Those secret security answers may not be so secure
Most people think those annoying online security questions that ask for your mother's maiden name or the name of your first pet at least offer an extra layer of security. Think again.
Researchers analyzed hundreds of millions of secret questions and answers that had been used for account recovery claims at Google. They then measured the likelihood that hackers could guess the answers.
In a paper presented at the WWW2015 World Wide Web conference, the researchers from Google and Stanford University found most security questions are not all that secure.
"Our findings ... led us to conclude that secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism," Elie Bursztein and Ilan Caron, both Google researchers and co-authors on the paper, wrote in a blog post.
"That's because they suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember -- but rarely both," they wrote.
The study found many security questions either have common answers, have answers that could easily be found in online social network profiles, or feature a question -- like "Who is your favorite superhero?" -- with too few possible answers.
The end result is that it isn't too hard for a hacker to guess our answers. Examples given in the paper include:
- With a single guess, an attacker would have a 19.7 percent chance of guessing English-speaking users' answer to the question, "What is your favorite food?" (It's "pizza," by the way) .
- With 10 guesses, an attacker would have a nearly 24 percent chance of guessing Arabic-speaking users' answer to the question, "What's your first teacher's name?"
- With 10 guesses, an attacker would have a 21 percent chance of guessing Spanish-speaking users' answers to the question, "What is your father's middle name?"
- With 10 guesses, an attacker would have a 39 percent chance of guessing Korean-speaking users' answers to the question, "What is your city of birth?" and a 43 percent chance of guessing their favorite food.
But making the questions harder to answer also poses problems.
The study found that users often can't remember the answers to their questions -- 40 percent of English-speaking users draw a blank. Making the questions and answers more obscure would likely mean even more people would forget them.
A question that was easier to remember, such as "What is your father's middle name?" had a recall rate of 76 percent, compared to a harder one like "What was your first phone number?" which was remembered only 55 percent of the time. Even more challenging was "What is your frequent flyer number?" with the dismal recall rate of 9 percent.
"Comparing question strength and memorability reveals that the questions that are potentially the most secure (e.g. what is your first phone number) are also the ones with the worst memorability," the researchers wrote. "We conclude that it appears next to impossible to find secret questions that are both secure and memorable."
Another potential solution -- adding another secret question -- also has its drawbacks. The researchers found that recollection rates drop significantly with the additional question.
According to the data, two of the easiest questions for users to remember were "What city were you born in?" and "What is your father's middle name?" with three-quarters or more recalling them correctly. If an attacker had 10 guesses, they'd have a 6.9 percent and 14.6 percent chance of guessing correct answers for these questions, respectively. Taken together, the chances of an attacker getting both answers correct was reduced to just 1 percent. But that also made it more difficult for users, who only recalled both answers 59 percent of the time.
In the end, the researchers said their findings serve to reinforce the idea that secret questions should never be used alone and that other methods might be a better option to keep accounts safe.
"Site owners should use other methods of authentication, such as backup codes sent via SMS text or secondary email addresses, to authenticate their users and help them regain access to their accounts," the researchers wrote. "These are both safer, and offer a better user experience."