This article is over 9 years old and may contain outdated information.
How many times has this happened to you? The hour is late and you find yourself browsing around the internet. You arrive at a user login page for an online marketplace, let's say eBay. You remember your username with ease, but, for the life of you, you can't remember your password. You go through the gamut of security questions like your mother's maiden name and your first pet and, within minutes, voila, your password is reset and you are free to go about your business and conduct e-commerce. Thank goodness for those security questions, right?
The pair were part of a team of researchers who were among the first to delve into the relatively unexplored world of online security questions. It turns out, according to the results of a research paper commissioned by Google, "...secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism."
They found that answers that were easy to remember were, surprisingly, not very secure. Most sites share some very common questions, which makes them easy pickings for hackers.
With a single guess, an attacker would have a 19.7% chance of guessing English-speaking users' answers to the question "What is your favorite food?" (it was "pizza", by the way).
With ten guesses, an attacker would have a nearly 24% chance of guessing Arabic-speaking users' answer to the question "What's your first teacher's name?"
With ten guesses, an attacker would have a 21% chance of guessing Spanish-speaking users' answers to the question, "What is your father's middle name?"
With ten guesses, an attacker would have a 39% chance of guessing Korean-speaking users' answers to the question "What is your city of birth?" and a 43% chance of guessing their favorite food.
On the other side of the coin, more complicated answers were difficult to remember.
40% of our English-speaking US users couldn't recall their secret question answers when they needed to. These same users, meanwhile, could recall reset codes sent to them via SMS text message more than 80% of the time and via email nearly 75% of the time.
Some of the potentially safest questions, "What is your library card number?" and "What is your frequent flyer number?", have only 22% and 9% recall rates, respectively.
For English-speaking users in the US, the easier question, "What is your father's middle name?" had a success rate of 76% while the potentially safer question "What is your first phone number?" had only a 55% success rate.
What can we do to make ourselves more secure? Google says more security questions may not be the answer because people will either pick easy questions or none at all. The good people at Google suggest that all Google users perform a security check to ensure their system is safe. Other than that, maybe pen and paper are still good for a few things, like keeping usernames and passwords secure and out of a hacker's reach.