Tech Made Simple

Hot Topics: How to Fix Bluetooth Problems | The Best Holiday Gifts | Best Fitness Trackers Under $50 | Complete Guide to Facebook Privacy

Top News Stories

author photo

Google: Security Questions Aren't Especially Secure

by on May 22, 2015
in Computer Safety & Support, News, Computers and Software, Blog :: 1 comment

Authentication Failed warningWhen setting up a new online account, you’re typically asked to answer a few secret security questions to better secure your account. That way, if you misplace your password, you have a second way to prove your identity by answering a question about your favorite meal or by entering your mother’s maiden name. This means many accounts can be reset knowing simple facts about your life – facts that are easy for some criminals to research online.

But don’t just take my word for it – a new research paper written and presented by Google’s Elie Bursztein and Ilan Caron shows just how unsecure these security questions can be. They looked through hundreds of millions of secret questions and the answers that had been used, and then calculated the likelihood that a hacker could guess the answer. Their conclusion: “Secret questions are neither secure nor reliable enough to be used as a stand alone account recovery mechanism. That’s because they both suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember – but rarely both.”

To illustrate the point, the researchers highlighted a couple of common security questions, and the common answers given for them. They found that a hacker has a 19.7 percent chance of guessing your favorite food is “pizza,” for example. Other questions are easy to answer knowing the ethnicity of the account holder: An attacker has a 43 percent chance of guessing a Korean speaker’s favorite food, and a 21 percent chance of guessing a Spanish speaker’s father’s middle name (both within 10 tries).

Further, the researchers pointed out that some of the most secure questions available are the ones that have the worst recall rates. Very few criminals will be able to guess your library card or frequent flyer numbers, but are successfully recalled by only 22 percent and 9 percent of those who try to reset their accounts. By comparison, 55 percent of people were able to recall their first phone number, and 76 percent could successfully recall their father’s middle name.

Here at Techlicious, we like recommending that you lie when setting up your password security questions to help protect against research-based attacks. According to Bursztein and Caron’s research, 37 percent of people currently do this. They do warn to be careful with the tactic, however: Many people wind up choosing the same false answers, making it easier for crooks to guess their way in.

Want to read more about account security? Check out the 10 worst password ideas as revealed by Google, then check out our tips for creating a strong password. You might also want to consider a password vault program like Dashlane or LastPass that remembers complex-but-secure passwords for you.

[Authentication failed via Shutterstock]



Discussion loading

gravatar

Google's Current Password Recovery Sucks!

From MNwinterCritter on June 01, 2015 :: 8:11 pm

Eons ago when google first hit the internet I got an account. I have had it so long my username didn’t require any numbers. When I first created my account there were no security questions and I never came across a requirement for existing users to create them. Now if you didn’t give big brother your cell phone you have to answer five pages of questions like the exact date over 10 years ago I created the account, the last five people to email me and other questions that are not relevant to me and how I use the account.

My bad for letting my google wallet and my browser save the password cause when i needed it for my newest tablet I muffed the log on. Now I can’t access applications I have purchased and are in my google wallet. I can’t get at my google docs so my chromebook has become an encore.

By the way it can see my correct alternate email in my reset request but they have greyed out the option to select having a reset email sent to the alternate account I have set up.

How can a company that requires a gmail account and password for it’s google play not support a password reset. That’s how google play lost me to Amazon. At least they support their products.

Reply

© 2015 Techlicious LLC. Home | About | Meet the Team | Sponsorship Opportunities | Newsletter Archive | Contact Us | Terms of Use | Privacy Policy

site design: Juxtaprose