Security question answers are less secure than the passwords they help protect

Shawn Knight



We’re reminded on a regular basis that password security is of the utmost importance. Concepts like selecting strong passwords, using unique passwords for each login and not sharing your passwords are general knowledge at this point although many choose to ignore the advice.

Unsurprisingly, we’re also just as bad when it comes to providing answers to security questions when signing up for a new site or service but it's not always the user's fault.

Security questions are designed to provide an extra layer of security or to help recover a password that you no longer remember. But as data from a recent study conducted by Google’s security team reveals, they generally offer even less security than the passwords themselves.


People often choose answers that are easy to remember, which by nature aren’t very secure because the answers often contain commonly known or publicly available information. Examples of popular security questions include asking the name of your first pet, your favorite food or your mother’s maiden name.

Conversely, difficult answers are often too tough to remember and thus defeat the entire purpose of a security question. The team found that 40 percent of English-speaking users in the US couldn’t recall their secret question answers when needed.

Some of the safest questions, like asking for a user’s library card number or their frequent flyer number, only had a recall rate of 22 percent and nine percent, respectively.

The team’s findings, summarized in a paper recently presented at WWW 2015, led them to conclude that secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism.
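As an added example (not code from the article or from Google's study), the Python below shows the two checks a service owner would want from these findings: how much of a user base the most popular answers cover, which is what makes a question guessable, and a registration-time policy that rejects answers that are short, common or simply restate the question. The sample answer counts, the common-answer list, the `normalize` comparison rule and the policy thresholds are all constructed assumptions, not figures from the study.

```python
"""
Added example, not from the TechSpot article or Google's paper.

1. top_k_coverage(): given answers collected at signup, the share of accounts an
   attacker covers with the k most popular guesses (the guessability view).
2. assess_answer(): a registration-time policy check that rejects answers which
   are short, appear in a common-answer list, or restate the question.

All answer data and thresholds below are constructed sample values.
"""
from collections import Counter
import re
import unicodedata

# Constructed sample: "favorite food" answers from hypothetical signups.
SAMPLE_ANSWERS = (
    ["pizza"] * 35 + ["Pizza"] * 10 + ["pasta"] * 15 + ["sushi"] * 12
    + ["steak"] * 8 + ["tacos"] * 6 + ["lasagne"] * 4
    + ["Trimethylolpropane7"] * 1 + ["bibimbap"] * 1 + ["goulash"] * 1
)

# Constructed list; a real service would derive it from its own answer statistics.
COMMON_ANSWERS = {"pizza", "pasta", "sushi", "steak", "tacos"}


def normalize(answer: str) -> str:
    """Case-fold, strip accents and drop punctuation/whitespace, the way a
    lenient recovery form would compare answers (assumed comparison rule)."""
    s = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]+", "", s.casefold())


def top_k_coverage(answers, k: int) -> float:
    """Fraction of accounts whose normalized answer is among the k most common
    answers, i.e. an attacker's success rate with k online guesses."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    covered = sum(c for _, c in counts.most_common(k))
    return covered / total


def assess_answer(question: str, answer: str, min_len: int = 8):
    """Return (accepted, reasons) for a proposed answer. Thresholds are assumptions."""
    reasons = []
    n = normalize(answer)
    if len(n) < min_len:
        reasons.append("too short")
    if n in COMMON_ANSWERS:
        reasons.append("common answer")
    # Reject answers that contain a significant word of the question itself.
    qwords = {w for w in re.findall(r"[a-z0-9]+", question.casefold()) if len(w) > 3}
    if any(w in n for w in qwords):
        reasons.append("restates the question")
    return (not reasons, reasons)


if __name__ == "__main__":
    for k in (1, 3):
        print(f"top-{k} guesses cover {top_k_coverage(SAMPLE_ANSWERS, k):.1%} of accounts")
    q = "What is your favorite food?"
    for candidate in ("pizza", "Trimethylolpropane7"):
        print(candidate, assess_answer(q, candidate))
```

With the constructed sample, a single guess ("pizza") already covers almost half the accounts and three guesses cover more than three quarters, which is the failure mode the study describes; the policy check accepts the deliberately unrelated answer from the comments below only because it is long and unrelated, and would still leave the recall problem untouched.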


 
It is pathetic how weak all these so-called "advanced" security measures have been.
 
Simple fix, most of these questions just use a text field for the answer which means it does not have to be related or exactly correct. Example: What is your favorite food? Standard Answer: steak, Modified Answers: steak25, stake, Mary, Blue, etc.
 
Simple fix, most of these questions just use a text field for the answer which means it does not have to be related or exactly correct. Example: What is your favorite food? Standard Answer: steak, Modified Answers: steak25, stake, Mary, Blue, etc.

Indeed.

Q: Where did you go to school?
A: Trimethylolpropane7
 
My complaint is the stupid security questions that no one (including yourself) or everyone has the answer to. And that is without the option to include your own question, of which you know you are the only one that could answer.
 
It is pathetic how weak all these so-called "advanced" security measures have been.
They aren't weak, it's just that humans are predictable and really not as unique as most think they are. When so many things are common between a large number of people, things like this become weaker not because of the mechanic but because of people. Then again, since the answers can be anything you want, putting in the ACTUAL answer is not the smartest idea. I never use the actual answers for the questions; I switch things up and add in numbers so that only I would figure it out.
 
Symmetric keys are often compromised. This problem will not be solved until people listen and switch to public key encryption, where the public and private keys are not the same.
 
I always try my best to skip such security questions because:
a) if I give it the real info, chances are it's easy to guess
b) if I give it fake info (like davislane1 suggested), chances are I'll probably forget what I typed in

IMHO the only modern auth solution that actually helps with security is two-factor authentication.
If done properly an attacker has far fewer chances of getting in and it's also a very end-user friendly solution (copy-paste SMS/email pin code and you're done).
 