Using “secret questions” to reset passwords can be secure in one narrow sense: the answers are so hard to recall that even legitimate users have trouble getting into their own accounts.
That’s the conclusion reached by researchers at Google, who have released a white paper showing that 40% of English-speaking U.S. users failed to remember the answers to their own security questions when trying to recover their accounts. The study, which analyzed hundreds of millions of secret answers and millions of account recovery claims, found that while secret questions may sound like a solid security practice, in reality the answers are either too easy to guess or too hard to remember.
Many websites ask users personal knowledge questions, such as their city of birth or the preschool they attended, as part of the account recovery process. These questions often have common answers and are poor shields against attackers. For example, the study found that an attacker has a 20% chance of guessing an English-speaking user’s favorite food, and can determine the city of birth of 39% of Korean-speaking users in just 10 guesses.
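The figures above come from measuring how concentrated the answer distribution is: an attacker who knows which answers are most popular simply guesses them in order. The following is an added example (not code or data from the Google study) that computes that guessability metric over a constructed sample of answers. The `FAVORITE_FOOD` and `LIBRARY_CARD` samples are made up for illustration; the function names are this example’s own.

```python
"""Guessability of secret-question answers from their empirical distribution.

Added worked example; the sample answers below are constructed, not data from
the Google study. The metric mirrors the one the article cites: the fraction
of users an attacker compromises with k guesses, assuming the attacker knows
the answer distribution and tries the most common answers first.
"""
import math
import re
from collections import Counter
from typing import Iterable, List


def normalize(answer: str) -> str:
    """Canonicalize an answer the way a recovery form typically would.

    Case folding and whitespace collapsing matter for measurement: "Pizza "
    and "pizza" are the same secret, so they must count as one answer.
    """
    return re.sub(r"\s+", " ", answer.strip()).casefold()


def guess_success_rate(answers: Iterable[str], k: int) -> float:
    """Fraction of users whose answer is among the attacker's top-k guesses.

    The attacker's guess list is the k most common normalized answers in
    the population; returns 0.0 for k <= 0.
    """
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    if total == 0:
        raise ValueError("need at least one answer")
    if k <= 0:
        return 0.0
    hits = sum(count for _, count in counts.most_common(k))
    return hits / total


def min_entropy_bits(answers: Iterable[str]) -> float:
    """Min-entropy of the answer distribution: -log2(P(most common answer)).

    This is the security level against a single optimal guess; 2 bits means
    a one-guess attacker succeeds against 1 in 4 users.
    """
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    if total == 0:
        raise ValueError("need at least one answer")
    _, top = counts.most_common(1)[0]
    return -math.log2(top / total)


# Constructed sample of 100 "favorite food" answers with a heavy head
# (25 pizza, some typed with different casing/whitespace) and a long tail
# of 20 unique answers. Not real survey data.
FAVORITE_FOOD: List[str] = (
    ["pizza"] * 20 + ["Pizza "] * 5
    + ["sushi"] * 12 + ["tacos"] * 10 + ["pasta"] * 8 + ["steak"] * 7
    + ["curry"] * 6 + ["burgers"] * 5 + ["ramen"] * 4 + ["salad"] * 3
    + [f"dish{i}" for i in range(20)]
)

# Constructed sample of 100 distinct "library card number" answers:
# high guess resistance, but (per the article) poor recall.
LIBRARY_CARD: List[str] = [f"{1000000 + 7919 * i:07d}" for i in range(100)]


if __name__ == "__main__":
    for name, sample in (("favorite food", FAVORITE_FOOD),
                         ("library card number", LIBRARY_CARD)):
        print(f"{name}: 1-guess {guess_success_rate(sample, 1):.0%}, "
              f"10-guess {guess_success_rate(sample, 10):.0%}, "
              f"min-entropy {min_entropy_bits(sample):.2f} bits")
```

On the constructed food sample a single guess ("pizza") succeeds against 25% of users and ten guesses against 81%; the unique card numbers give 10% for ten guesses only because the attacker is guessing blindly among 100 equally likely values. The article's Korean city-of-birth figure (39% in 10 guesses) is exactly this kind of top-10 sum over a real answer distribution.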
What’s more, an answer can change over time, particularly when someone is asked what his or her favorite food is. People also admitted that they made up fake answers in the hope of making them harder to guess.
“The potentially safest questions have abysmal recall,” the report said, citing library card and frequent flyer numbers, which had 22% and 9% recall rates, respectively.