Security Questions are the Worst Kind of Password Recovery
Security questions are meant to be easier to remember than passwords: the question itself is a clue, and the answer is usually drawn from your personal life. The idea that they are a safe form of password recovery rests on the assumption that you, and only you, know such intimate details. However, a 2015 research report from Google ("Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google") suggests that personal-knowledge questions used for password recovery are, in fact, pretty terrible at doing their job, both in terms of memorability and security.
Why security questions aren’t the answer
- We aren’t as unique as we think. Common answers pose a real security risk: with a single guess, an attacker has a 1 in 5 chance of getting your favorite food right. The attacker does not need Google's data to do this, either. Google showed that the real distribution of answers can be reconstructed cheaply by crowdsourcing responses to the same questions from online users, after which the attacker simply tries the most popular answers first.
- We don’t like to tell the truth. Even though we’re happy to overshare on Facebook, we seem to have a natural aversion to revealing private details in answers to personal security questions. We then either pick a more generic answer that is easier to guess, such as pizza for favorite food, or we pick a made-up one and our chance of remembering it plummets.
- We have trouble remembering the best answers. The more secure the question, the harder the answer is to remember. As with passwords, long strings of digits and letters make the hardest-to-guess answers, but they are also the hardest to recall: the prompt for a library card number had only 22% recall, and the worst, frequent flyer number, a mere 9%.
- We change our minds. Recall of even the simple, general answers, like favorite food, decays over time. Google found that users remembered their favorite-food answer 74% of the time after a month, 53% after three months, and only 47% after a year.
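The "1 in 5" figure above is really a statement about an answer distribution: an attacker who knows roughly how often each answer occurs simply guesses the most popular ones first. The following is an added example, written for this article rather than taken from Google's report, that works that attack through. The answer shares in the table are constructed (only the 20% head matches the article's figure), and the long tail is modelled as ten thousand equally likely rare answers; that modelling choice is an assumption and barely affects the first few guesses. For comparison it runs the same attack against a secret chosen uniformly at random, which is what a recovery code or PIN gives you:

```python
from math import log2

# Constructed answer distribution for "What is your favorite food?".
# These shares are made up for illustration; they are NOT Google's data.
# The only figure taken from the article is the 1-in-5 head (pizza = 20%).
TAIL_LABEL = "<long tail>"
FAVORITE_FOOD = {
    "pizza": 0.20, "sushi": 0.08, "pasta": 0.07, "tacos": 0.06, "steak": 0.05,
    "chicken": 0.04, "chocolate": 0.04, "ice cream": 0.03, "burgers": 0.03,
    TAIL_LABEL: 0.40,  # assumed to be spread thinly over many rare answers
}


def expand_distribution(dist, tail_label=TAIL_LABEL, tail_size=10_000):
    """Turn the table into per-answer probabilities, most common first.

    The long tail is modelled as tail_size equally likely rare answers (an
    assumption); it only matters once the attacker is past the popular ones.
    """
    probs = [p for answer, p in dist.items() if answer != tail_label]
    tail = dist.get(tail_label, 0.0)
    if tail:
        probs.extend([tail / tail_size] * tail_size)
    return sorted(probs, reverse=True)


def attacker_success(probs, guesses):
    """Chance an attacker who knows the distribution succeeds within `guesses`.

    An optimal attacker tries answers in descending order of popularity, so
    the success probability is the cumulative mass of the top-k answers.
    """
    return sum(probs[:guesses])


def min_entropy_bits(probs):
    """Min-entropy, i.e. how many bits one guess is really up against."""
    return -log2(max(probs))


def uniform_success(n_answers, guesses):
    """The same attack against a secret chosen uniformly from n_answers values."""
    return min(guesses, n_answers) / n_answers


def expected_compromises(probs, guesses, n_accounts):
    """Accounts an attacker expects to open by trying the top-k answers on each."""
    return n_accounts * attacker_success(probs, guesses)


if __name__ == "__main__":
    food = expand_distribution(FAVORITE_FOOD)
    for k in (1, 3, 10):
        print(f"{k:>2} guesses: favorite food {attacker_success(food, k):.1%}, "
              f"4-digit PIN {uniform_success(10_000, k):.2%}")
    pin = [1 / 10_000] * 10_000
    print(f"min-entropy: food {min_entropy_bits(food):.1f} bits, PIN {min_entropy_bits(pin):.1f} bits")
    print(f"3 guesses against 1,000,000 accounts: ~{expected_compromises(food, 3, 1_000_000):,.0f} compromised")
```

The point the numbers make is that a lockout after three wrong attempts, which stops a PIN attack cold, still lets the favorite-food attacker into about a third of accounts; the question has roughly two bits of real entropy no matter how many answers exist in principle.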
Security questions: Threats
There are many security weaknesses in recovery questions that ask for personal information, but online social sharing of those details is one of the most serious. Even if you are careful about what you reveal online, the report found that attackers can glean the same details from friends and family members who may not be so protective.
And social media is not the only source cybercriminals turn to. In a 2009 study that Google references, researchers obtained the answers to security questions from 92% of the users they tested by email phishing. Then there are public records, such as birth and marriage records, which are increasingly digitized and reveal a great deal of the information people use as security-question answers.
New and improved account recovery
In the report, Google notes that it prefers SMS codes sent to a mobile phone, or email, for account recovery. At SpeedyPassword, we use something different: a Recovery Image.
Here is how our Recovery Image works. We do not store any unencrypted user information on our servers. (Learn more in our video.) When you set up a Recovery Image, a hash of the image, a fixed-length fingerprint computed from the file, is generated and stored on our server as the image’s “key”. The actual recovery information is stored on the device you log in to SpeedyPassword from, so you can only recover your password using a device you have physically logged in on before. To recover, you select the exact Recovery Image file on that computer or device; if it matches the stored key, the key is used to recover your Master Password. The hash works only one way, from your computer to our server: it can be checked against the image, but the image cannot be reconstructed from it, so nothing stored on our servers reveals the original. And since you upload the image yourself, it can be completely unique to you and the device you keep it on. Two practical notes follow from this design: the file must match byte for byte, so a resized, re-saved or re-compressed copy of the image will not work, and you should treat the image file like a key, because it is one of the two things (together with a device you have used before) needed to recover your Master Password.
We do recommend that you securely back up the image so that you can use it if you forget your Master Password. And since you only need to remember one password when you use a password manager, that should make things a whole lot easier!
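The flow described above, as an added illustration written for this article and not SpeedyPassword's own code. The post does not say which hash or cipher the product uses, so the choices here are assumptions: PBKDF2 to stretch the image bytes into a key, an HMAC-derived one-way verifier as the server-side "key", and an HMAC-based encrypt-then-MAC wrap for the recovery information kept on the device. The image bytes are constructed stand-ins for an uploaded file. The example shows the two properties the description relies on: the server record alone reveals neither the image nor the password, and a copy of the image that differs by even one byte fails to recover anything.

```python
"""Illustrative recovery-image flow, standard library only.

Assumed design (not SpeedyPassword's actual implementation):
  * the image file is a possession factor; a key is stretched from its bytes
  * the server keeps only a salt and a one-way verifier of that key
  * the device keeps the Master Password wrapped (encrypted + MACed) under the key
Recovery needs the exact image AND the device record; the server record alone
reveals neither the image nor the password.
"""
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # PBKDF2 cost; raise it for real deployments


def derive_key(image_bytes: bytes, salt: bytes) -> bytes:
    """Stretch the raw image bytes into a 32-byte key (any byte change -> different key)."""
    return hashlib.pbkdf2_hmac("sha256", image_bytes, salt, KDF_ITERATIONS, dklen=32)


def _subkey(key: bytes, label: bytes) -> bytes:
    """Domain-separated subkeys so the verifier, wrap key and MAC key are independent."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(wrap_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (integrity comes from the MAC)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(wrap_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enroll(image_bytes: bytes, master_password: str):
    """Register an image. Returns (server_record, device_record)."""
    salt = os.urandom(16)
    key = derive_key(image_bytes, salt)
    # Server side: only the salt and a one-way verifier of the key.
    server_record = {"salt": salt, "verifier": _subkey(key, b"server-verifier")}
    # Device side: the password wrapped under the key, encrypt-then-MAC.
    nonce = os.urandom(16)
    plaintext = master_password.encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(_subkey(key, b"wrap"), nonce, len(plaintext)))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    device_record = {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}
    return server_record, device_record


def recover(image_bytes: bytes, server_record: dict, device_record: dict):
    """Return the Master Password, or None if the image or records do not match."""
    key = derive_key(image_bytes, server_record["salt"])
    # 1. Server check: compare verifiers in constant time. The verifier is a
    #    one-way function of the key, so the server cannot recover the image.
    if not hmac.compare_digest(_subkey(key, b"server-verifier"), server_record["verifier"]):
        return None
    # 2. Device unwrap: verify the MAC before touching the ciphertext.
    nonce, ciphertext = device_record["nonce"], device_record["ciphertext"]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, device_record["tag"]):
        return None
    return _xor(ciphertext, _keystream(_subkey(key, b"wrap"), nonce, len(ciphertext))).decode("utf-8")


if __name__ == "__main__":
    # Constructed stand-in for an uploaded image file (a PNG header plus filler bytes).
    image = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 64
    srv, dev = enroll(image, "correct horse battery staple")
    print("exact file:   ", recover(image, srv, dev))
    print("altered copy: ", recover(image[:-1] + b"\x00", srv, dev))  # one byte differs -> None
```

Because the key is a deterministic function of the file bytes, the same consequence the post mentions shows up directly: a copy that has been re-saved or resized yields a different key and recovery fails, which is why the backup should be the original file, not a re-exported version of it.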
July 30, 2015 / By: Leah