Google: Account Recovery Security Questions Not Very Secure

An analysis of millions of answers to security questions shows that many are predictable and easily guessable, says Google.

The security questions that many websites ask to help users gain or recover access to online accounts do little to improve security. In fact, they are neither reliable nor secure enough to be used as a standalone authentication mechanism for account recovery purposes, Google said in a new report.

Researchers at the company analyzed hundreds of millions of answers to secret questions that people have provided to Google over the years after forgetting their passwords or being asked to provide additional authentication to gain access to their accounts.

They then set out to see how easy or difficult it would be for malicious actors to guess those answers, and discovered that it is easier than many might assume.

With a single guess, an attacker would have a nearly 20 percent chance of correctly guessing that an average English-speaking user's answer to the security question "What is your favorite food?" is "pizza."

Within about 10 guesses, an attacker would have the correct answer to an Arabic-speaking user's first teacher's name, a 21 percent chance of guessing a Spanish-speaking user's father's middle name, a nearly four-in-10 chance of guessing a Korean user's city of birth, and a 43 percent chance of correctly guessing a Korean user's favorite food.

One problem, according to Google researchers Elie Bursztein and Ilan Caron, is that people often fib when choosing their responses to security questions. A survey of Internet users that Google conducted showed that about 37 percent admitted to providing fake answers to security questions, apparently in a bid to make them harder to guess, the two researchers wrote in the blog post announcing the results of their analysis.

Ironically, this behavior only makes such answers easier to guess, because people in aggregate tend to make their answers "harder" in the same predictable way, the researchers said. Many users, for instance, had identical answers even to questions that should have generated unique responses, such as "What's your frequent flier number?" That is because people who choose to provide a fake answer gravitate toward the same small set of fake answers, the Google researchers said.

“People intentionally provide false answers to their questions thinking this will make them harder to guess. However this ends up backfiring because people choose the same (false) answers, and actually increase the likelihood that an attacker can break in.”

At the same time, people who chose difficult secret questions had a hard time coming up with the correct response when they needed it. For example, secret questions like "What's your library card number?" or "What is your frequent flier number?" are generally very secure, but had recall rates of just 22 percent and 9 percent respectively, Google said. In contrast, easier questions, like those asking for a parent's middle name, had a much higher recall rate.

What the research showed, according to Bursztein and Caron, is that answers to security questions are either somewhat secure or easy to remember, but seldom both.

Asking users to answer more than one question can make it much harder for attackers to break into an account through guesswork, they noted, but it makes things harder for users as well. Most users, for example, have little problem remembering the city they were born in or their father's middle name. An attacker would have only a 6.9 percent chance and a 14.6 percent chance, respectively, of correctly guessing either in 10 tries, and an even slimmer 1 percent chance when confronted with both questions at the same time.

But users' ability to remember both answers correctly also drops, from an average of around 75 percent to about 59 percent. "Piling on more secret questions makes it more difficult for users to recover their accounts and is not a good solution, as a result," Bursztein and Caron said.
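The guessing and trade-off figures above can be reproduced for a site's own recovery data. The following is an added example, not code from the article or from Google's study: it measures how concentrated a population of answers is (the chance an attacker trying the k most common answers succeeds), and combines two questions under the independence assumption behind the article's 6.9 percent x 14.6 percent = roughly 1 percent figure. The SAMPLE_ANSWERS list is constructed for illustration.

```python
from collections import Counter
from typing import Iterable

# Constructed sample of answers to "What is your favorite food?" (not real data).
# One answer dominates, as the article describes for "pizza".
SAMPLE_ANSWERS = (
    ["pizza"] * 18 + ["Pizza", " PIZZA "]          # same answer, different spelling
    + ["pasta"] * 8 + ["sushi"] * 6 + ["tacos"] * 5
    + ["curry"] * 4 + ["steak"] * 3 + ["chocolate"] * 2
    + ["ramen", "paella", "falafel", "bibimbap", "pho", "gumbo",
       "risotto", "kimchi", "tamales", "lasagna", "dumplings", "cake"]
)


def normalize(answer: str) -> str:
    """Canonicalise an answer the way a lenient recovery check would
    (trim whitespace, case-fold) so variants of one answer count together.
    Assumption: the recovery check itself is this lenient."""
    return answer.strip().casefold()


def top_k_success(answers: Iterable[str], k: int) -> float:
    """Probability that an attacker who tries the k most common answers,
    most frequent first, matches a randomly chosen user's answer.
    This is the population-level version of the article's 'k guesses' figures."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    covered = sum(c for _, c in counts.most_common(k))
    return covered / total


def combined_success(p_first: float, p_second: float) -> float:
    """Attacker success when both answers must be guessed, assuming the two
    answers are independent (e.g. 0.069 * 0.146 for the article's two questions)."""
    return p_first * p_second


def two_questions(attack: tuple, recall: tuple) -> dict:
    """Security/usability trade-off of requiring both answers: the attacker must
    guess both (product of success rates) but the legitimate user must also
    recall both (product of recall rates)."""
    return {
        "attacker_success": combined_success(attack[0], attack[1]),
        "user_recall": recall[0] * recall[1],
    }


def audit(answers: Iterable[str], budgets=(1, 3, 10)) -> dict:
    """Guessing success for several attacker guess budgets, rounded for reporting."""
    answers = list(answers)
    return {k: round(top_k_success(answers, k), 3) for k in budgets}
```

A question whose top-1 or top-10 coverage is high should be retired or paired with an out-of-band factor, since the audit shows guess budgets of 10 already cover most of a skewed population.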

A more secure approach for website owners may be to use other authentication mechanisms, such as one-time codes sent via SMS or to a secondary email address, they said. "These are both safer, and offer a better user experience," the researchers said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

User Rank: Ninja
5/26/2015 | 2:46:52 PM
The Fault is in the Questioner not the Questioned
I agree that this represents a major security flaw. But the issue resides with the provider of the security questions. The questions cannot be generic, "What's your favorite food or color" because there is only a very small amount of choices that could be selected.

Something to the effect of what hospital were you born at, etc. is more difficult to predict but can be discerned through research. All in all, these types of security mechanisms are weak. "What we know" is weaker than "What we have", so why not transition entirely to separate device authentication? The security question is a prevalent mechanism that seems antiquated.
Joe Stanganelli,
User Rank: Ninja
5/22/2015 | 10:37:05 PM
Weak links in the chain
On the one hand, it can be tempting to think that the user who allows their password backdoor to be something as simple as identifying that their favorite food is pizza deserves what they get.

On the other hand, cumulatively speaking, each vulnerable user collectively makes everyone else vulnerable because it then makes the encrypted data -- should that ever become compromised -- easier to decrypt.

(Case in point: Adobe)
