Using secret questions to let people back into their accounts when they forget their passwords is a terrible idea, according to a new paper from Google.
A white paper [PDF] called “Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google” dug into the data from millions of users’ interactions with a range of password-recovery questions and concluded they were not only largely ineffective, but also a security risk.
The idea is a fairly logical one: to let someone back into their account if they have forgotten their password, ask them a question whose answer is likely to be specific to that individual and use the answer to verify who they are.
The problem? We can’t remember the answer most of the time, or we deliberately give a false answer in the belief that it will make the account more secure (not realizing, of course, that we will forget the fake answer all too quickly).
Another gem from the paper: what we believe is our favorite food changes over time, so what you typed in when you set up the recovery question is likely to have changed by the time you need to use it. If asked within a month, you are 74 per cent likely to remember it; if asked three months later it’s a fifty-fifty proposition that you’ll recall the favored dish.
So what’s the best question to remember? City of birth, according to the Googlers, with an overall 80.1 per cent success rate. Second best is our father’s middle name.
But the researchers point out that these questions – and many others – are inherently insecure, since a third party who knows your name can often find out that information. As for the hardest thing to recall – that’s your frequent flyer number (seriously, who memorizes their frequent flyer number?).
Basically, the more secure the question, the less likely we are to recall it.
There are also some interesting statistics on how easy it may be simply to guess people’s answers. For example, with just 10 guesses an attacker could correctly answer the city of birth question for 39 per cent of Korean-speaking users, since the population is concentrated in a handful of big cities.
Similarly, a single guess has a four per cent chance of getting a Spanish speaker’s father’s middle name right.
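Those percentages are just the mass of the most popular answers: an attacker who knows the answer distribution for a population guesses the top answer first, then the second, and so on, so the fraction of accounts exposed after k attempts is the sum of the k largest answer probabilities. The following Python is an added example, not code from the paper or from Google; it runs that calculation over a constructed, deliberately skewed answer set (the city names and counts are made up, not the paper’s data) so you can see how a lockout threshold translates into a share of accounts an attacker can take over:

```python
from collections import Counter
from math import log2

# Constructed sample: answers to a hypothetical "city of birth" question from
# 1,000 users. These counts are invented for illustration, not taken from the
# paper; they are skewed the way real answer populations are.
SAMPLE_ANSWERS = (
    ["Seoul"] * 250 + ["seoul "] * 0 + ["Busan"] * 120 + ["Incheon"] * 90
    + ["Daegu"] * 70 + ["Daejeon"] * 50 + ["Gwangju"] * 45 + ["Ulsan"] * 35
    + ["Suwon"] * 30 + ["Changwon"] * 25 + ["Goyang"] * 20
    + [f"town{i}" for i in range(265)]  # 265 unique long-tail answers
)


def normalize(answer: str) -> str:
    """Canonicalise an answer the way a recovery system should before comparing.

    Case and surrounding/duplicate whitespace must not count as a wrong answer,
    otherwise legitimate users fail recovery even more often than they already do.
    """
    return " ".join(answer.strip().lower().split())


def answer_distribution(answers):
    """Map each normalised answer to its probability in the population."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    return {a: c / total for a, c in counts.items()}


def guess_success_rate(dist, guesses):
    """Fraction of accounts an attacker who knows `dist` breaks with `guesses` attempts.

    An optimal attacker tries answers in decreasing order of popularity, so this
    is simply the probability mass of the top-k answers.
    """
    probs = sorted(dist.values(), reverse=True)
    return sum(probs[:guesses])


def guesses_needed(dist, target):
    """Smallest number of guesses whose cumulative success rate reaches `target`."""
    cumulative = 0.0
    for k, p in enumerate(sorted(dist.values(), reverse=True), start=1):
        cumulative += p
        if cumulative >= target:
            return k
    return None  # target is not reachable even by exhausting every known answer


def min_entropy_bits(dist):
    """Min-entropy: the security against a single best guess, in bits."""
    return -log2(max(dist.values()))


def exposure_report(answers, attempt_limits=(1, 3, 10)):
    """Summarise how much of the population each lockout policy leaves exposed."""
    dist = answer_distribution(answers)
    return {
        "distinct_answers": len(dist),
        "min_entropy_bits": min_entropy_bits(dist),
        "exposed_by_limit": {k: guess_success_rate(dist, k) for k in attempt_limits},
        "guesses_for_half": guesses_needed(dist, 0.5),
    }


if __name__ == "__main__":
    report = exposure_report(SAMPLE_ANSWERS)
    print(f"distinct answers: {report['distinct_answers']}")
    print(f"min-entropy: {report['min_entropy_bits']:.2f} bits")
    for limit, rate in report["exposed_by_limit"].items():
        print(f"lockout after {limit:>2} attempts: {rate:.1%} of accounts exposed")
    print(f"guesses to cover half the population: {report['guesses_for_half']}")
```

The report makes the paper’s point concrete: with the constructed distribution a single guess already covers a quarter of accounts, and a lockout policy that allows ten attempts (a common setting) exposes well over two thirds of them, even though there are hundreds of distinct answers. Min-entropy, not the count of possible answers, is the number that matters when an attacker gets to pick the most popular answer first.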
So what’s the upshot of having reviewed millions of secret questions and answers? Two things: one, as a species, we humans remain pretty stupid while simultaneously believing ourselves to be very clever. And two, it’s best to use SMS or email for account recovery.
“Secret questions continue to have some use when combined with other signals, but they should not be used alone and best practice should favor more reliable alternatives,” the paper concludes. ®