
IT Life
01:10 PM

Google: Your Password Security Questions Are Terrible

You might want to think twice about using an easy-to-remember security question for your protected accounts, according to a Google study.


Despite the widespread popularity of security questions as an added layer of password-based security, a study by Google suggests secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism.

The findings suggest users' answers are either somewhat secure or easy to remember, but rarely both.

With a single guess, an attacker would have a nearly 20% chance of guessing English-speaking users' answers to the question, "What is your favorite food?" That turns out to be pizza, naturally.

(Image: D3Damon/iStockphoto)


"Secret questions have long been a staple of authentication and account recovery online," Elie Bursztein, Google's anti-abuse research lead, and Ilan Caron, a Google software engineer, wrote on the company's Online Security blog. "But, given these findings it's important for users and site owners to think twice about these."

In addition, 40% of Google's English-speaking US users couldn't recall their secret-question answers when they needed to.

These same users, meanwhile, could recall reset codes sent to them through SMS text messages more than 80% of the time and through email nearly 75% of the time.

A user's father's middle name and the city where the user was born are among the most popular security questions on offer; they would give an attacker a 6.9% and a 14.6% chance, respectively, of guessing the answer within 10 tries.

The problem is a worldwide issue: The study found, for instance, an attacker would have a 39% chance of guessing Korean-speaking users' answers to the question, "What is your city of birth?" and a 43% chance of guessing their favorite food.

Attackers would also have a good chance of guessing answers in Arabic- and Spanish-speaking countries.

(Image: Google)


The convenience of an easy-to-remember answer dilutes the effectiveness of the concept, and harder questions have found little traction among users.

The report noted that some of the potentially safest questions, such as a library card number or a frequent flyer number, have recall rates of only 22% and 9%, respectively.

Bursztein and Caron strongly encourage Google users to make sure their Google account recovery information is current, which can be done using the company's Security Checkup feature.

"For years, we've only used security questions for account recovery as a last resort when SMS text or back-up email addresses don't work and we will never use these as stand-alone proof of account ownership," the post noted.


Google suggests that site owners should use other methods of authentication, such as backup codes sent through SMS text or secondary email addresses to authenticate their users and help them regain access to their accounts. These methods, it says, are safer and offer a better user experience.
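The study's numbers above (a 20% hit with one guess, 6.9% or 14.6% within 10 tries) are all the same metric: the share of users whose answer falls among an attacker's k most popular guesses. The following added example, which is not code from Google, the study or InformationWeek, computes that metric over a constructed answer sample, reports how many guesses reach a given success rate, and contrasts it with a uniformly random recovery code of the kind the article recommends. The sample answers, the alphabet and the policy threshold are assumptions chosen for illustration.

```python
import secrets
from collections import Counter

# Constructed sample of answers to "What is your favorite food?" (not Google's data):
# one dominant answer, a few common ones and a long tail of unique answers.
SAMPLE_ANSWERS = (
    ["Pizza"] * 20 + ["pasta"] * 8 + ["sushi"] * 6 + ["tacos"] * 5
    + ["steak"] * 4 + ["burger"] * 4 + ["curry"] * 3
    + [f"dish{i}" for i in range(50)]
)

# Assumed alphabet without look-alike characters (0/O, 1/I) for codes a user types back.
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def normalize(answer: str) -> str:
    """Fold case and whitespace the way a recovery form usually does before comparing,
    so "Pizza", "pizza " and "PIZZA" count as the same guessable answer."""
    return " ".join(answer.lower().split())


def guess_success_rate(answers, tries: int) -> float:
    """Probability that an attacker who submits the `tries` most common answers, in
    order, hits a randomly chosen user's answer (the metric the study reports)."""
    if tries < 1:
        return 0.0
    counts = Counter(normalize(a) for a in answers)
    covered = sum(count for _, count in counts.most_common(tries))
    return covered / len(answers)


def tries_for_rate(answers, target: float) -> int:
    """Smallest number of ordered popularity guesses that reaches the target rate."""
    counts = Counter(normalize(a) for a in answers)
    covered = 0
    for n, (_, count) in enumerate(counts.most_common(), start=1):
        covered += count
        if covered / len(answers) >= target:
            return n
    return len(counts)


def code_guess_success_rate(length: int, alphabet: str, tries: int) -> float:
    """Same metric for a uniformly random code: each guess eliminates one of
    len(alphabet)**length equally likely values, so the best attacker gets tries/space."""
    space = len(alphabet) ** length
    return min(1.0, max(0, tries) / space)


def make_recovery_code(length: int = 8, alphabet: str = CODE_ALPHABET) -> str:
    """Generate a one-time recovery code from the OS CSPRNG (never random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def acceptable_for_recovery(answers, tries: int, max_rate: float) -> bool:
    """Policy check (assumed threshold): reject a question whose guessability within
    the lockout budget of `tries` attempts exceeds max_rate."""
    return guess_success_rate(answers, tries) <= max_rate


if __name__ == "__main__":
    for tries in (1, 10):
        rate = guess_success_rate(SAMPLE_ANSWERS, tries)
        print(f"favorite food, {tries} tries: {rate:.1%}")
    print("guesses needed to reach 50%:", tries_for_rate(SAMPLE_ANSWERS, 0.5))
    print(f"8-char random code, 10 tries: {code_guess_success_rate(8, CODE_ALPHABET, 10):.2e}")
    print("acceptable at 1% within 10 tries:", acceptable_for_recovery(SAMPLE_ANSWERS, 10, 0.01))
    print("example recovery code:", make_recovery_code())
```

The normalization step matters: a site that compares answers case-insensitively has to measure guessability on the normalized values, or it will understate the attacker's odds. The code comparison also shows why rate limiting alone does not rescue a popular-answer question: ten attempts against the sample reach 53%, while ten attempts against an 8-character random code reach about one in a hundred billion.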

Roughly a year after the discovery of the Heartbleed security bug, which affected more than 500,000 websites and dominated national news for weeks, a survey of 2,000 American adults indicated that public awareness and knowledge of online privacy, security, and protection was still lower than it should be.


Nathan Eddy is a freelance writer for InformationWeek. He has written for Popular Mechanics, Sales & Marketing Management Magazine, FierceMarkets, and CRN, among others. In 2012 he made his first documentary film, The Absent Column. He currently lives in Berlin.
