SAN FRANCISCO – Bad news for security questions–it turns out lots of people love pizza.
You know those annoying security questions you have to answer when you sign up for some online accounts, so you can recover your password if you forget it?
A study by Google researchers found that they aren’t very secure at all.
The problem is that easy-to-remember answers aren’t secure enough, but users can’t remember secure ones, the study found.
Google and computer scientists at Stanford University looked at the distribution of hundreds of millions of secret answers. Their paper was presented at the World Wide Web Conference in Florence, Italy this week.
Globally, the most common security questions are far too easy to figure out.
“What’s your favorite food?” doesn’t work for English speakers. A hacker would have a 20% chance of guessing right by simply choosing “pizza.”
Not only that, but people either forget what they like to eat or their tastes change pretty quickly. The success rate for getting the question right when locked out of an account was 74% after a month, 53% after three months and 47% after a year.
Names, especially in places where many people share the same name, don’t work much better.
Given ten guesses, an attacker would have a nearly 24% chance of guessing the name of an Arabic-speaker’s first teacher.
Those same ten guesses would give an attacker a 21% chance of guessing a Spanish speaker’s father’s middle name.
Surprisingly, questions like “What’s your phone number?” or “What’s your frequent flyer number?”, which would seem more secure, turned out to be less safe.
There were two reasons.
First, more than a third of people turned out to give a false answer when asked to set up a security question. They told surveyors they wanted to make them “harder to guess.”
Unfortunately, the numbers they made up tended to be less random than real phone numbers. The researchers found that 4.2% of English-speakers had the “same” frequent flyer number and 0.4% had the same phone numbers–making them easier for would-be attackers to crack.
The other problem was that people forget numbers. Only 55% of people could remember their first phone number and just 9% remembered their frequent flyer number.
Simply asking more secret questions doesn’t help because the more questions you ask, the greater chance the person will forget one of the answers–leaving them still locked out of their account.
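The two figures the article keeps returning to, an attacker’s success rate with a fixed number of guesses and a user’s chance of recalling every answer, can both be computed from an answer distribution. The following is an added example, not code from the study or from Google; the answer sample is constructed, and the recall percentages are the ones quoted above.

```python
from collections import Counter
from typing import Iterable, Sequence

# Constructed sample: "favorite food" answers from a fictional population of
# 100 users (not the study's data). The 20-in-100 skew toward "pizza" mirrors
# the 20% single-guess success rate reported for English speakers.
SAMPLE_ANSWERS = (
    ["pizza"] * 20 + ["pasta"] * 8 + ["sushi"] * 7 + ["tacos"] * 6
    + ["chicken"] * 5 + ["steak"] * 4 + ["curry"] * 3 + ["salad"] * 2
    + [f"dish{i}" for i in range(45)]  # long tail of unique answers
)


def normalize(answer: str) -> str:
    """Fold case and whitespace so 'Pizza ' and 'pizza' count as one guess."""
    return " ".join(answer.lower().split())


def guess_success(answers: Iterable[str], k: int) -> float:
    """Fraction of accounts an attacker opens with k guesses when they always
    try the k most common answers (the 'ten guesses' metric in the article)."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    return sum(c for _, c in counts.most_common(k)) / total


def question_is_acceptable(answers: Iterable[str], k: int, max_rate: float) -> bool:
    """Defender-side check: reject a question whose top-k answers cover more
    than max_rate of users. The threshold is a policy choice, not from the study."""
    return guess_success(answers, k) <= max_rate


def recovery_rate(recall_rates: Sequence[float]) -> float:
    """Probability a legitimate user answers every question in a set, assuming
    independent recall; shows why adding questions locks out more real users."""
    p = 1.0
    for r in recall_rates:
        p *= r
    return p


if __name__ == "__main__":
    for k in (1, 3, 10):
        print(f"{k:2d} guesses -> {guess_success(SAMPLE_ANSWERS, k):.1%}")
    print("acceptable at 10 guesses / 5%:",
          question_is_acceptable(SAMPLE_ANSWERS, 10, 0.05))
    # Recall figures from the article: favorite food after a year (47%),
    # first phone number (55%), frequent flyer number (9%).
    print(f"one question   : {recovery_rate([0.47]):.1%}")
    print(f"three questions: {recovery_rate([0.47, 0.55, 0.09]):.1%}")
```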
In a blog post Thursday, Google said it has switched to using a text message or backup email address as its main account recovery mechanism, with security questions “as a last resort.”