How many times has this happened to you? The hour is late and you find yourself browsing around the internet. You arrive at a user login page for an online marketplace, let’s say eBay. You remember your username with ease, but, for the life of you, you can’t remember your password. You go through the gamut of security questions like your mother’s maiden name and your first pet and,within minutes, voila, your password is reset and you a free to go about your business and conduct e-commerce. Thank goodness for those security questions, right?
Wrong. At least according to Elie Bursztein and Ilan Caron at Google’s Online Security Blog.
The pair were part of a team of researchers who were among the first to delve into the relatively unexplored world of online security questions. It turns out, according to the results of a research paper commissioned by Google, “…secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism.”
They found that answers that were easy to remember were, surprisingly, not very secure. Most sites share some very common questions, which make them easy pickings for hackers.
With a single guess, an attacker would have a 19.7% chance of guessing English-speaking users’ answers to the question “What is your favorite food?” (it was ‘pizza’, by the way)
With ten guesses, an attacker would have a nearly 24% chance of guessing Arabic-speaking users’ answer to the question “What’s your first teacher’s name?”
With ten guesses, an attacker would have a 21% chance of guessing Spanish-speaking users’ answers to the question, “What is your father’s middle name?”
With ten guesses, an attacker would have a 39% chance of guessing Korean-speaking users’ answers to the question “What is your city of birth?” and a 43% chance of guessing their favorite food.
On the other side of the coin, more complicated answers were difficult to remember.
40% of our English-speaking US users couldn’t recall their secret question answers when they needed to. These same users, meanwhile, could recall reset codes sent to them via SMS text message more than 80% of the time and via email nearly 75% of the time.
Some of the potentially safest questions—“What is your library card number?” and “What is your frequent flyer number?”—have only 22% and 9% recall rates, respectively.
For English-speaking users in the US the easier question, “What is your father’s middle name?” had a success rate of 76% while the potentially safer question “What is your first phone number?” had only a 55% success rate.
What can we do to make ourselves more secure? Google says more security questions may not be the answer because people will either pick easy questions or none at all. The good people at Google suggest that all Google users perform a security check to ensure their system is safe. Other that that, maybe pen and paper are still good for a few things, like keeping usernames and passwords secure and out of a hacker’s reach.