Security Questions Not So Secure

The Internet knows a lot about you, including your mother’s maiden name, your favorite food, and what street your first pet grew up on. And, according to some new research from Google, attackers have a good chance of figuring those things out pretty easily, too.

The security questions that Google and other companies ask users as part of account-recovery operations are seen by both security experts and users as more of an annoyance than a safeguard. Some of the information in the answers to these questions is relatively easy to find, through social media profiles and other places. And some of it is fairly easy to guess.

Google researchers put together a new paper that illustrates just how easy this process is for attackers, and by extension, the limited value of security questions. For example, Google found that with just one attempt an attacker could guess an English-speaking user’s favorite food 19.7 percent of the time. Within 10 attempts an attacker would have a 43 percent chance of guessing a Korean-speaking user’s favorite food.

Google’s research is based on hundreds of millions of security questions answered by users during the course of millions of account-recovery attempts, and what the researchers found is that questions with easy-to-remember answers aren’t secure and questions with difficult-to-remember answers aren’t useful. The company also discovered that some tactics users employ to make their answers more difficult for attackers to guess aren’t effective.

“Many different users also had identical answers to secret questions that we’d normally expect to be highly secure, such as ‘What’s your phone number?’ or ‘What’s your frequent flyer number?’. We dug into this further and found that 37% of people intentionally provide false answers to their questions thinking this will make them harder to guess. However, this ends up backfiring because people choose the same (false) answers, and actually increase the likelihood that an attacker can break in,” Elie Bursztein, Google’s Anti-Abuse Research Lead, and Ilan Caron, software engineer, wrote in an analysis of the data the research produced.

The company’s research also revealed that 40 percent of English-speaking users couldn’t remember their secret question’s answer when they needed to. People aren’t great at this kind of thing, and adding more complexity to the process only makes things worse.

“According to our data, the ‘easiest’ question and answer is ‘What city were you born in?’—users recall this answer more than 79% of the time. The second easiest example is ‘What is your father’s middle name?’, remembered by users 74% of the time. If an attacker had ten guesses, they’d have a 6.9% and 14.6% chance of guessing correct answers for these questions, respectively,” the Google analysis says.

“But, when users had to answer both together, the spread between the security and usability of secret questions becomes increasingly stark. The probability that an attacker could get both answers in ten guesses is 1%, but users will recall both answers only 59% of the time. Piling on more secret questions makes it more difficult for users to recover their accounts and is not a good solution, as a result.”
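The arithmetic behind the figures quoted above is worth making explicit, because it generalises: an attacker who knows the answer distribution tries the most common answers first, so the chance of success within k guesses is simply the mass of the top k answers; two independent questions multiply both the attacker's odds and the user's recall odds. The following Python is an added example written for this page, not code from the Google study; the favourite-food answers and the 37 percent fake-answer fraction applied to them are constructed sample data, while the 6.9%/14.6% and 79%/74% inputs are the per-question figures quoted in the article.

```python
from collections import Counter
from math import prod
from typing import Iterable, Mapping, Sequence

# Constructed sample: favourite-food answers from 50 hypothetical users.
# Not real data; chosen so that 20% of users share the most common answer
# and half of them give a unique answer nobody else picked.
SAMPLE_FOOD_ANSWERS = (
    ["pizza"] * 10 + ["Sushi "] * 6 + ["tacos"] * 4 + ["curry"] * 3
    + ["ramen"] * 2 + [f"dish-{i}" for i in range(25)]
)


def answer_distribution(answers: Iterable[str]) -> dict[str, float]:
    """Turn raw answers into a probability distribution.

    Answers are normalised (trimmed, lower-cased) the way a recovery form
    would compare them, so 'Sushi ' and 'sushi' count as the same answer.
    """
    counts = Counter(a.strip().lower() for a in answers)
    total = sum(counts.values())
    return {answer: n / total for answer, n in counts.items()}


def guess_success(dist: Mapping[str, float], attempts: int) -> float:
    """Probability that an attacker guesses the answer within `attempts`.

    The optimal strategy is to try answers in descending order of
    popularity, so the success probability is the mass of the top-k answers.
    """
    ranked = sorted(dist.values(), reverse=True)
    return sum(ranked[:attempts])


def with_fake_answers(dist: Mapping[str, float], fraction: float,
                      fake: str) -> dict[str, float]:
    """Model users who substitute a 'fake' answer, as the study observed.

    A `fraction` of users abandon their true answer and all pick the same
    fake value. The true answers keep their relative proportions; the fake
    value collects the diverted mass, which makes it the best first guess.
    """
    mixed = {answer: p * (1.0 - fraction) for answer, p in dist.items()}
    mixed[fake] = mixed.get(fake, 0.0) + fraction
    return mixed


def combined(rates: Sequence[float]) -> float:
    """Joint probability of independent per-question events.

    Used for both sides of the trade-off: the attacker must get every
    answer right, and the user must remember every answer.
    """
    return prod(rates)


if __name__ == "__main__":
    food = answer_distribution(SAMPLE_FOOD_ANSWERS)
    print("1 guess :", guess_success(food, 1))    # 0.2
    print("10 guess:", guess_success(food, 10))   # 0.6
    faked = with_fake_answers(food, 0.37, "none of your business")
    print("1 guess after fake answers:", guess_success(faked, 1))  # 0.37
    # Article's per-question figures: attacker@10 and user recall.
    print("attacker gets both:", combined([0.069, 0.146]))  # ~0.010
    print("user recalls both :", combined([0.79, 0.74]))    # ~0.585
```

Running the script shows the two effects the article describes: once 37 percent of users converge on the same fake answer, a single guess succeeds 37 percent of the time instead of 20 percent, and combining the two "easiest" questions cuts the attacker's ten-guess odds to about 1 percent while cutting successful user recall to about 59 percent.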

Some Web services are moving to the use of one-time codes sent via text as a part of the account-recovery process, which is a smoother and easier method.

  • tipastar on

    "Some web services are moving to the use of one-time codes sent via text..." That's great to know once your phone is stolen. And that's just a delivery mechanism. It doesn't validate a person. People need to just commit their favorite PIN to memory. 5 digits...easy breezy.
  • Richard on

    A 5-digit PIN will work. But only if you don't use the same PIN for more than one service - otherwise the breach of one service (either by attacking the service, or by a MIM attack on your login) will compromise all the others. Also, using the same PIN on more services allows attackers more guesses across those services. But for most users, there will be no more than, say, 100 services. 100 PINs times 5 digits. Easy breezy, just like remembering pi to 500 digits. Many people can do that - well, at least some.
    • Tipastar on

      "100 services"... If you have 100 services that serve up critical information to your well being...PII data, HIPAA, Tax, Financial, etc....then you could probably hire someone to remember a PIN for you. You protect the critical and most sensitive stuff. The point is, I agree questions are redonkulous. PIN numbers are not your passwords. Most attacks seek out your password. Your PIN is the one thing you know that validates who you a question. The difference is that you can't socially engineer a PIN as easily as your Mom's maiden name. The key is, the delivery of your password reset after verifying your PIN, goes to a location (cell phone or mailbox) that does not have the same PIN. So even if you stole someone's PIN for all 100 services, it would serve useless in the entire transaction if you can't get to the reset link. One PIN....still easy!!!
  • Justin Spratt on

    The solution to mitigate these terrible "security questions" is simple even if it isn't obvious to most people: use a bunch of randomly generated characters and store your answers in a password management solution with 2- or 3-factor auth. Store those answers like this: What is your mother's maiden name? X7d-)*8d11d!!Bq%@>?/[Aa When you forget your password (which you won't, because it's also stored in your vault), the recovery is dead simple: just copy and paste your secret answer. Tipstar: the reset link is often something like so that people who lose access to their email can still reset their password. Using one single PIN is security madness.
