InformationWeek | News | 5/22/2015 01:10 PM
Google: Your Password Security Questions Are Terrible

You might want to think twice about using an easy-to-remember security question for your protected accounts, according to a Google study.


Despite the widespread popularity of security questions as an added layer of password-based security, a study by Google suggests secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism.

The findings suggest users' answers are either somewhat secure or easy to remember, but rarely both.

With a single guess, an attacker would have a nearly 20% chance of guessing English-speaking users' answers to the question, "What is your favorite food?" That turns out to be pizza, naturally.

(Image: D3Damon/iStockphoto)

"Secret questions have long been a staple of authentication and account recovery online," Elie Bursztein, Google's anti-abuse research lead, and Ilan Caron, a Google software engineer, wrote on the company's Online Security blog. "But, given these findings it's important for users and site owners to think twice about these."

In addition, 40% of Google's English-speaking US users couldn't recall their secret-question answers when they needed to.

These same users, meanwhile, could recall reset codes sent to them through SMS text messages more than 80% of the time and through email nearly 75% of the time.

A user's father's middle name and the city where the user was born are among the most popular security questions on offer; an attacker would have a 6.9% and a 14.6% chance, respectively, of guessing the answer correctly within 10 tries.

The problem is a worldwide issue: The study found, for instance, that an attacker would have a 39% chance of guessing Korean-speaking users' answers to the question, "What is your city of birth?" and a 43% chance of guessing their favorite food.

Hackers would also have a pretty good chance at figuring out answers in Arabic- and Spanish-speaking countries.

(Image: Google)

The convenience of an easy-to-remember answer dilutes the security the question is meant to provide, and harder-to-guess answers have found little traction among users.

The report noted that some of the potentially safest questions, such as inputting a library card number or a frequent flyer number, have only 22% and 9% recall rates.

Bursztein and Caron strongly encourage Google users to make sure their Google account recovery information is current, which can be done using the company's Security Checkup feature.

"For years, we've only used security questions for account recovery as a last resort when SMS text or back-up email addresses don't work and we will never use these as stand-alone proof of account ownership," the post noted.


Google suggests that site owners should use other methods of authentication, such as backup codes sent through SMS text or secondary email addresses to authenticate their users and help them regain access to their accounts. These methods, it says, are safer and offer a better user experience.
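The guess-success figures quoted above (20% in one guess for favorite food, 6.9% and 14.6% within 10 tries for the other questions) are a property of how skewed the answer distribution is, and the site-owner advice boils down to not letting an attacker spend those tries online. The following added example, which is not from the article or from Google, makes both points concrete: it computes the "within k guesses" success rate and the min-entropy of a constructed answer sample (not Google's data), and it sketches an illustrative recovery check that stores a salted, stretched hash of the answer and locks after a few failures. Names such as `SAMPLE_ANSWERS` and `RecoveryQuestion` are this example's own.

```python
"""Guessability of security-question answers, and a capped recovery check.

Added example: SAMPLE_ANSWERS is a constructed sample, not Google's dataset,
and RecoveryQuestion is an illustrative design, not Google's implementation.
"""
import hashlib
import hmac
import math
import secrets
from collections import Counter

# Constructed sample of 100 answers to "What is your favorite food?":
# one answer dominates, a handful are common, the remaining 54 are unique.
SAMPLE_ANSWERS = (
    ["Pizza"] * 20 + ["pasta"] * 8 + ["sushi"] * 6 + ["tacos"] * 5
    + ["steak"] * 4 + ["curry"] * 3 + [f"dish{i}" for i in range(54)]
)


def normalize(answer: str) -> str:
    """Fold case and whitespace, as a recovery form does before comparing."""
    return " ".join(answer.strip().lower().split())


def guess_success_rate(answers, k: int) -> float:
    """Probability that an attacker who tries the k most common answers, in
    order, hits a randomly chosen user's answer (the 'within k tries' metric)."""
    counts = Counter(normalize(a) for a in answers)
    top_k = sum(c for _, c in counts.most_common(k))
    return top_k / sum(counts.values())


def min_entropy_bits(answers) -> float:
    """Min-entropy of the answer distribution: the bits of work one best guess
    has to overcome. A 20% most-common answer is only ~2.3 bits."""
    counts = Counter(normalize(a) for a in answers)
    p_max = max(counts.values()) / sum(counts.values())
    return -math.log2(p_max)


def random_answer(nbytes: int = 16) -> str:
    """What a password manager would store in place of a real answer:
    16 random bytes give 128 bits of entropy, unrelated to the user."""
    return secrets.token_urlsafe(nbytes)


class RecoveryQuestion:
    """Stores a salted PBKDF2 hash of the answer and caps failed attempts,
    so a '10 tries' budget is never available through the online form."""

    MAX_ATTEMPTS = 3

    def __init__(self, answer: str, salt=None):
        self.salt = salt or secrets.token_bytes(16)
        self.digest = self._hash(answer)
        self.failed = 0

    def _hash(self, answer: str) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", normalize(answer).encode(), self.salt, 100_000
        )

    @property
    def locked(self) -> bool:
        return self.failed >= self.MAX_ATTEMPTS

    def check(self, candidate: str) -> bool:
        """True only for the right answer on a question that is not locked."""
        if self.locked:
            return False
        ok = hmac.compare_digest(self.digest, self._hash(candidate))
        if not ok:
            self.failed += 1
        return ok


if __name__ == "__main__":
    for k in (1, 10):
        rate = guess_success_rate(SAMPLE_ANSWERS, k)
        print(f"success within {k} guess(es): {rate:.0%}")
    print(f"min-entropy of sample: {min_entropy_bits(SAMPLE_ANSWERS):.2f} bits")
    print(f"manager-generated answer: {random_answer()}")
    q = RecoveryQuestion("Pizza")
    for guess in ("pasta", "sushi", "tacos", "pizza"):
        print(f"{guess!r}: {q.check(guess)} locked={q.locked}")
```

On the constructed sample, the top answer alone succeeds 20% of the time and the top ten succeed 50% of the time, which is the shape of the study's numbers; the lockout in `check` means the fourth guess, even the correct one, is refused. The min-entropy figure is the honest comparison point against a manager-generated answer: 2.3 bits versus 128.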

Roughly a year after the discovery of the Heartbleed security bug, which affected more than 500,000 websites and dominated national news for weeks, a survey of 2,000 American adults indicated public awareness and knowledge about online privacy, security, and protection was still below the level at which it should be.


Nathan Eddy is a freelance writer for InformationWeek. He has written for Popular Mechanics, Sales & Marketing Management Magazine, FierceMarkets, and CRN, among others. In 2012 he made his first documentary film, The Absent Column. He currently lives in Berlin.

Comments
mak63
User Rank: Ninja
6/1/2015 | 6:44:12 PM
Re: The smarts with the user have to be
@yalanand
You beat me to it. If people invent any answer they want, how are they gonna remember it?
SunitaT0
User Rank: Ninja
5/31/2015 | 2:25:13 PM
Re: The smarts with the user have to be
@yalanand: Right you are. People wouldn't want to complicate things with complicated passwords. What we need is identity management. 
stevew928
User Rank: Ninja
5/29/2015 | 1:55:37 AM
Re: This can still work
Tell him... two words... password manager!
Broadway0474
User Rank: Ninja
5/28/2015 | 11:38:46 PM
Re: This can still work
This sounds like the plot to a science fiction movie or fantasy movie where a ghost or someone in the future tells a liaison some secret detail about another person --- something no one else would know but them --- in order to earn their trust. (Didn't that happen in the movie Ghost?) Anyway, there's got to be facts about a person that no one else would know but them ... it may take personalized questions with more than one-word responses, but it's gotta be possible.
vnewman2
User Rank: Ninja
5/28/2015 | 4:23:21 PM
Re: This can still work
I have a colleague who cannot remember his gmail password or the obscure answers to the security questions he created.  Lucky for him his ipad automatically logs him in so he can read his mail from there.  Otherwise he's locked out.  Gmail has told him he's basically out of luck.  This is what happens sometimes when you try to outsmart everyone - including yourself.  It's a very interesting dynamic.
tzubair
User Rank: Ninja
5/25/2015 | 5:41:19 PM
Re: This can still work
" However, if someone wants to get into YOUR stuff, this is about the most crazy protection method around, as most of the questions are stuff the attacker could easily figure out."

@stevew928: I agree. Most of the times the attackers are launching general targets because they often have no fixed information about which account is the most and the least secure in the network. However, once an individual system is compromised, essentially the whole network becomes vulnerable.
jastroff
User Rank: Ninja
5/25/2015 | 12:52:59 PM
Re: Worst ever... insecure BY DESIGN!
I never thought of using my pw manager for this purpose, but you do have a point

>> That said, you can actually make them pretty secure if you just ignore what they are and make up your own rules. Just pick one of the questions and have your *password manager* (You're using one of those, right?) fill in some random text as the answer.
Whoopty
User Rank: Ninja
5/25/2015 | 7:53:43 AM
Agreed
My bank actually uses one of the security questions mentioned in this piece. I keep waiting for them to put something more complicated in there but nope, still going strong years later. Fortunately I lie on mine with something nonsensical to make it a bit harder at least.
stevew928
User Rank: Ninja
5/23/2015 | 1:56:15 PM
Re: This can still work
That's why I said 'targeted' attack. Yes, most attempts to steal data are just looking for weak points, using automations, etc. ie: going after no-one in particular. However, if someone wants to get into YOUR stuff, this is about the most crazy protection method around, as most of the questions are stuff the attacker could easily figure out.
yalanand
User Rank: Ninja
5/23/2015 | 1:44:02 PM
Re: The smarts with the user have to be
@pabbott: well, it's pretty basic that most people use the correct answer because that is what they can remember. KingOfSouthAmerica is something you won't remember half the time.