TechSpot

Security question answers are less secure than the passwords they help protect

By Shawn Knight
May 22, 2015
  1. [Image: Google study on security questions]

    We’re reminded on a regular basis that password security is of the utmost importance. Concepts like selecting strong passwords, using unique passwords for each login and not sharing your passwords are general knowledge at this point although many choose to ignore the advice.

    Unsurprisingly, we’re also just as bad when it comes to providing answers to security questions when signing up for a new site or service, but it's not always the user's fault.

    Security questions are designed to provide an extra layer of security or to help recover a password that you no longer remember. But as data from a recent study conducted by Google’s security team reveals, they generally offer even less security than the passwords themselves.


    People often choose answers that are easy to remember, which by nature aren’t very secure, because the answers often contain commonly known or publicly available information. Examples of popular security questions include asking the name of your first pet, your favorite food or your mother’s maiden name.

    Conversely, difficult answers are often too tough to remember and thus defeat the entire purpose of a security question. The team found that 40 percent of English-speaking users in the US couldn’t recall their secret question answers when needed.

    Some of the safest questions, like asking for a user’s library card number or their frequent flyer number, only had a recall rate of 22 percent and nine percent, respectively.

    The team’s findings, summarized in a paper recently presented at WWW 2015, led them to conclude that secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism.
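    To put numbers on the trade-off the article describes, here is an added example (not from the article or from Google's study) that measures how far an attacker gets by guessing only the most popular answers, against how often the real owner can recover at all. The answer sets are constructed stand-ins, the recall rates are the figures quoted above, and the case/whitespace normalization is an assumed verifier policy.

```python
from collections import Counter

# Constructed sample populations (illustrative stand-ins, NOT the study's data).
# One string per user; the "pizza"-heavy skew mimics how popular answers cluster.
FAVORITE_FOOD = (["pizza"] * 30 + ["Pizza "] * 5 + ["steak"] * 15 + ["sushi"] * 10
                 + ["tacos"] * 8 + ["pasta"] * 7 + [f"dish{i}" for i in range(25)])
# A library card number is effectively unique per user (constructed placeholders).
LIBRARY_CARD = [f"LIB-{i:06d}" for i in range(100)]

# Recall rates quoted in the article: 40% of users could not recall their answer
# (so ~60% could), and library card numbers were recalled by only 22%.
RECALL_GENERAL = 0.60
RECALL_LIBRARY_CARD = 0.22


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive matching, as recovery forms commonly do.
    Assumed policy: the same leniency that helps owners also merges variants
    ("Pizza " and "pizza") into a single guess for an attacker."""
    return " ".join(answer.lower().split())


def guess_success_rate(answers, budget: int) -> float:
    """Fraction of accounts an attacker opens with `budget` tries per account,
    trying the population's most common answers and knowing nothing personal."""
    counts = Counter(normalize(a) for a in answers)
    covered = sum(n for _, n in counts.most_common(budget))
    return covered / len(answers)


def evaluate(answers, budget: int, recall_rate: float) -> dict:
    """Both sides of the trade-off: attacker success within `budget` guesses
    versus how often the legitimate owner can use the question at all."""
    return {"attacker_success": round(guess_success_rate(answers, budget), 2),
            "owner_recovery": recall_rate}


if __name__ == "__main__":
    # An easy-to-remember question: popular answers give the attacker a head start.
    print("favorite food:", evaluate(FAVORITE_FOOD, 3, RECALL_GENERAL))
    # A hard-to-guess question: the attacker stalls, but most owners are locked out too.
    print("library card:", evaluate(LIBRARY_CARD, 3, RECALL_LIBRARY_CARD))
```

Three guesses cover 60 percent of the constructed food answers but only 3 percent of the card numbers, which is exactly the security-versus-reliability gap the article reports.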

  2. MoeJoe

    MoeJoe TS Maniac Posts: 401   +208

    It is pathetic how weak all these so-called "advanced" security measures have been.
     
  3. Simple fix: most of these questions just use a text field for the answer, which means it does not have to be related or exactly correct. Example: What is your favorite food? Standard Answer: steak. Modified Answers: steak25, stake, Mary, Blue, etc.
     
  4. davislane1

    davislane1 TS Evangelist Posts: 3,554   +2,361

    Indeed.

    Q: Where did you go to school?
    A: Trimethylolpropane7
     
  5. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 8,555   +2,898

    My complaint is the stupid security questions that no one (including yourself) or everyone has the answer to. And that is without the option to include your own question, of which you know you are the only one that could answer.
     
    spectrenad likes this.
  6. Camikazi

    Camikazi TS Maniac Posts: 817   +231

    They aren't weak, it's just that humans are predictable and really not as unique as most think they are. When so many things are common between a large number of people, things like this become weaker not because of the mechanic but because of people. Then again, since the answers can be anything you want, putting in the ACTUAL answer is not the smartest idea. I never use the actual answers for the questions; I switch things up and add in numbers so that only I would figure it out.
     
  7. MikeAcker

    MikeAcker TS Enthusiast Posts: 30

    Symmetric keys are often compromised. This problem will not be solved until people listen and switch to public key encryption, where the public and private keys are not the same.
     
  8. Captain828

    Captain828 TS Guru Posts: 287   +10

    I always try my best to skip such security questions because:
    a) if I give it the real info, chances are it's easy to guess
    b) if I give it fake info (like davislane1 suggested), chances are I'll probably forget what I typed in

    IMHO the only modern auth solution that actually helps with security is two-factor authentication.
    If done properly an attacker has far fewer chances of getting in and it's also a very end-user friendly solution (copy-paste SMS/email pin code and you're done).
     
  9. DaveBG

    DaveBG TS Addict Posts: 231   +74

    Yet many sites use this crap just to annoy their users... damn
     
