We’re reminded on a regular basis that password security is of the utmost importance. Concepts like selecting strong passwords, using a unique password for each login and not sharing your passwords are general knowledge at this point, although many choose to ignore the advice.
Unsurprisingly, we’re just as bad at answering security questions when signing up for a new site or service, but it's not always the user's fault.
Security questions are designed to provide an extra layer of security or to help recover a password that you no longer remember. But as data from a recent study conducted by Google’s security team reveals, they generally offer even less security than the passwords themselves.
People often choose answers that are easy to remember, which by nature aren’t very secure because the answers often consist of commonly known or publicly available information. Examples of popular security questions include asking for the name of your first pet, your favorite food or your mother’s maiden name.
Conversely, difficult answers are often too tough to remember and thus, defeat the entire purpose of a security question. The team found that 40 percent of English-speaking users in the US couldn’t recall their secret question answers when needed.
Some of the safest questions, like asking for a user’s library card number or their frequent flyer number, only had a recall rate of 22 percent and nine percent, respectively.
The team’s findings, summarized in a paper recently presented at WWW 2015, led them to conclude that secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism.