Google: Your Password Security Questions Are Terrible - InformationWeek

5/22/2015
01:10 PM

You might want to think twice about using an easy-to-remember security question for your protected accounts, according to a Google study.


Despite the widespread popularity of security questions as an added layer of password-based security, a study by Google suggests secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism.

The findings suggest users' answers are either somewhat secure or easy to remember, but rarely both.

With a single guess, an attacker would have a nearly 20% chance of guessing English-speaking users' answers to the question, "What is your favorite food?" That turns out to be pizza, naturally.

(Image: D3Damon/iStockphoto)

"Secret questions have long been a staple of authentication and account recovery online," Elie Bursztein, Google's anti-abuse research lead, and Ilan Caron, a Google software engineer, wrote on the company's Online Security blog. "But, given these findings it's important for users and site owners to think twice about these."

In addition, 40% of Google's English-speaking US users couldn't recall their secret-question answers when they needed to.

These same users, meanwhile, could recall reset codes sent to them through SMS text messages more than 80% of the time and through email nearly 75% of the time.

A user's father's middle name and the city where the user was born are among the most popular security questions on offer; attackers would have a 6.9% and a 14.6% chance, respectively, of guessing those answers correctly within 10 tries.

The problem is a worldwide issue: The study found, for instance, an attacker would have a 39% chance of guessing Korean-speaking users' answers to the question, "What is your city of birth?" and a 43% chance of guessing their favorite food.

Hackers would also have a pretty good chance at figuring out answers in Arabic- and Spanish-speaking countries.
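As an added example (not from the article or from Google's study), the following Python code measures the metric the study reports: the share of users whose answer an attacker recovers by trying the k most common answers in order, which is simply the cumulative frequency of the top-k answers. It also shows the enrolment-time check a site owner could run over the same data, refusing any answer that too large a share of existing users already gave, much as password blocklists refuse common passwords. The answer distribution, the share threshold, and the function names are all constructed for illustration.

```python
from collections import Counter
from typing import Iterable

# Constructed sample (not Google's data): 100 users' answers to
# "What is your favorite food?", with a heavy head and a long tail of
# one-off answers, the shape the study describes.
SAMPLE_ANSWERS = (
    ["Pizza"] * 20 + ["pasta"] * 10 + ["sushi"] * 6 + ["tacos"] * 5
    + ["curry"] * 4 + ["steak"] * 3 + ["ramen"] * 2
    + ["bibimbap", "paella", "falafel", "pho", "goulash", "kimchi", "borscht",
       "pierogi", "ceviche", "moussaka", "jollof", "poutine", "haggis",
       "gumbo", "laksa", "tagine", "empanada", "baklava", "injera",
       "kebab", "tamale", "dumpling", "risotto", "chowder", "biryani",
       "schnitzel", "souvlaki", "tiramisu", "bruschetta", "gazpacho",
       "arepa", "cassoulet", "croissant", "dosa", "enchilada", "fajita",
       "gnocchi", "hummus", "lasagna", "nachos", "okonomiyaki", "quesadilla",
       "samosa", "tempura", "udon", "wonton", "yakitori", "ziti",
       "churro", "mochi"]
)


def normalize(answer: str) -> str:
    """Recovery flows usually compare answers case- and whitespace-
    insensitively, so 'Pizza' and ' pizza ' are the same answer; measure
    guessability on the same basis the comparison uses."""
    return " ".join(answer.strip().lower().split())


def guess_success_rate(answers: Iterable[str], guesses: int) -> float:
    """Probability that an attacker who tries the `guesses` most common
    answers, in order, matches a randomly chosen user's answer.
    This is the 'chance of guessing within k tries' figure the study
    reports: the cumulative frequency of the top-k answers."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    top_k = counts.most_common(guesses)
    return sum(count for _, count in top_k) / total


def common_answers(answers: Iterable[str], max_share: float) -> set[str]:
    """Answers that alone account for more than `max_share` of all users.
    Each one is a single guess that unlocks that share of accounts."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    if total == 0:
        return set()
    return {a for a, c in counts.items() if c / total > max_share}


def is_acceptable_answer(answer: str, existing_answers: Iterable[str],
                         max_share: float = 0.01) -> bool:
    """Enrolment check (hypothetical policy, not Google's): reject a new
    answer if it is already among the answers that more than `max_share`
    of users gave, so the head of the distribution stops growing."""
    return normalize(answer) not in common_answers(existing_answers, max_share)


if __name__ == "__main__":
    for k in (1, 3, 10):
        rate = guess_success_rate(SAMPLE_ANSWERS, k)
        print(f"attacker success within {k:2d} guess(es): {rate:.0%}")
    print("accept 'Pizza'?", is_acceptable_answer("Pizza", SAMPLE_ANSWERS))
    print("accept 'natto'?", is_acceptable_answer("natto", SAMPLE_ANSWERS))
```

The k-guess rate is what makes the study's numbers comparable across questions and languages: a question whose top answer covers 20% of users is already lost to a single guess, whatever the lockout policy. The enrolment check reflects the trade-off the article describes: answers rare enough to pass it are the ones users tend to forget, which is why the study concludes that SMS or email codes should carry recovery and secret questions should not stand alone.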

(Image: Google)

The convenience of an easy-to-remember answer dilutes the effectiveness of the concept and has found little traction among users.

The report noted that some of the potentially safest questions, such as inputting a library card number or a frequent flyer number, have only 22% and 9% recall rates.

Bursztein and Caron strongly encourage Google users to make sure their Google account recovery information is current, which can be done using the company's Security Checkup feature.

"For years, we've only used security questions for account recovery as a last resort when SMS text or back-up email addresses don't work and we will never use these as stand-alone proof of account ownership," the post noted.


Google suggests that site owners should use other methods of authentication, such as backup codes sent through SMS text or secondary email addresses to authenticate their users and help them regain access to their accounts. These methods, it says, are safer and offer a better user experience.

Roughly a year after the discovery of the Heartbleed security bug, which affected more than 500,000 websites and dominated national news for weeks, a survey of 2,000 American adults indicated public awareness and knowledge about online privacy, security, and protection was still below the level at which it should be.


Nathan Eddy is a freelance writer for InformationWeek. He has written for Popular Mechanics, Sales & Marketing Management Magazine, FierceMarkets, and CRN, among others. In 2012 he made his first documentary film, The Absent Column. He currently lives in Berlin.

Comments
Stratustician,
User Rank: Ninja
5/22/2015 | 3:28:12 PM
Balancing security and memory
Sadly this is a great example of why even though online services try to make things secure by using a security question as a form of secondary authentication, it's never going to be safe enough.  And while I like the idea of using more random knowledge, such as a library card number or frequent flier mile number, anything that doesn't use alphanumeric answers will still find risks like current methods today.

Personally, I like when sites use a combination of "here's an image you designated" plus random text that you enter as a form of secondary authentication, but as bots get smarter, even those might see increased risks.

So is the solution to just overhaul the password methodology and look at new ways of authentication which will hopefully reduce the number of password resets that seem to increase at the same rate of the complexity requirements?
TimC216,
User Rank: Apprentice
5/22/2015 | 3:32:23 PM
Re: Balancing security and memory
My solution to security questions was to always answer them with answers that I would remember but that have nothing to do with the question...
JustinK779,
User Rank: Apprentice
5/22/2015 | 4:27:29 PM
MFA should be required at this point
Been saying it for years now:  ever since as a society we started buying more cell-phones than computers we have been in a prime position to require MFA authentication.  There's absolutely NO reason not to do this now with a soft token or text request so accessing a webpage is a combination of what you know and what you have.  Suddenly individual identity theft is basically stopped cold and the only exploits you have to worry about are those where they manage to fundamentally hack the hosting system.

Seriously:  if you aren't using MFA on at least your primary e-mail address you are asking for it.  Your e-mail is like the keys to the world (everyone lets you reset passwords using that).
pabbott782,
User Rank: Apprentice
5/23/2015 | 9:11:24 AM
The smarts with the user have to be
Who said the answer has to be right? Does Google check whatever you enter to make sure you're being honest? Of course not. Favourite food? Elephant-ear-on-a-bun, obviously. Mother's maiden name? TheBolivianNavyOnTheHeadOfAPin. What brings success initially? WBSI? With care your question can contain the answer. But I never put in the "right" answer. Unless I do.
stevew928,
User Rank: Ninja
5/23/2015 | 11:35:20 AM
Re: The smarts with the user have to be
Exactly, using the correct answer is part of what makes it insecure. While this article is focused on guessing (which is bad enough), with a bit of research, the security could be lowered even farther for users who use this method *as intended*.
yalanand,
User Rank: Ninja
5/23/2015 | 1:44:02 PM
Re: The smarts with the user have to be
@pabbott: well it's pretty basic that most people use the correct answer because that is what they can remember. KingOfSouthAmerica is something you won't remember half the time.
SunitaT0,
User Rank: Ninja
5/31/2015 | 2:25:13 PM
Re: The smarts with the user have to be
@yalanand: Right you are. People wouldn't want to complicate things with complicated passwords. What we need is identity management. 
mak63,
User Rank: Ninja
6/1/2015 | 6:44:12 PM
Re: The smarts with the user have to be
@yalanand
You beat me to it. If people invent any answer they want, how are they gonna remember it?
moarsauce123,
User Rank: Ninja
5/23/2015 | 10:14:31 AM
This can still work
The key here is that the user needs to provide both the question and the answer. Yes, the user can still pick the question "What is my favorite food?" with the answer "Pizza". Hackers do not know if that question is asked and what the answer is. Of course, when requesting the additional information the user has to provide both the question and the answer.
stevew928,
User Rank: Ninja
5/23/2015 | 11:38:04 AM
Re: This can still work
Many of them don't allow people to make up their own question. But even still, if you're making up real questions with real answers, it leaves you vulnerable to a targeted attack.
yalanand,
User Rank: Ninja
5/23/2015 | 1:34:34 PM
Re: This can still work
That can only happen if someone is close to you and knows the answer to your security questions or some terrific hacker who has targeted you to acquire your information (like which school you went to etc.) which is pretty rare.
stevew928,
User Rank: Ninja
5/23/2015 | 1:56:15 PM
Re: This can still work
That's why I said 'targeted' attack. Yes, most attempts to steal data are just looking for weak points, using automations, etc., i.e. going after no-one in particular. However, if someone wants to get into YOUR stuff, this is about the most crazy protection method around, as most of the questions are stuff the attacker could easily figure out.
tzubair,
User Rank: Ninja
5/25/2015 | 5:41:19 PM
Re: This can still work
" However, if someone wants to get into YOUR stuff, this is about the most crazy protection method around, as most of the questions are stuff the attacker could easily figure out."

@stevew928: I agree. Most of the times the attackers are launching general targets because they often have no fixed information about which account is the most and the least secure in the network. However, once an individual system is compromised, essentially the whole network becomes vulnerable.
vnewman2,
User Rank: Ninja
5/28/2015 | 4:23:21 PM
Re: This can still work
I have a colleague who cannot remember his gmail password or the obscure answers to the security questions he created.  Lucky for him his ipad automatically logs him in so he can read his mail from there.  Otherwise he's locked out.  Gmail has told him he's basically out of luck.  This is what happens sometimes when you try to outsmart everyone - including yourself.  It's a very interesting dynamic.
stevew928,
User Rank: Ninja
5/29/2015 | 1:55:37 AM
Re: This can still work
Tell him... two words... password manager!
Broadway0474,
User Rank: Ninja
5/28/2015 | 11:38:46 PM
Re: This can still work
This sounds like the plot to a science fiction movie or fantasy movie where a ghost or someone in the future tells a liaison some secret detail about another person --- something no one else would know but them --- in order to earn their trust. (Didn't that happen in the movie Ghost?) Anyway, there's got to be facts about a person that no one else would know but them ... it may take personalized questions with more than one-word responses, but it's gotta be possible.
yalanand,
User Rank: Ninja
5/23/2015 | 1:41:53 PM
Re: This can still work
@moarsauce: your idea is pretty good, except for the fact that Google's question bank can easily be revealed; suppose someone asked a basic question on Quora, "What are the type of questions Google ask in order to make something more secure?" and you'll get a myriad of answers and there you have it. Similarly answers may be revealed as well. After that it's all a game of mix and match until the right couple of question and answer is found.
stevew928,
User Rank: Ninja
5/23/2015 | 11:32:34 AM
Worst ever... insecure BY DESIGN!
This is one of the most idiotic account authentication methods devised... yet widely used. That said, you can actually make them pretty secure if you just ignore what they are and make up your own rules. Just pick one of the questions and have your *password manager* (You're using one of those, right?) fill in some random text as the answer. The annoying thing is you need to remember to copy this into your password manager, as otherwise you won't know the answer either. (So, copy both the question and random answer into your password manager for future reference.)
jastroff,
User Rank: Ninja
5/25/2015 | 12:52:59 PM
Re: Worst ever... insecure BY DESIGN!
I never thought of using my pw manager for this purpose, but you do have a point

>> That said, you can actually make them pretty secure if you just ignore what they are and make up your own rules. Just pick one of the questions and have your *password manager* (You're using one of those, right?) fill in some random text as the answer.
Whoopty,
User Rank: Ninja
5/25/2015 | 7:53:43 AM
Agreed
My bank actually uses one of the security questions mentioned in this piece. I keep waiting for them to put something more complicated in there but nope, still going strong years later. Fortunately I lie on mine with something nonsensical to make it a bit harder at least.