Google Warns Password Security Questions Aren't That Secure

Having analyzed hundreds of thousands of security questions and answers, Google has revealed just how easy it is for a hacker to break into an account.

As it turns out, asking "what is your favorite food?" isn't so safe after all — 19.7 percent of English speakers respond, "pizza."

"Our findings, summarized in a paper that we recently presented at WWW 2015, led us to conclude that secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism," Google said in a blog post. "That's because they suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember — but rarely both."

There are a number of reasons why "pizza" is a bad answer. Not only is it a common answer, but according to Google's study, people often forget what their favorite food is. The rate at which users get that question right is only 74 percent after a month, 53 percent after three months and 47 percent after a year.

Using names as answers isn't much better. Given 10 guesses, there is a 24 percent chance that a hacker could guess the name of an Arabic-speaker's first teacher. A hacker would have a 21 percent chance of guessing the middle name of a Spanish-speaker's father.

The problem is especially apparent when users make up answers to security questions rather than answering honestly. Only 4.2 percent of English speakers reportedly have the "same" frequent flyer number and just 0.4 percent have the same phone number.

In total, around 40 percent of English speakers were unable to remember the answers to any of their security questions. Those who used the question about their frequent flyer number could only remember the answer 9 percent of the time — which largely defeats the purpose of even using a security question.

Google said the solution for better account security is not adding more security questions, but rather using different methods of security — such as adding a phone number or email address for account recovery.

"We strongly encourage Google users to make sure their Google account recovery information is current," the blog post read. "You can do this quickly and easily with our Security Checkup. For years, we've only used security questions for account recovery as a last resort when SMS text or back-up email addresses don't work and we will never use these as stand-alone proof of account ownership."

As time goes on, it's likely that more security methods such as biometrics will be used, making data access both easier and safer.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.