FILE - In this June 16, 2013 file photo, Internet users browse their Facebook website by the free wifi internet service in an underground station in Hong Kong. This week's news that a Russian crime ring has amassed some 1.2 billion username and password combinations makes now a good time to review ways to protect yourself online. The hacking misdeeds were described in a New York Times story based on the findings of Hold Security, a Milwaukee firm that has a history of uncovering online security breaches.  (AP Photo/Kin Cheung, File)

Online security questions — posed by websites to complement or recover your password — actually aren't very secure or effective, a new study shows.

For one thing, your dad's middle name or your birthplace may be easy to guess, so there goes security. On the flip side, the system fails to be effective when the answers are too hard to remember. Or when you lie, then forget your fake answer.

Google researchers who conducted the study of hundreds of millions of secret answers and millions of account recovery claims found that 40 percent of English-speaking U.S. Google users couldn't remember their answers when asked. (The study also looked at those who speak other languages.)

Not surprisingly, the ability to remember answers decreases over time — especially for answers users might change their minds about. For questions about people's favorite food, the success rate is 74 percent a month after the answer is registered, 53 percent after 3 months and 47 percent after a year. The success rates for factual answers such as a phone number are better, but that information can be looked up or may be known by users' contacts.

As for lying, it's true both offline and online: It backfires. Thirty-seven percent of responders said they gave fake answers to improve security, 31.9 percent said they did it for privacy reasons, and 15 percent said they lied to make the answer easier to remember, though the effect is the exact opposite, the researchers said. In addition, the study found that 4.2 percent of English-speaking users have the same frequent flyer number and 0.4 percent have the same phone number — because some people lied. These untruthful answers significantly weaken the potentially most secure questions, the researchers said.

The researchers said the findings show why Google favors email and SMS as a means of account recovery. The success rate of SMS is 20 percent better than even the most successful secret answer language/population bucket, according to the study. Email's success rate is 14.5 percent better.

Still, the researchers said no mechanism is perfect. For example, SMS won't be useful if users don't have access to their phones. So they said there's a place for personal-knowledge questions, especially if they can be secure and easy to remember.

(HT TechCrunch)

 

Photo from Associated Press