Google: Your Password Security Questions Are Terrible - InformationWeek

5/22/2015
01:10 PM

You might want to think twice about using an easy-to-remember security question for your protected accounts, according to a Google study.


Despite the widespread popularity of security questions as an added layer of password-based security, a study by Google suggests secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism.

The findings suggest users' answers are either somewhat secure or easy to remember, but rarely both.

With a single guess, an attacker would have a nearly 20% chance of guessing English-speaking users' answers to the question, "What is your favorite food?" That turns out to be pizza, naturally.

(Image: D3Damon/iStockphoto)

"Secret questions have long been a staple of authentication and account recovery online," Elie Bursztein, Google's anti-abuse research lead, and Ilan Caron, a Google software engineer, wrote on the company's Online Security blog. "But, given these findings it's important for users and site owners to think twice about these."

In addition, 40% of Google's English-speaking US users couldn't recall their secret-question answers when they needed to.

These same users, meanwhile, could recall reset codes sent to them through SMS text messages more than 80% of the time and through email nearly 75% of the time.

A user's father's middle name and city of birth are among the most popular security questions on offer; an attacker allowed 10 tries would have a 6.9% and a 14.6% chance, respectively, of guessing the answers.

The problem is worldwide: the study found, for instance, that with ten guesses an attacker would have a 39% chance of guessing Korean-speaking users' answers to the question "What is your city of birth?" and a 43% chance of guessing their favorite food.

Attackers would also have a good chance of guessing the answers given by users in Arabic- and Spanish-speaking countries.
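To make the guess-rate figures above concrete, here is an added Python example (not code from the article or from Google's study) that computes the attacker's success rate within k guesses and the min-entropy of an answer distribution, and contrasts it with a randomly generated answer. The answer counts are constructed to have the shape the article describes (one answer held by 19.7% of users, then a long tail); they are not the study's data.

```python
"""Guessability of security-question answers, measured the way the article's
figures are: an attacker's chance of success within k guesses against a
population whose answers follow a skewed popularity distribution.

Added example for illustration; it is not code from the article or from
Google's study. The answer counts are CONSTRUCTED to have the shape the
article describes (one dominant answer plus a long tail), not the study's data.
"""
from collections import Counter
from math import log2
import secrets

# Constructed sample: 1,000 users' answers to "What is your favorite food?"
# Chosen so the single most common answer is held by 19.7% of users, as the
# article reports for "pizza"; every other count is made up.
CONSTRUCTED_FAVORITE_FOOD = Counter({
    "pizza": 197, "pasta": 40, "sushi": 30, "chicken": 25, "tacos": 22,
    "steak": 20, "burger": 18, "chocolate": 16, "ice cream": 14, "rice": 12,
})
# Long tail: the remaining 606 users each gave a distinct answer.
for _i in range(1000 - sum(CONSTRUCTED_FAVORITE_FOOD.values())):
    CONSTRUCTED_FAVORITE_FOOD[f"tail-answer-{_i}"] = 1


def success_within_k_guesses(answers: Counter, k: int) -> float:
    """Fraction of users an optimal attacker compromises by trying the k most
    common answers in order (the "within k tries" rate quoted in the article)."""
    total = sum(answers.values())
    if total == 0 or k <= 0:
        return 0.0
    return sum(count for _, count in answers.most_common(k)) / total


def min_entropy_bits(answers: Counter) -> float:
    """Min-entropy, -log2(p_max): the strength measure that matters for a
    single guess, since the attacker simply tries the most popular answer."""
    total = sum(answers.values())
    if total == 0:
        raise ValueError("empty answer distribution")
    return -log2(answers.most_common(1)[0][1] / total)


def random_answer(nbytes: int = 16) -> str:
    """Treat the 'answer' field as a second password: a random string, stored in
    a password manager rather than remembered. With nbytes of randomness the
    best attacker does no better than k / 2**(8*nbytes) within k guesses."""
    return secrets.token_urlsafe(nbytes)


def compare(answers: Counter, k: int = 10, nbytes: int = 16) -> dict:
    """Side-by-side numbers for a human-chosen distribution vs. a random answer."""
    return {
        "human_1_guess": success_within_k_guesses(answers, 1),
        f"human_{k}_guesses": success_within_k_guesses(answers, k),
        "human_min_entropy_bits": min_entropy_bits(answers),
        f"random_{k}_guesses": k / 2 ** (8 * nbytes),
        "random_min_entropy_bits": 8.0 * nbytes,
    }


if __name__ == "__main__":
    for key, value in compare(CONSTRUCTED_FAVORITE_FOOD).items():
        print(f"{key:>26}: {value:.4g}")
    print(f"example random answer: {random_answer()}")
```

On the constructed data a single guess of "pizza" succeeds against 19.7% of users and ten guesses against 39.4%, for a min-entropy of about 2.3 bits; a 16-byte random answer has 128 bits of min-entropy, which is why the commenters below treat the field as a second password rather than answering it honestly.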

(Image: Google)

The convenience of an easy-to-remember answer is exactly what dilutes the scheme's security, and harder-to-guess answers have found little traction among users.

The report noted that some of the potentially safest questions, such as a library card number or a frequent flyer number, have recall rates of only 22% and 9%, respectively.

Bursztein and Caron strongly encourage Google users to make sure their Google account recovery information is current, which can be done using the company's Security Checkup feature.

"For years, we've only used security questions for account recovery as a last resort when SMS text or back-up email addresses don't work and we will never use these as stand-alone proof of account ownership," the post noted.


Google suggests that site owners should use other methods of authentication, such as backup codes sent through SMS text or secondary email addresses to authenticate their users and help them regain access to their accounts. These methods, it says, are safer and offer a better user experience.

Roughly a year after the discovery of the Heartbleed bug, which affected more than 500,000 websites and dominated national news for weeks, a survey of 2,000 American adults indicated that public awareness and knowledge of online privacy, security, and protection remained lower than it should be.


Nathan Eddy is a freelance writer for InformationWeek. He has written for Popular Mechanics, Sales & Marketing Management Magazine, FierceMarkets, and CRN, among others. In 2012 he made his first documentary film, The Absent Column. He currently lives in Berlin.

Comments
yalanand
User Rank: Ninja
5/23/2015 | 1:41:53 PM
Re: This can still work
@moarsauce: your idea is pretty good, except for the fact that Google's question bank can easily be revealed. Suppose someone asked a basic question on Quora, "What are the types of questions Google asks in order to make something more secure?" You'll get a myriad of answers, and there you have it. Similarly, answers may be revealed as well. After that it's all a game of mix and match until the right question-and-answer pair is found.
yalanand
User Rank: Ninja
5/23/2015 | 1:34:34 PM
Re: This can still work
That can only happen if someone is close to you and knows the answers to your security questions, or some terrific hacker has targeted you to acquire your information (like which school you went to, etc.), which is pretty rare.
stevew928
User Rank: Ninja
5/23/2015 | 11:38:04 AM
Re: This can still work
Many of them don't allow people to make up their own question. But even still, if you're making up real questions with real answers, it leaves you vulnerable to a targeted attack.
stevew928
User Rank: Ninja
5/23/2015 | 11:35:20 AM
Re: The smarts with the user have to be
Exactly, using the correct answer is part of what makes it insecure. While this article is focused on guessing (which is bad enough), with a bit of research, the security could be lowered even farther for users who use this method *as intended*.
stevew928
User Rank: Ninja
5/23/2015 | 11:32:34 AM
Worst ever... insecure BY DESIGN!
This is one of the most idiotic account authentication methods devised... yet widely used. That said, you can actually make them pretty secure if you just ignore what they are and make up your own rules. Just pick one of the questions and have your *password manager* (You're using one of those, right?) fill in some random text as the answer. The annoying thing is you need to remember to copy this into your password manager, as otherwise you won't know the answer either. (So, copy both the question and random answer into your password manager for future reference.)
moarsauce123
User Rank: Ninja
5/23/2015 | 10:14:31 AM
This can still work
The key here is that the user needs to provide both the question and the answer. Yes, the user can still pick the question "What is my favorite food?" with the answer "Pizza". Hackers do not know if that question is asked and what the answer is. Of course, when requesting the additional information the user has to provide both the question and the answer.
pabbott782
User Rank: Apprentice
5/23/2015 | 9:11:24 AM
The smarts with the user have to be
Who said the answer has to be right? Does Google check whatever you enter to make sure you're being honest? Of course not. Favourite food? Elephant-ear-on-a-bun, obviously. Mother's maiden name? TheBolivianNavyOnTheHeadOfAPin. What brings success initially? WBSI? With care your question can contain the answer. But I never put in the "right" answer. Unless I do.
JustinK779
User Rank: Apprentice
5/22/2015 | 4:27:29 PM
MFA should be required at this point
Been saying it for years now: ever since as a society we started buying more cell phones than computers we have been in a prime position to require MFA authentication. There's absolutely NO reason not to do this now with a soft token or text request so accessing a webpage is a combination of what you know and what you have. Suddenly individual identity theft is basically stopped cold and the only exploits you have to worry about are those where they manage to fundamentally hack the hosting system.

Seriously: if you aren't using MFA on at least your primary e-mail address you are asking for it. Your e-mail is like the keys to the world (everyone lets you reset passwords using that).
TimC216
User Rank: Apprentice
5/22/2015 | 3:32:23 PM
Re: Balancing security and memory
My solution to security questions was to always answer them with answers that I would remember but that have nothing to do with the question...
Stratustician
User Rank: Ninja
5/22/2015 | 3:28:12 PM
Balancing security and memory
Sadly this is a great example of why even though online services try to make things secure by using a security question as a form of secondary authentication, it's never going to be safe enough.  And while I like the idea of using more random knowledge, such as a library card number or frequent flier mile number, anything that doesn't use alphanumeric answers will still find risks like current methods today.

Personally, I like when sites use a combination of "here's an image you designated" plus random text that you enter as a form of secondary authentication, but as bots get smarter, even those might see increased risks.

So is the solution to just overhaul the password methodology and look at new ways of authentication which will hopefully reduce the number of password resets that seem to increase at the same rate of the complexity requirements?