Lost your password? Google study says beware the not-so-secure security questions

Online security questions — posed by websites to complement or recover your password — actually aren’t very secure or effective, a new study shows.

For one thing, your dad’s middle name or your birthplace may be easy to guess, so there goes security. On the flip side, the system fails to be effective when the answers are too hard to remember. Or when you lie, then forget your fake answer.

Google researchers who conducted the study of “hundreds of millions of secret answers and millions of account recovery claims” found that 40 percent of English-speaking U.S. Google users couldn’t remember their answers when asked. (The study also looked at those who speak other languages.)

Not surprisingly, the ability to remember answers decreases over time — especially for answers users might change their minds about. For questions about people’s favorite food, the success rate is 74 percent a month after the answer is registered, 53 percent after 3 months and 47 percent after a year. The success rate for factual answers such as a phone number is better, but that information can be looked up or may be known by users’ contacts.

As for lying, it’s true both offline and online: It backfires. Thirty-seven percent of respondents said they gave fake answers to improve security, 31.9 percent said they did it for privacy reasons, and 15 percent said they lied to make the answer easier to remember, “though the effect is the exact opposite,” the researchers said. In addition, the study found that 4.2 percent of English-speaking users have the “same” frequent flyer number and 0.4 percent have the same phone number — because some people lied. “These untruthful answers significantly weaken the potentially most secure questions,” the researchers said.
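The finding that shared fake answers weaken a question can be checked on any site’s own answer store. As an added illustration that is not part of the article or the study, the following Python script computes the guessability metrics behind it over a constructed set of stored answers; it assumes a hypothetical recovery form that folds case and whitespace before comparing, and the answer lists, question names and threshold are all made up.

```python
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample answer stores (not real user data), one list per question.
# The repeated frequent-flyer value mimics the study's observation that fake
# answers leave many accounts sharing one "secret".
FAVORITE_FOOD = ["Pizza", "pizza ", "Sushi", "tacos", "PIZZA",
                 "pasta", "sushi", "curry", "pizza", "ramen"]
FREQUENT_FLYER = ["123456789", "AB4410271", "123456789", "XZ9920015",
                  "123456789", "QK1130882", "LM7761903", "123456789",
                  "PP2040116", "RR5551212"]
PHONE_NUMBER = ["5550100001", "5550100002", "5550100003",
                "5550100004", "5550100005", "5550100006"]

def normalize(answer: str) -> str:
    """Fold case and whitespace, as a recovery form typically does before comparing."""
    return " ".join(answer.strip().lower().split())

def answer_stats(answers: Iterable[str], k: int = 3) -> Dict[str, float]:
    """Guessability metrics for one question's stored answers.

    most_common_share: fraction of accounts a single guess would unlock
    top_k_coverage:    fraction unlocked by the k most popular answers
    collision_rate:    probability that two random users hold the same answer
    """
    counts = Counter(normalize(a) for a in answers)
    n = sum(counts.values())
    if n == 0:
        raise ValueError("no answers to analyse")
    top = counts.most_common(k)
    pairs = sum(c * (c - 1) for c in counts.values())  # ordered equal pairs
    return {
        "most_common_share": top[0][1] / n,
        "top_k_coverage": sum(c for _, c in top) / n,
        "collision_rate": pairs / (n * (n - 1)) if n > 1 else 0.0,
    }

def weak_questions(store: Dict[str, List[str]], max_share: float = 0.2) -> List[str]:
    """Names of questions where one popular answer covers too many accounts."""
    return [q for q, answers in store.items()
            if answer_stats(answers)["most_common_share"] > max_share]

if __name__ == "__main__":
    store = {"favorite food": FAVORITE_FOOD,
             "frequent flyer": FREQUENT_FLYER,
             "phone number": PHONE_NUMBER}
    for question, answers in store.items():
        print(question, answer_stats(answers))
    print("weak:", weak_questions(store))
```

On a real store the threshold would be far lower than 0.2; the study’s 4.2 percent shared frequent-flyer number already corresponds to a most_common_share of 0.042.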

The researchers said the findings show why Google favors email and SMS as a means of account recovery. The success rate of SMS is 20 percent better than “even the most successful secret answer language/population bucket,” according to the study. Email’s success rate is 14.5 percent better.

Still, the researchers said “no mechanism is perfect.” For example, SMS won’t be useful if users don’t have access to their phones. So they said there’s a place for personal-knowledge questions, especially if they can be secure and easy to remember.

(HT TechCrunch)


Photo from Associated Press

