Google has lifted the lid on why “secret” password recovery questions – even their own – are not only ineffective, but jeopardizing your security
What is your frequent flyer number? And what was your favorite food seven years ago? If you’re finding it difficult to remember, that is one of the problems identified by new research by Google into one of the internet’s most antiquated curiosities – the secret, personal questions posed by thousands of websites that allow people to recover their password.
The white paper – called “Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google” – analyzed the hundreds of millions of secret questions and answers that had been used for millions of account recovery claims at Google. But the conclusion was surprisingly brutal: this entire security method, including Google’s own system, is not only largely ineffective, but also a security risk. And here are seven of the reasons why…
- Easy answers aren’t secure
According to research, the easiest question to remember is your city of birth – with an overall 80.1 per cent success rate – with your father’s middle name coming second. But if it’s easy to remember an answer, it usually means it’s easy for someone else to guess. This is because the answers often contain commonly known information, or data available publicly on, for example, Facebook. Indeed, this flaw was blamed for the 2014 leak of thousands of private images of celebrities – when Apple admitted that iCloud accounts could be reset with two security answers that were easily discoverable online.
- Difficult answers aren’t usable
Again, it’s no surprise that more difficult questions – while harder for an attacker to guess – are more difficult for users to remember too, making them similarly impractical. Google highlighted two of the potentially safest questions: “What is your library card number?” and “What is your frequent flyer number?”. But these only had 22% and 9% recall rates, respectively. And our memories aren’t great to begin with: Google found that 40% of their English-speaking US users couldn’t recall ANY of their secret question answers when required.
- We lie to ourselves
More specifically, research showed we purposefully give the wrong answer, in the belief that it will make the system more secure – and then forget the fake answer all too quickly. For example, Google found that 37% of people intentionally provide false answers to questions such as “What’s your phone number?” or “What’s your frequent flyer number?” – thinking this will make them harder to guess. However, as they often chose the same false answers, it actually increased the likelihood that an attacker could break in.
- Your answer can change
Simple human nature: when an answer is less a fact and more an opinion, that opinion is likely to change. Take the question “What is your favourite food?” – the answer may have changed between the time you set up the password recovery question and the time you need to use it. If asked within a month, you are 74 per cent likely to remember it; if asked three months later it’s a 50/50 proposition that you’ll recall it.
- Everyone likes the same thing
Another problem with qualitative answers where you offer an opinion: everyone has the same tastes. So with the question “What is your favourite food?”, research found that an attacker would have a 19.7% chance of succeeding by guessing English-speaking users’ most popular answer – ‘pizza’. And with ten guesses, an attacker would have a 43% chance of guessing Korean-speaking users’ favourite food.
- Security differs from country to country
Cultural differences can alter the level of security certain questions offer too, simply because they create a smaller set of possible answers. Take the question “What’s your first teacher’s name?”, for example – research found that, with ten guesses, an attacker would have a nearly 24% chance of guessing an Arabic-speaking user’s answer. With ten guesses, an attacker would have a 21% chance of guessing Spanish-speaking users’ answers to the question, “What is your father’s middle name?” And with Korean-speaking users, an attacker would only need ten guesses to stand a 39% chance of guessing the city of their birth – simply because there aren’t that many big cities in Korea.
- Adding more questions doesn’t help
So if the answers are too easy to guess, just add more questions, right? Wrong: while two questions, for example, make it more difficult for hackers, the chances that people can recover their accounts also drop significantly. Google never actually asks multiple security questions, but it combined the data for two of the easiest questions: “What city were you born in?” and “What is your father’s middle name?”. The probability that an attacker could get both answers in ten guesses is 1%. But research also revealed that users will recall both answers only 59% of the time.
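The “ten guesses” figures above are the share of accounts covered by the most common answers to a question. As an added example (not from Google's paper or the original article), this sketch computes that share over a site's own stored answers, for one question and for a required pair; the function names, the 5% default limit and the sample answers are constructed for illustration.

```python
from collections import Counter

def normalize(answer):
    """Fold case and whitespace so ' Pizza' and 'pizza' count as one answer."""
    return " ".join(answer.lower().split())

def top_k_success(answers, k=10):
    """Share of accounts whose answer is among the k most common answers."""
    if not answers:
        return 0.0
    counts = Counter(normalize(a) for a in answers)
    return sum(n for _, n in counts.most_common(k)) / len(answers)

def top_k_success_pair(first, second, k=10):
    """Same metric when both answers are required; one guess is a pair."""
    if len(first) != len(second):
        raise ValueError("answer lists must cover the same accounts")
    if not first:
        return 0.0
    pairs = Counter((normalize(a), normalize(b)) for a, b in zip(first, second))
    return sum(n for _, n in pairs.most_common(k)) / len(first)

def weak_questions(answers_by_question, k=10, limit=0.05):
    """Questions whose top-k success rate exceeds the site's chosen limit."""
    return {q: rate for q, a in answers_by_question.items()
            if (rate := top_k_success(a, k)) > limit}

# Constructed sample: 20 accounts, answers as users typed them.
FOODS = ["pizza", "Pizza", " pizza", "PIZZA", "sushi", "sushi", "Sushi",
         "pasta", "pasta", "tacos", "ramen", "curry", "pho", "paella",
         "falafel", "kimchi", "bibimbap", "dumplings", "borscht", "pierogi"]
CITIES = ["seoul", "busan", "lima", "oslo", "cairo"] * 4

if __name__ == "__main__":
    print("food, 1 guess:        ", top_k_success(FOODS, 1))
    print("food, 3 guesses:      ", top_k_success(FOODS, 3))
    print("city, 3 guesses:      ", top_k_success(CITIES, 3))
    print("food+city, 3 guesses: ", top_k_success_pair(FOODS, CITIES, 3))
    print("over 50% at 3 guesses:", weak_questions(
        {"food": FOODS, "city": CITIES}, k=3, limit=0.5))
```

The pair score falls well below either single-question score, which is the security half of the trade-off; the recall half has to be measured from real recovery attempts.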
Google’s own data shows that the secret answers are either secure or easy to remember – but never both. And piling on more secret questions simply adds difficulty for users, making it an impractical solution. Instead? Google’s policy has already changed to never use security questions as stand-alone proof of account ownership. But they recommend: “In parallel, site owners should use other methods of authentication, such as backup codes sent via SMS text or secondary email addresses.” Or, of course, you could always just use a password manager to do all that remembering for you…