Now Reading
Security Questions aren’t secure: A Google study finds

Security Questions aren’t secure: A Google study finds

by AshwinMay 25, 2015

We often write articles about Online Security, because of the evolving changes in the web standards.

Most internet users will be familiar with the concept of security questions.

These are secret phrases, used by online services, especially email services, to help users to recover access to an account, in case of forgotten passwords.

Users can choose one such question for their account, and provide their own answer, any answer to it.  The answer can be easy to remember or even totally irrelevant to the question. But just how secure are security questions?

The folks at Google, conducted a research on this. The Mountain View company says it analyzed millions of secret questions, and answers for the questions, for millions of account recovery claims fot its own services. The purpose of the study was to find out if the security questions were hacker-proof. And guess what?

Security questions aren’t secure:

The answer to secret questions are the issue here, which make the account recovery mechanism insecure and unreliable. Answers to security questions are mostly easy to remember ones, or somewhat secure. But it isn’t both in all cases.

Easy answers are insecure:

The answers that are easy to remember aren’t secure. That of course is stating the obvious, because these answers would be too easy to guess. I mean, if the secret answer to What is your favorite food? is Cake or French Fries, it is ridiculous. Anyone can guess it because those are common foods, and also way too obvious and too relevant to the question. Google says that easy answers are usually publicly available or even well known in certain regions, like a Family name.

Allow me to quote Google’s findings here:

  • With a single guess, an attacker would have a 19.7% chance of guessing English-speaking users’ answers to the question “What is your favorite food?” (it was ‘pizza’, by the way)

False answers aren’t smart either:

If you thought that providing a totally irrelevant, aka a false answer to a scurity question, is a smart idea. Not so fast. Apparently many people do this, and end up having identical answers. Even if the answers were secure, these  answers made things tricky.

An example for questions which had false answers is “What is your phone number?”. Google says that these false answers actually increased the chances of accounts being compromised, due to the fact that they were common “false” answers.

Difficult answers don’t solve this issue:

Difficult answers literally make things difficult, because they aren’t easy to remember, thus making the whole recovery mechanism a moot point. It is not easy to remember ridiculous stuff like your old library card number, bank number, etc

Google’s findings say that:

  • Some of the potentially safest questions—”What is your library card number?” and “What is your frequent flyer number?”—have only 22% and 9% recall rates, respectively.
  • For English-speaking users in the US the easier question, “What is your father’s middle name?” had a success rate of 76% while the potentially safer question “What is your first phone number?” had only a 55% success rate.

Multiple Security Questions:

Ok, how about making the account recovery harder, by adding more than one security question? That is a terrible idea. While multiple security questions do decrease the chance of accounts being hacked, they also poses a serious problem. The very thing the account recovery mechanism is used for, “Recovering an account”, becomes harder if the user forgets the answer for one or more questions.

Google recommends its users to run its Security Checkup for their accounts, and that users should use alternate means of authentication to protect their accounts. These include SMS text, secondary email addresses, backup codes.