AfterDawn: Tech news

Google: Why 'Security Questions' suck for security

Written by James Delahunty @ 22 May 2015 0:36

After some really interesting research results, Google is raising awareness about how unreliable "Security Questions" are for legitimate login authentication, password recovery and more.

Providers of Internet services have long asked their users to provide answers to questions about themselves which may be used for identity verification later. Typically, these questions are asked if a login is suspicious (unfamiliar location etc.) or as a layer of a password recovery process.

It turns out that this is an extremely unreliable layer of security. Hundreds of millions of secret question and answer combinations were analysed by Google, with the goal of (among other things) determining how likely it would have been for an attacker to guess the answers correctly.

One thing Google noted in its research is that answers tend to either be fairly secure while difficult to remember, or easy to remember while being insecure. There isn't much middle ground.

Easy and Insecure vs. Difficult and Secure

Sometimes answers can be guessed very easily. For example, Google found that an attacker had a 19.7 percent chance of answering "What is your favorite food?" correctly if the account holder speaks English. The answer? Pizza!

It also found that in some regions a few last names are very common, so a "mother's maiden name" could be guessed correctly. Then of course, you have to remember that some information can be found rather easily if the target has a social media account, such as a pet's name, a city of birth, and so on (assuming the attacker knows the victim's identity well enough).

When it comes to difficult questions, the success rate is simply abysmal. For example, only 22 percent could remember their library card number, and 9 percent could remember their frequent flyer number, when prompted to do so.

The highest success rate came for the questions, "What city were you born in?" and, "What is your father's middle name?", with 79 percent and 74 percent answering correctly, respectively.

What Google recommends to services and users

Firstly, can the "Security Questions" layer be made more secure by simply adding more questions? The answer is no, because the more questions you add, the less likely an account owner will be able to answer them all correctly. For this reason, Google only ever asks one question, and it's the last resort when it has exhausted other means of verification.

Even for questions with a high success rate, there is a significant drop when they are asked together. If users are asked both their city of birth and their father's middle name, only 59 percent will manage to recall both.
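The two measurements the research contrasts can be reproduced on a service's own data. The script below is an added illustration, not code from the article or from Google's paper: it computes how often an attacker who knows only the population's most common answers would succeed, and how often a legitimate user recalls every answer when questions are combined, using a constructed answer sample and the article's 79 and 74 percent recall rates (whose product, under an independence assumption, lands close to the 59 percent the article reports).

```python
from collections import Counter
from math import prod

# Constructed sample of answers to "What is your favorite food?" for an
# English-speaking population: a few very common answers plus a long tail.
# These counts are made up for the example; they are not Google's data.
FAVORITE_FOOD = (
    ["pizza"] * 10 + ["pasta"] * 6 + ["sushi"] * 5 + ["tacos"] * 4
    + ["steak"] * 3 + ["curry"] * 3 + ["salad"] * 2 + ["ramen"] * 2
    + [f"rare-dish-{i}" for i in range(15)]  # 15 answers given only once
)

# Recall rates quoted in the article for the two best-performing questions.
RECALL_CITY_OF_BIRTH = 0.79
RECALL_FATHERS_MIDDLE_NAME = 0.74


def normalize(answer: str) -> str:
    """Fold case and punctuation so 'St. Paul' and 'st paul' compare equal.
    (It does not reconcile 'St' with 'Saint'; that needs explicit aliases.)"""
    return "".join(ch for ch in answer.lower() if ch.isalnum())


def guess_success_rate(answers, guesses: int = 1) -> float:
    """Fraction of accounts an attacker would open by knowing nothing about
    the victim and trying the population's `guesses` most common answers.
    With a single guess this is the statistic behind the 19.7% pizza figure."""
    counts = Counter(normalize(a) for a in answers)
    top = counts.most_common(guesses)
    return sum(n for _, n in top) / len(answers)


def joint_recall_rate(recall_rates) -> float:
    """Probability that a legitimate user recalls *every* answer when several
    questions are asked together, assuming each recall is independent.
    Adding a question can only lower this number."""
    return prod(recall_rates)


if __name__ == "__main__":
    for k in (1, 3, 5):
        rate = guess_success_rate(FAVORITE_FOOD, k)
        print(f"attacker success with {k} guess(es): {rate:.0%}")
    both = joint_recall_rate([RECALL_CITY_OF_BIRTH, RECALL_FATHERS_MIDDLE_NAME])
    print(f"users recalling both city of birth and father's middle name: {both:.0%}")
```

On the constructed sample the single most common answer alone opens 20 percent of accounts, and five guesses open more than half, while the two "easy" questions asked together drop legitimate recall to about 58 percent.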

The answer instead is to use more reliable forms of identity verification. Google recommends SMS and/or a backup e-mail address to which a unique code can be delivered. Security Questions should never be considered standalone verification of identity.

As for users, Google recommends you make sure your Security Questions across your accounts contain correct information and that you don't make the mistake of giving false answers under the illusion of increased security, given the chance it could backfire later on.


Sources & Recommended Reading:
New Research: Some Tough Questions for 'Security Questions': googleonlinesecurity.blogspot.com (+infographic!)
Paper summarizing Google's findings, presented at WWW 2015: research.google.com

Tags: Google

5 user comments

1. DXR88, 22.5.2015 0:56

They're just a major annoyance. I've been using the biggest no-no passwords known to man and I've never had any account compromised ever. Needing passwords that are as long as paragraphs, they're just a turn off; if I can't use a password like Big$Billy then I'm not going to bother with your service.


2. aw2600, 22.5.2015 10:51

One of the banks that I use lets you create your own security questions. I've selected some very obscure questions related to my childhood. The answers are easy for me to remember but would be extremely difficult for someone to guess. None of the answers involve names, places, pets, etc. Even the questions would make someone go, "Huh?".

3. 23.5.2015 8:37

Originally posted by aw2600:
One of the banks that I use lets you create your own security questions. I've selected some very obscure questions related to my childhood. The answers are easy for me to remember but would be extremely difficult for someone to guess. None of the answers involve names, places, pets, etc. Even the questions would make someone go, "Huh?".
This is a much better implementation than most of the ones I see. I wish more companies did it this way, because you'd think it was inherently problematic asking everyone the same questions which have a limited number of possible responses.

4. 24.5.2015 20:25

Originally posted by DXR88:
They're just a major annoyance. I've been using the biggest no-no passwords known to man and I've never had any account compromised ever. Needing passwords that are as long as paragraphs, they're just a turn off; if I can't use a password like Big$Billy then I'm not going to bother with your service.
www.paypal.com DXR88:Big$Billy

Thanks for the 70inch LCD TV - LOL

5. 25.5.2015 1:23

I've had instances where none of the questions had an answer that wouldn't change over time, or they simply had no answer.

What's your father's middle name? My father had no middle name.

What was the name of your favorite childhood pet? I never had any pets.

What model was your first car? Many people never owned a car.

In what city were you born? Is St Paul? or St. Paul? or Saint Paul?

What's your favorite movie? I don't really have a favorite. Or, more accurately, I have a lot. And the list changes as new movies come out.

And so it goes, ad infinitum...
