Who’s your favorite superhero?
No matter which name you choose, bad guys have a decent shot at correctly guessing it due to the limited number of possible answers, according to a new study.
That fact illustrates a major problem with the security questions often used by online services to help users recover passwords: The answers to such questions are either memorable or secure, but rarely both.
The study — titled “Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google” — was recently presented at the 24th International World Wide Web Conference.
It was authored by four Google researchers and Joseph Bonneau, a researcher at Stanford University’s Applied Crypto Group and a technology fellow at the nonprofit Electronic Frontier Foundation.
The study is based on the use of security questions at Google. Google anti-abuse researcher Elie Bursztein and Google software engineer Ilan Caron, two of the report authors, explain on Google’s Online Security Blog:
Despite the prevalence of security questions, their safety and effectiveness have rarely been studied in depth… We analyzed hundreds of millions of secret questions and answers that had been used for millions of account recovery claims at Google. We then worked to measure the likelihood that hackers could guess the answers.
The core problem with security questions, Bursztein and Caron write, is that they are rarely both secure and easy to remember.
Past studies cited by Google have found weaknesses in questions with:
- Common answers. One study found that about 10 percent of answers could be guessed using a list of other answers provided by users in the same study.
- Few plausible answers. Asking for your favorite superhero is one example.
- Publicly available answers. Such answers are routinely listed publicly in online social-networking profiles or public records. For example, one study found that at least 30 percent of Texas residents’ mothers’ maiden names can be deduced from birth and marriage records.
- Answers that can be obtained through email phishing. In one study, researchers used email phishing to learn answers to personal-knowledge questions from 92 percent of users.
- Answers that acquaintances can easily guess. One laboratory study found that acquaintances could correctly guess 17 percent of answers within fewer than a half-dozen attempts.
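The "likelihood that hackers could guess the answers" mentioned in the blog quote above is usually measured by ordering answers by popularity and asking how many accounts fall within a small guess budget. The following is an added example, not code from the study or from Google: it builds a popularity-ordered guess list from one constructed set of superhero answers and scores it against a second constructed holdout set, reporting the share of holdout accounts whose answer appears within k guesses (the lockout threshold a recovery system might enforce). All answer data is made up.

```python
from collections import Counter

# Constructed sample answers to "Who's your favorite superhero?" -- not data
# from the Google study. Counts are invented to show a skewed distribution.
TRAINING_ANSWERS = (
    ["batman"] * 30 + ["superman"] * 25 + ["spider-man"] * 15 + ["wolverine"] * 8
    + ["iron man"] * 7 + ["hulk"] * 5 + ["thor"] * 4 + ["storm"] * 3
    + ["zatanna", "booster gold", "squirrel girl"]
)

# Constructed holdout answers, standing in for accounts the guess list was not
# built from; the distribution roughly mirrors the training set.
HOLDOUT_ANSWERS = (
    ["batman"] * 28 + ["superman"] * 27 + ["spider-man"] * 14 + ["wolverine"] * 9
    + ["iron man"] * 6 + ["hulk"] * 6 + ["thor"] * 3 + ["storm"] * 2
    + ["moon knight", "blue beetle", "jessica jones", "elektra", "ant-man"]
)


def normalize(answer):
    """Fold case and whitespace, as a recovery system comparing answers would."""
    return " ".join(answer.lower().split())


def build_guess_list(answers):
    """Most popular answers first: the order a guess-by-popularity attack uses."""
    counts = Counter(normalize(a) for a in answers)
    return [answer for answer, _ in counts.most_common()]


def guess_success_rate(guess_list, targets, attempts):
    """Fraction of target accounts whose answer is among the first `attempts`
    guesses, i.e. recovered before a lockout after that many failures."""
    allowed = set(guess_list[:attempts])
    hits = sum(1 for t in targets if normalize(t) in allowed)
    return hits / len(targets)


def partial_guessing_curve(train, holdout, max_attempts):
    """Success rate for every guess budget from 1 to max_attempts."""
    guesses = build_guess_list(train)
    return [guess_success_rate(guesses, holdout, k) for k in range(1, max_attempts + 1)]


if __name__ == "__main__":
    curve = partial_guessing_curve(TRAINING_ANSWERS, HOLDOUT_ANSWERS, 5)
    for k, rate in enumerate(curve, 1):
        print(f"{k} guess(es): {rate:.0%} of holdout accounts recoverable")
```

With the constructed data, a single guess already covers more than a quarter of the holdout accounts and five guesses cover most of them; the same measurement run over a question like "first phone number" would show a far flatter curve, which is the memorability-versus-security trade-off the article describes.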
How can companies ask questions that are both more secure and easier for consumers to remember? The Google researchers don’t offer a lot of hope.
They note that the most potentially secure questions are also those with the worst memorability — for example, asking for your first-ever phone number.
They sum up their findings as follows:
We conclude that it appears next to impossible to find secret questions that are both secure and memorable. Secret questions continue to have some use when combined with other signals, but they should not be used alone and best practice should favor more reliable alternatives.
SMS-based password recovery and email-based recovery are examples of alternatives that are better than security questions, according to the researchers.
If you have trouble remembering your passwords, check out “5 Password Managers To Keep All Your Secrets Safe.”