Google: Account Recovery Security Questions Not Very Secure

An analysis of hundreds of millions of answers to security questions shows that many are predictable and easily guessable, Google says.

The security questions that many websites ask to help users gain or recover access to online accounts do little to improve security. In fact, they are neither reliable nor secure enough to be used as a standalone authentication mechanism for account recovery purposes, Google said in a new report.

Researchers at the company analyzed hundreds of millions of answers to secret questions that people have provided to Google over the years after forgetting their passwords or being asked to provide additional authentication to gain access to their accounts.

They then set out to see how easy or difficult it would be for malicious actors to guess those answers, and discovered that it is easier than many would assume.

With a single guess, an attacker would have a nearly 20 percent chance of correctly guessing that an average English-speaking user's answer to the question "What is your favorite food?" is "pizza."

In about 10 guesses, they’d have the correct answer to an Arabic-speaking user’s first teacher’s name, a 21 percent chance of guessing a Spanish-speaking user’s father’s middle name, a nearly four in 10 chance of guessing a Korean user’s city of birth and a 43 percent chance of correctly guessing their favorite food.

One problem, according to Google researchers Elie Bursztein and Ilan Caron, is that people often fib when choosing their responses to security questions. A survey of Internet users that Google conducted showed that about 37 percent admitted to providing fake answers to security questions, apparently in a bid to make them harder to guess, the two researchers wrote in the blog post announcing the results of their analysis.

Ironically, this behavior only makes such answers easier to guess, because people in aggregate tend to make their answers "harder" in a predictable way, the researchers said. Many users, for instance, had identical answers even to questions that should have generated unique responses, like "what's your frequent flier number." That is because, in choosing to provide a fake answer, people gravitate towards the same small set of fake answers, the Google researchers said.

“People intentionally provide false answers to their questions thinking this will make them harder to guess. However this ends up backfiring because people choose the same (false) answers, and actually increase the likelihood that an attacker can break in.”

At the same time, people who chose difficult secret questions had a hard time coming up with the correct response when they needed it. For example, secret questions like ‘what’s your library card number’ or ‘what is your frequent flier number’ are generally very secure but had recall rates of just 22 percent and 9 percent, Google said. In contrast, easier questions like those pertaining to a parent’s middle name had a much higher success rate.

What the research showed, according to Bursztein and Caron, is that answers to security questions are either somewhat secure or easy to remember, but seldom both.

Asking users to respond to more than one question can make it much harder for attackers to break into an account through guesswork, they noted. But it makes things difficult for users as well. Most users, for example, have little problem remembering the city they were born in or their father's middle name. Within 10 tries, an attacker has only a 6.9 percent chance of guessing the city of birth and a 14.6 percent chance of guessing the father's middle name; when both questions must be answered, the two rates multiply and the attacker's chance drops to about 1 percent.

But users' ability to remember the answers also drops, from an average of around 75 percent for a single question to about 59 percent for both. "Piling on more secret questions makes it more difficult for users to recover their accounts and is not a good solution, as a result," Bursztein and Caron said.
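The arithmetic behind the figures above, as an added Python illustration that is not code from Google's study or from this article: given a table of how often each answer to a question occurs, it computes an attacker's chance of success within k guesses, the combined chance for two questions (assuming the answers are independent, which is how the 6.9 percent and 14.6 percent figures yield about 1 percent), the share of users who recall both answers, and what happens to guessability when a fraction of users substitutes fake answers drawn from a small common set. Every frequency table in it is constructed for the example; the real population frequencies are Google's and are not reproduced here.

```python
"""Added example (not from Google's study or Dark Reading): score how
guessable a security question is from the frequency of its answers.

Every distribution here is constructed for illustration only.
"""

# Answers an attacker cannot enumerate (the long tail of unique answers)
# are lumped into this bucket and never count as a successful guess.
TAIL = "<long tail>"

# Constructed: share of users giving each answer to "favorite food".
FAVORITE_FOOD = {"pizza": 0.20, "pasta": 0.06, "sushi": 0.05,
                 "tacos": 0.04, "steak": 0.03, TAIL: 0.62}

# Constructed: share of users giving each answer to "father's middle name".
FATHER_MIDDLE_NAME = {"james": 0.05, "lee": 0.04, "john": 0.03,
                      "michael": 0.02, "david": 0.02, TAIL: 0.84}

# Constructed: what users who deliberately lie tend to type instead.
FAKE_ANSWERS = {"none": 0.30, "asdf": 0.25, "123456": 0.25, "password": 0.20}


def guessable(dist):
    """Attacker's guess list: answers ordered by popularity, tail excluded."""
    return sorted(((a, p) for a, p in dist.items() if a != TAIL),
                  key=lambda ap: ap[1], reverse=True)


def top_k_success(dist, k):
    """Probability an attacker breaks a single question within k guesses:
    the total mass of the k most popular guessable answers."""
    return sum(p for _, p in guessable(dist)[:k])


def both_questions_success(dist_a, dist_b, k):
    """Attacker gets k guesses per question and must answer both.
    Assuming the two answers are independent, this is the product of
    the per-question success rates."""
    return top_k_success(dist_a, k) * top_k_success(dist_b, k)


def with_fake_answers(dist, fake_fraction, fake_dist=FAKE_ANSWERS):
    """Mix in users who lie: a fake_fraction of users answer from
    fake_dist instead of with the truth. Tail mass shrinks and the popular
    fake answers gain mass, so the question can become easier to guess."""
    mixed = {a: p * (1 - fake_fraction) for a, p in dist.items()}
    for a, p in fake_dist.items():
        mixed[a] = mixed.get(a, 0.0) + p * fake_fraction
    return mixed


def recall_both(recall_a, recall_b):
    """Share of legitimate users who remember both answers
    (independence between the two recall events is assumed)."""
    return recall_a * recall_b


if __name__ == "__main__":
    print(f"favorite food, 1 guess:        {top_k_success(FAVORITE_FOOD, 1):.1%}")
    print(f"father's middle, 10 guesses:   {top_k_success(FATHER_MIDDLE_NAME, 10):.1%}")
    both = both_questions_success(FAVORITE_FOOD, FATHER_MIDDLE_NAME, 10)
    print(f"both questions, 10 each:       {both:.2%}")
    lied = with_fake_answers(FATHER_MIDDLE_NAME, 0.37)
    print(f"middle name, 37% lie, 1 guess: {top_k_success(lied, 1):.1%}")
    print(f"users recalling both answers:  {recall_both(0.75, 0.78):.1%}")
```

With the constructed tables, one guess at "favorite food" succeeds 20 percent of the time, 10 guesses at the middle name succeed 16 percent of the time, and requiring both drops the attacker to about 6 percent. Once 37 percent of users lie and cluster on the same handful of fake strings, the single best guess at the middle name ("none") succeeds 11 percent of the time, more than double the 5 percent it had before, which is the backfiring effect the researchers describe.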

A more secure approach for website owners may be to use other authentication mechanisms, such as one-time codes sent via SMS or to a secondary email address, they said. "These are both safer, and offer a better user experience," the researchers said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

5/26/2015 | 2:46:52 PM
The Fault is in the Questioner not the Questioned
I agree that this represents a major security flaw. But the issue resides with the provider of the security questions. The questions cannot be generic, "What's your favorite food or color" because there is only a very small amount of choices that could be selected.

Something to the effect of what hospital you were born at, etc., is more difficult to predict but can be discerned through research. All in all, these types of security mechanisms are weak. "What we know" is weaker than "What we have", so why not transition entirely to separate device authentication? The security question is a prevalent mechanism that seems antiquated.
Joe Stanganelli
5/22/2015 | 10:37:05 PM
Weak links in the chain
On the one hand, it can be tempting to think that the user who allows their password backdoor to be something as simple as identifying that their favorite food is pizza deserves what they get.

On the other hand, cumulatively speaking, each vulnerable user collectively makes everyone else vulnerable because it then makes the encrypted data -- should that ever become compromised -- easier to decrypt.

(Case in point: Adobe)
