When setting up a new online account, you’re typically asked to answer a few secret security questions to better secure your account. That way, if you misplace your password, you have a second way to prove your identity by answering a question about your favorite meal or by entering your mother’s maiden name. This means many accounts can be reset knowing simple facts about your life – facts that are easy for some criminals to research online.
But don’t just take my word for it – a new research paper written and presented by Google’s Elie Bursztein and Ilan Caron shows just how insecure these security questions can be. They looked through hundreds of millions of secret questions and the answers that had been used, and then calculated the likelihood that a hacker could guess the answer. Their conclusion: “Secret questions are neither secure nor reliable enough to be used as a stand-alone account recovery mechanism. That’s because they both suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember – but rarely both.”
To illustrate the point, the researchers highlighted a couple of common security questions, and the common answers given for them. They found that a hacker has a 19.7 percent chance of guessing your favorite food is “pizza,” for example. Other questions are easy to answer knowing the ethnicity of the account holder: An attacker has a 43 percent chance of guessing a Korean speaker’s favorite food, and a 21 percent chance of guessing a Spanish speaker’s father’s middle name (both within 10 tries).
Further, the researchers pointed out that some of the most secure questions available are the ones with the worst recall rates. Very few criminals will be able to guess your library card or frequent flyer numbers, but those numbers are successfully recalled by only 22 percent and 9 percent, respectively, of the people who try to use them to reset their accounts. By comparison, 55 percent of people were able to recall their first phone number, and 76 percent could successfully recall their father’s middle name.
Here at Techlicious, we recommend lying when you set up your password security questions, to help protect against research-based attacks. According to Bursztein and Caron’s research, 37 percent of people currently do this. They do warn that the tactic needs care, however: many people wind up choosing the same false answers, making it easier for crooks to guess their way in.
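The two numbers the research weighs against each other, how often an attacker succeeds within a fixed number of guesses and how often legitimate users recall their own answer, can be measured on any set of recovery answers a site has collected. The following Python is an added example, not code from the article or from the Google paper; the answer sample is constructed for the illustration, the recall rate is taken from the page's father's-middle-name figure, and the acceptance thresholds in `assess_question` are assumptions chosen to show the trade-off, not values from the study. It also shows why the "lie" advice needs care: a popular fake answer simply becomes one more entry in the attacker's top-10 list.

```python
from collections import Counter
from typing import Iterable

# Constructed sample of free-text answers to a "favorite food" question.
# The values and their frequencies are invented for this illustration and are
# not data from the Google study. Note the mixed-case "Pizza" and the
# "password" entries: the latter stands in for a lazy fake answer.
SAMPLE_ANSWERS = (
    ["pizza"] * 20 + ["pasta"] * 8 + ["sushi"] * 6 + ["tacos"] * 5
    + ["chocolate"] * 4 + ["steak"] * 3 + ["curry"] * 3 + ["ramen"] * 2
    + ["Pizza"] * 2 + ["pho"] + ["kimchi"] + ["falafel"] + ["lasagna"]
    + ["password"] * 3
)


def normalize(answer: str) -> str:
    """Case-fold and collapse whitespace, as a recovery form would before
    comparing; guessability has to be measured on the normalized form."""
    return " ".join(answer.strip().lower().split())


def guess_success_rate(answers: Iterable[str], guesses: int) -> float:
    """Fraction of accounts an attacker who knows the answer distribution
    unlocks within `guesses` attempts: the probability mass of the most
    common normalized answers. This is the metric the page quotes
    (e.g. 19.7 percent for "pizza" with a single guess)."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    top = counts.most_common(guesses)
    return sum(c for _, c in top) / total


def assess_question(name: str, answers: Iterable[str], recall_rate: float,
                    guesses: int = 10, max_guess_rate: float = 0.01,
                    min_recall: float = 0.90) -> dict:
    """Score one question on both axes and decide whether it could stand
    alone as a recovery factor. The thresholds (1 percent attacker success
    within 10 guesses, 90 percent recall) are assumptions for this example."""
    answers = list(answers)
    rate = guess_success_rate(answers, guesses)
    return {
        "question": name,
        "guess_rate": rate,
        "recall_rate": recall_rate,
        "secure_enough": rate <= max_guess_rate,
        "memorable_enough": recall_rate >= min_recall,
        # Stand-alone use would require passing on BOTH axes.
        "suitable_standalone": rate <= max_guess_rate and recall_rate >= min_recall,
    }


def main() -> None:
    for k in (1, 3, 10):
        print(f"attacker success within {k:2d} guess(es): "
              f"{guess_success_rate(SAMPLE_ANSWERS, k):.1%}")
    # 0.76 is the father's-middle-name recall rate quoted on the page, used
    # here only as a plausible recall figure for a popular-answer question.
    verdict = assess_question("favorite food", SAMPLE_ANSWERS, recall_rate=0.76)
    print(verdict)


if __name__ == "__main__":
    main()
```

Running the block prints the attacker's success rate for 1, 3 and 10 guesses over the constructed sample and the verdict dictionary. With these numbers one guess already covers more than a third of accounts, and ten guesses cover 95 percent, including everyone who "lied" with the same fake answer; the question fails the security axis regardless of how well it is remembered, which is the paper's argument against stand-alone use.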
Want to read more about account security? Check out the 10 worst password ideas as revealed by Google, then check out our tips for creating a strong password. You might also want to consider a password vault program like Dashlane or LastPass that remembers complex-but-secure passwords for you.