Security Questions are the Worst Kind of Password Recovery
Security questions should be easier to remember than passwords… They give you a clue about what you need to remember, which is usually related to your personal life. The idea that they are a safe form of password recovery comes from the logic that you, and only you, would know such intimate details about your life. However, a recent research report from Google suggests that personal information questions used for password recovery are, in fact, pretty terrible at doing their job – both in terms of memorability and security.
Why security questions aren’t the answer
- We aren’t as unique as we think. Common answers pose a real security risk. For example, in just one attempt, a cybercriminal has a 1 in 5 chance of accurately guessing your favorite food. In fact, Google was able to accurately recreate the real answer distribution that people would choose, using an easy and cheap crowdsourcing method of analyzing online user data.
- We don’t like to tell the truth. Even though we’re happy to overshare on Facebook, we seem to have a natural aversion to revealing private details about our lives in personal security questions. We then either choose a more general response that is easier to guess – like that our favorite food is pizza – or our chance of remembering our answer plummets.
- We have trouble remembering the best answers. The more secure the question, the harder it is to remember the answer. Like passwords, complicated number and letter combinations make for the best answers. The prompt for a library card number had only 22% recall, and the worst, frequent flyer number, had a mere 9% success rate.
- We change our minds. This means that we remember our general choices – like favorite food – less and less over time. Google showed that you will remember your selection for favorite food 74% of the time after a month, 53% after 3 months and, at best, 47% of the time after a year.
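To make the "1 in 5" point concrete, here is an added example (not code from the original post or from Google's report) that measures how fast an attacker who simply guesses the most popular answers in order succeeds against a skewed answer distribution, and shows the defender-side counterpart: rejecting overly common answers at enrollment, the way a password blocklist rejects "password123". The answer frequencies are constructed for illustration and are not the report's measured data; the 2% threshold is an assumption.

```python
"""Added example (not from the original post): attacker success against a
skewed security-question answer distribution, and an enrollment check that
refuses the most common answers.  SAMPLE_ANSWERS is CONSTRUCTED for
illustration; it is not the distribution Google measured."""
from collections import Counter

# Constructed sample of 100 "favorite food" answers as a site might collect
# them at enrollment (hypothetical data, not from the report).
SAMPLE_ANSWERS = (
    ["pizza"] * 20 + ["sushi"] * 10 + ["tacos"] * 8 + ["pasta"] * 7
    + ["steak"] * 5 + ["curry"] * 4 + ["ramen"] * 3 + ["salad"] * 3
    + [f"dish{i}" for i in range(40)]   # 40 unique, low-frequency answers
)


def normalize(answer: str) -> str:
    """Canonical form so 'Pizza', ' pizza ' and 'PIZZA' count as one answer."""
    return " ".join(answer.strip().lower().split())


def answer_distribution(answers):
    """Map each normalized answer to its share of the population, most common first."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    return {a: n / total for a, n in counts.most_common()}


def guess_success(dist, attempts: int) -> float:
    """Probability that an attacker who tries the `attempts` most common answers,
    in order, hits a random user's real answer.  This is the cumulative success
    curve used in guessing analyses: with one attempt it is simply the share of
    the single most popular answer."""
    probs = sorted(dist.values(), reverse=True)
    return sum(probs[:attempts])


def is_answer_too_common(answer: str, dist, threshold: float = 0.02) -> bool:
    """Enrollment check: refuse answers shared by more than `threshold` of users.
    The threshold value is an assumption of this example."""
    return dist.get(normalize(answer), 0.0) > threshold


if __name__ == "__main__":
    dist = answer_distribution(SAMPLE_ANSWERS)
    for k in (1, 3, 10):
        print(f"{k:2d} guesses -> {guess_success(dist, k):.0%} of accounts")
    print("'Pizza' rejected at enrollment:", is_answer_too_common("Pizza", dist))
    print("'dish7' rejected at enrollment:", is_answer_too_common("dish7", dist))
```

With this constructed sample the single most popular answer covers 20% of users, so one guess succeeds one time in five, and ten guesses cover well over half the population; a lockout after a handful of attempts limits the damage but cannot fix a question whose answer space is this small, which is why the enrollment blocklist matters as much as the attempt counter.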
Security questions: Threats
There are a lot of security weaknesses in recovery questions that prompt for personal information. But online social sharing of personal details is one of the most serious. Even if you are careful of what you reveal online, the report found that attackers are able to glean details from your friends and family members who may not be so protective.
And it’s not just social media that cybercriminals will turn to. In a 2009 study that Google references, researchers were able to obtain answers to security questions from 92% of users tested via email phishing. And let’s not forget about publicly available records, like birth and marriage records, which are becoming increasingly digitized and can reveal a whole lot of information that a person might use for security questions.
Secure account recovery
In the research report, Google notes that they prefer SMS via mobile phone or email for account recovery. It is much more secure to recover your accounts this way, especially in an age when everyone’s mobile phone is close at hand.
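The reason an SMS or email code is stronger than a personal-information question is not only that it reaches a channel the attacker is less likely to control, but that the code itself can be random, short-lived, single-use and attempt-limited, none of which is true of "favorite food". The following added example (not code from the original post or from Google) sketches that server-side half of a recovery flow; the 10-minute lifetime, 5-attempt cap, in-memory store and hash construction are this example's own design choices, and delivery over SMS or email is not shown.

```python
"""Added example (not from the original post or from Google): server-side
handling of an out-of-band account-recovery code.  TTL, attempt cap and the
in-memory store are assumptions of this example."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # code lives 10 minutes (assumption)
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is burned (assumption)

_pending = {}   # user id -> record; in-memory stand-in for a database row


def _digest(user_id: str, code: str) -> str:
    # Only a hash is stored, so a leaked table does not hand out live codes.
    # A 6-digit code has just 10**6 values, so hashing alone does not stop
    # offline guessing; the short TTL and attempt cap are what make it safe.
    return hashlib.sha256(f"{user_id}:{code}".encode()).hexdigest()


def issue_recovery_code(user_id: str, now: float = None) -> str:
    """Create a fresh 6-digit code, record its hash, and return the plaintext
    the caller would deliver to the user's phone or mailbox."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # uniform, CSPRNG-backed, not guessable from the user's life
    _pending[user_id] = {
        "hash": _digest(user_id, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_recovery_code(user_id: str, submitted: str, now: float = None) -> bool:
    """Time-limited, single-use, attempt-limited check.  Success consumes the
    code; exhausting the attempt budget or the TTL discards it."""
    now = time.time() if now is None else now
    rec = _pending.get(user_id)
    if rec is None:
        return False
    if now > rec["expires"]:
        del _pending[user_id]
        return False
    rec["attempts"] += 1
    ok = hmac.compare_digest(rec["hash"], _digest(user_id, submitted))
    if ok or rec["attempts"] >= MAX_ATTEMPTS:
        del _pending[user_id]   # consumed on success, burned on abuse
    return ok


if __name__ == "__main__":
    code = issue_recovery_code("alice")
    print("delivered out of band:", code)
    print("wrong code accepted?", verify_recovery_code("alice", "000000" if code != "000000" else "999999"))
    print("right code accepted?", verify_recovery_code("alice", code))
    print("replay accepted?", verify_recovery_code("alice", code))
```

Every property that security questions lack is enforced in `verify_recovery_code`: the secret is not derivable from public records, it cannot be reused once it has worked, it stops being valid on its own after the TTL, and an online guessing attacker gets at most `MAX_ATTEMPTS` tries before the code is discarded and a new one must be requested through the legitimate channel.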
July 30, 2015 / By: Leah