Google: Account Recovery Security Questions Not Very Secure

An analysis of millions of answers to security questions shows that many are predictable and easily guessable, says Google.

The security questions that many websites ask to help users gain or recover access to online accounts do little to improve security. In fact, they are neither reliable nor secure enough to be used as a standalone authentication mechanism for account recovery purposes, Google said in a new report.

Researchers at the company analyzed hundreds of millions of answers to secret questions that people have provided to Google over the years after forgetting their passwords or being asked to provide additional authentication to gain access to their accounts.

They then set out to see how easy or difficult it would be for malicious actors to try and guess those answers and discovered that it is easier than many might assume.

With a single guess, an attacker would have a nearly 20 percent chance of accurately guessing that an average English-speaking user’s answer to the security question “What is your favorite food” would be "pizza."

In about 10 guesses, they’d have the correct answer to an Arabic-speaking user’s first teacher’s name, a 21 percent chance of guessing a Spanish-speaking user’s father’s middle name, a nearly four in 10 chance of guessing a Korean user’s city of birth and a 43 percent chance of correctly guessing their favorite food.

One problem, according to Google researchers Elie Bursztein and Ilan Caron, is that people often tend to fib when choosing their responses to security questions. A survey of Internet users that Google conducted showed that about 37 percent admitted to providing fake answers to security questions, apparently in a bid to make them harder to guess, the two researchers wrote in their blog post announcing the results of their analysis.

Ironically, this behavior only has the effect of making such answers easier to guess, because people in aggregate tend to make their answers "harder" in a predictable way, the researchers said. Many users, for instance, had identical answers even to questions that should have generated unique responses, like "what's your frequent flier number." That's because in choosing to provide a fake answer, people tend to gravitate towards a predictable set of answers, the Google researchers said.

“People intentionally provide false answers to their questions thinking this will make them harder to guess. However this ends up backfiring because people choose the same (false) answers, and actually increase the likelihood that an attacker can break in.”

At the same time, people who chose difficult secret questions had a hard time coming up with the correct response when they needed it. For example, secret questions like ‘what’s your library card number’ or ‘what is your frequent flier number’ are generally very secure but had recall rates of just 22 percent and 9 percent, Google said. In contrast, easier questions like those pertaining to a parent’s middle name had a much higher success rate.

What the research showed, according to Bursztein and Caron, is that answers to security questions are either somewhat secure or easy to remember, but seldom both.

Asking users to respond to more than one question can make it much harder for attackers to break into an account through guesswork, they noted. But it makes things difficult for users as well. Most users for example have little problem remembering the city they were born in or their father’s middle name. An attacker would only have a 6.9 percent chance and a 14.6 percent chance of correctly guessing either in 10 tries and an even slimmer 1 percent chance when confronted with both questions at the same time.

But users' ability to remember both answers correctly also drops, from an average of around 75 percent to about 59 percent. "Piling on more secret questions makes it more difficult for users to recover their accounts and is not a good solution, as a result," Bursztein and Caron said.
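The two figures the article leans on, an attacker's success rate after a fixed number of guesses and the recall rate users achieve, are simple to compute from an answer sample, and a site operator can use them to decide whether a question is worth offering at all. The following Python is an added illustration of that measurement, not code from Google or from the article; the answer lists are constructed sample data, the recall rates passed in and the usable/not-usable thresholds are assumptions, and the multiplication rule for two questions is an independence assumption that reproduces the article's roughly 1 percent figure (0.069 x 0.146) but need not match how real answers or real recall correlate.

```python
"""Estimate how guess-resistant a security question is from an answer sample.

Added illustration of the statistics discussed in the article: attacker success
after k guesses, min-entropy of the answer distribution, and the effect of
requiring two questions. The answer lists are constructed sample data, not
Google's dataset; thresholds and recall rates are illustrative assumptions.
"""
from collections import Counter
from math import log2


def normalize(answer: str) -> str:
    """Fold case and whitespace so 'Pizza ' and 'pizza' count as one answer."""
    return " ".join(answer.lower().split())


def guess_success_rate(answers, guesses: int) -> float:
    """Fraction of users an attacker breaks with the `guesses` most common answers.

    This is the population-level statistic the article reports (for example the
    roughly 20 percent one-guess success for "pizza"): the adversary tries the
    most popular answers first, so coverage is the mass of the top-k answers.
    """
    counts = Counter(normalize(a) for a in answers)
    covered = sum(n for _, n in counts.most_common(guesses))
    return covered / len(answers)


def min_entropy_bits(answers) -> float:
    """Min-entropy of the answer distribution: -log2(probability of the best guess)."""
    counts = Counter(normalize(a) for a in answers)
    return -log2(counts.most_common(1)[0][1] / len(answers))


def combined_rate(rate_a: float, rate_b: float) -> float:
    """Probability that both events happen, assuming they are independent.

    Applied to attacker success this reproduces the article's two-question
    arithmetic (0.069 * 0.146 is about 0.01); applied to recall it shows why
    stacking questions also lowers the chance a legitimate user gets back in.
    """
    return rate_a * rate_b


def evaluate_question(name, answers, recall_rate, max_guess_rate=0.10, min_recall=0.50):
    """Report a question as usable only if it is hard to guess in 10 tries and
    remembered often enough. Both thresholds are assumptions for illustration."""
    top10 = guess_success_rate(answers, 10)
    return {
        "question": name,
        "top1_guess_rate": guess_success_rate(answers, 1),
        "top10_guess_rate": top10,
        "min_entropy_bits": min_entropy_bits(answers),
        "recall_rate": recall_rate,
        "usable": top10 <= max_guess_rate and recall_rate >= min_recall,
    }


# Constructed samples, skewed the way the article describes: "favorite food"
# has one dominant answer (100 users), "father's middle name" is much flatter
# (200 users). Neither list is real data.
FAVORITE_FOOD = (["Pizza"] * 20 + ["pasta"] * 8 + ["sushi"] * 6 + ["tacos"] * 5
                 + ["chicken"] * 4 + ["steak"] * 3 + ["curry"] * 3 + ["salad"] * 2
                 + [f"dish{i}" for i in range(49)])
FATHER_MIDDLE_NAME = (["James"] * 5 + ["Lee"] * 4 + ["John"] * 3
                      + [f"name{i}" for i in range(188)])

if __name__ == "__main__":
    # Recall rates here are assumed values, not the article's measurements.
    for report in (evaluate_question("favorite food", FAVORITE_FOOD, recall_rate=0.80),
                   evaluate_question("father's middle name", FATHER_MIDDLE_NAME, recall_rate=0.75)):
        print(report)
    print("two-question attacker success (10 guesses each):", combined_rate(0.069, 0.146))
    print("two-question recall under the independence model:", combined_rate(0.75, 0.80))
```

On the constructed data the favorite-food question fails because ten guesses cover more than half the users, while the middle-name question passes the guessability bar and is only usable when the assumed recall rate is high enough; that is the "secure or memorable, seldom both" trade-off in numbers. The same functions can be run over a site's own (normalized) answer corpus to decide which questions to retire.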

A more secure approach for website owners may be to use other authentication mechanisms, such as one-time codes sent via SMS or to secondary email addresses, they said. "These are both safer, and offer a better user experience," the researchers said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

User Rank: Ninja
5/26/2015 | 2:46:52 PM
The Fault is in the Questioner not the Questioned
I agree that this represents a major security flaw. But the issue resides with the provider of the security questions. The questions cannot be generic, "What's your favorite food or color" because there is only a very small amount of choices that could be selected.

Something to the effect of what hospital were you born at, etc. is more difficult to predict but can be discerned through research. All in all, these types of security mechanisms are weak. "What we know" is weaker than "What we have", so why not transition entirely to separate device authentication? The security question is a prevalent mechanism that seems antiquated.
Joe Stanganelli
User Rank: Ninja
5/22/2015 | 10:37:05 PM
Weak links in the chain
On the one hand, it can be tempting to think that the user who allows their password backdoor to be something as simple as identifying that their favorite food is pizza deserves what they get.

On the other hand, cumulatively speaking, each vulnerable user collectively makes everyone else vulnerable because it then makes the encrypted data -- should that ever become compromised -- easier to decrypt.

(Case in point: Adobe)