Google Reveals That Security Questions Aren't Reliable

When most websites want to help you remember your password, they ask you to answer a number of preset security questions. Some of these are as simple as "What was your first pet?" or "What's your father's father's middle name?"

But are they an effective method for protecting a user's security?

That's what Google wanted to find out. So they launched a comprehensive study to determine how effective security questions were when compared to newer security methods, such as two-step verification or SMS passwords. The results were not pretty. "Our analysis confirms that secret questions generally offer a security level that is far lower than user-chosen passwords," Google's abstract reads. "It turns out to be even lower than proxies such as the real distribution of surnames in the population would indicate."

Google believes that this security failure is due partly to the fact that hackers can just guess the answers if needed and partly to the fact that people create fake answers.

"An attacker has an almost 20% chance of guessing an English speaker's answer to 'What is your favorite food?' in a single try," reports Slashgear. "The problem extends beyond English as well. An attacker has an almost 40% chance of guessing a Korean speaker's answer to 'What is your city of birth?' or their favorite food, within ten tries."

So what does Google suggest users and sites do to improve security?

First, users need to stop using fake answers. Google conducted a user survey during the study, asking users to reveal whether they had faked their answers. According to Google, "a significant fraction of users (37%) who admitted to providing fake answers did so in an attempt to make them 'harder to guess.'" On aggregate, however, the behavior resulted in the opposite effect: they were easier to guess because people "'harden' their answers in a predictable way," said Google.

Second, Google recommends that sites employ more than one security question. Sites employing multiple security questions are less likely to be hacked than sites relying on just one.
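A site can measure the guessing figures quoted above on its own recovery data. The following is an added example, not code from Google's study or from this article; the answer records are constructed and the function names are hypothetical. It computes the share of accounts covered by the k most common answers to one question, and the same figure when two questions must both be answered.

```python
from collections import Counter

# Constructed sample: (favorite food, city of birth) for 20 accounts.
RECORDS = (
    [("Pizza", "London")] * 2 + [("pizza ", "Leeds")] * 2
    + [("Pasta", "London")] * 3 + [("sushi", "York")] * 2
    + [("curry", "london")] * 2
    + [("tacos", "Leeds"), ("ramen", "Bath"), ("steak", "Derby"),
       ("salad", "Hull"), ("pho", "Bristol"), ("chili", "Leeds"),
       ("bread", "London"), ("rice", "Cardiff"), ("soup", "Oxford")]
)

def normalize(answer):
    """Compare answers the way a recovery form usually does:
    ignoring case and surplus whitespace."""
    return " ".join(answer.lower().split())

def guess_rate(answers, k):
    """Fraction of accounts whose answer is among the k most common ones,
    i.e. the success rate of k guesses made in popularity order."""
    counts = Counter(normalize(a) for a in answers)
    return sum(n for _, n in counts.most_common(k)) / len(answers)

def combined_guess_rate(pairs, k):
    """Same metric when both answers are required together. Counting the
    joint answers keeps any correlation between the two questions."""
    joint = Counter((normalize(a), normalize(b)) for a, b in pairs)
    return sum(n for _, n in joint.most_common(k)) / len(pairs)

def audit(records, k):
    """Per-question and combined guess rates for one guess budget k."""
    foods = [food for food, _ in records]
    cities = [city for _, city in records]
    return {
        "food": guess_rate(foods, k),
        "city": guess_rate(cities, k),
        "both": combined_guess_rate(records, k),
    }

if __name__ == "__main__":
    for k in (1, 3):
        print(k, audit(RECORDS, k))
```

On this sample a single guess covers 20% of accounts for the food question and 40% for the city question, but 15% when both are required. That is lower than either question alone, yet well above the 8% that multiplying the two rates would suggest, because the answers are correlated.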

You can read Google's full study here.
