It’s official: we’re terrible at account security. Not only do we use awful passwords, but we can’t even remember the answers to our secret questions.
A new report from Google found that secret questions are the least reliable way to regain entry into your account. Of the millions of account recovery attempts analyzed by the search giant, about 40 percent of people could not recall the answers to their secret questions when necessary.
One reason? People tried to be clever and provide the wrong answers to their questions (Where were you born? Tomato). But then they forgot that wrong answer. Duh.
Questions that are deemed more secure, meanwhile, are often harder to remember, Google found.
“‘Father’s middle name?’ had a success rate of 76 percent overall whereas the potentially safer question ‘First phone number?’ had a 55 percent recall,” Google said. “The potentially safest questions have abysmal recall: ‘Library card number?’ has a 22 percent recall and ‘Frequent flyer number?’ only has a 9 percent recall rate.”
Your ability to remember an answer also decreases over time. About 74 percent of people could remember the response to “favorite food?” one month after entering it. But that dropped to 53 percent after three months and 47 percent after a year.
Google said it has a much higher success rate with email- or text-based account recovery options. As a result, it avoids secret questions unless they’re used in conjunction with one of those two alternatives.
“Secret questions continue to have some use when combined with other signals, but they should not be used alone and best practice should favor more reliable alternatives,” Google said. “We conclude that it appears next to impossible to find secret questions that are both secure and memorable.”
Not being able to remember your secret question responses is annoying, but Google said the bigger concern is hackers who try to hijack accounts using “mass guessing attacks,” in which the same handful of popular answers is tried against a large number of accounts. With weak answers, it’s not that difficult: in a 2009 study published by the Institute of Electrical and Electronics Engineers (IEEE), researchers guessed about 10 percent of people’s answers simply by trying the most common responses.
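To make the mass-guessing point concrete, here is a small simulation added for this article; it is not code from Google’s study or from the article itself. The population of “Favorite food?” answers is constructed (a skewed distribution where a few answers dominate), and the attacker’s guess list is likewise made up. The attacker never targets anyone specifically: the same short list of popular answers is tried against every account, and the only knob the defender controls in this model is how many wrong attempts an account tolerates before recovery is locked.

```python
"""Constructed simulation of a mass-guessing attack on secret-question answers.

Not from the article or from Google's report. The answer population and the
attacker's guess list are both made up for illustration.
"""
from collections import Counter


def normalize(answer: str) -> str:
    """Canonicalize an answer the way a recovery form would compare it:
    case-insensitive, surrounding whitespace and repeated spaces ignored."""
    return " ".join(answer.strip().lower().split())


# Constructed population of 1,000 accounts' answers to "Favorite food?".
# A few answers are very common (with case/spacing variants), the rest are
# unique to one account each. Real distributions are similarly heavy-headed.
CONSTRUCTED_ANSWERS = (
    ["pizza"] * 198 + ["Pizza", " PIZZA "]
    + ["chocolate"] * 100
    + ["sushi"] * 80
    + ["pasta"] * 60
    + ["steak"] * 40
    + ["tacos"] * 20
    + [f"rare-food-{i}" for i in range(500)]
)

# Constructed attacker dictionary: popular answers, most common first.
# Two of them ("burger", "ice cream") never appear in the population above,
# which is realistic: the attacker's list is never a perfect match.
ATTACKER_GUESSES = [
    "pizza", "chocolate", "sushi", "pasta", "steak", "tacos", "burger", "ice cream",
]


def best_single_guess(answers):
    """Return (answer, probability) for the single most common normalized answer,
    i.e. the attacker's success rate with one attempt per account."""
    counts = Counter(normalize(a) for a in answers)
    answer, count = counts.most_common(1)[0]
    return answer, count / len(answers)


def attack_success_rate(answers, guesses, attempts_allowed):
    """Fraction of accounts compromised when the attacker tries `guesses` in order
    against every account and each account permits at most `attempts_allowed`
    attempts before recovery is locked out."""
    tried = {normalize(g) for g in guesses[:attempts_allowed]}
    hits = sum(1 for a in answers if normalize(a) in tried)
    return hits / len(answers)


if __name__ == "__main__":
    answer, p = best_single_guess(CONSTRUCTED_ANSWERS)
    print(f"best single guess: {answer!r} breaks {p:.0%} of accounts")
    for attempts in (1, 3, 5, 8):
        rate = attack_success_rate(CONSTRUCTED_ANSWERS, ATTACKER_GUESSES, attempts)
        print(f"{attempts} attempts per account -> {rate:.0%} of accounts compromised")
```

The interesting output is the gap between one attempt and a handful: with this constructed population the attacker breaks into a fifth of all accounts with a single guess and roughly half with the full list, which is why a lockout after a few failed recovery attempts matters far more than the “strength” of any individual question. Note also that `normalize` helps the attacker as much as the legitimate user: any forgiving comparison the site applies to answers applies to guesses too.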
In an era of openness, meanwhile, where your every move is chronicled online, it’s not hard to find things like place of birth, mother’s maiden name, or high school mascot by trawling a Facebook or Twitter account.
This kind of targeted guessing is likely how hackers gained access to celebrity iCloud accounts last year. “Certain celebrity accounts were compromised by a very targeted attack on user names, passwords, and security questions, a practice that has become all too common on the Internet,” Apple said in a September statement.