access to personal information such as e-mails, or to online shopping or banking.

Early studies suggest that questions about recent activities are easy for legitimate users to answer, but harder for potential intruders to find or guess, according to Yao. "We want the question to be dynamic," she said. "The questions you get today will be different from the ones you would get tomorrow," she added.

Yao said she gave four students in her lab a list of questions about network activities, physical activities and opinions, and then told them to "attack" each other.

"We found that questions related to time are more robust than others. Many guessed the answer to the question, 'Who was the last person you sent e-mail to?' But fewer were able to guess, 'What time did you send your last e-mail?'" she said.

Yao explained that it should not be difficult for an online service provider to formulate these kinds of security questions by looking at its users' e-mail, calendar activities or previous transactions.

Computers would have to use natural language processing tools to synthesise understandable questions and analyse the answers for accuracy. Yao is proposing further studies to determine the practicality of the new approach and the best way to implement it.