A new in-depth study from Google reveals that the security questions most individuals use as an additional layer of security are often less secure and easier to guess than user-chosen passwords. This is especially problematic given that security questions are often the only line of defense when a password is forgotten and needs to be resent or reset.
Interestingly enough, Google found that security questions tend to be weak because many individuals lie when answering them. Specifically, Google discovered that many people who provide fake answers to security questions do so to make them harder to guess. But as it turns out, “on aggregate this behavior had the opposite effect as people harden their answers in a predictable way.” Compounding the problem is that many users, as a result, also have a difficult time remembering their security question answers in the first place. This is especially true when the questions chosen are exceedingly specific.
In crafting security questions, websites need to strike a fine balance between questions that are easy for user’s to answer but hard for third parties to guess. Google finds that this balance is almost never reached.
“Comparing question strength and memorability reveals that the questions that are potentially the most secure (e.g what is your first phone number) are also the ones with the worst memorability,” the paper’s abstract reads. “We conclude that it appears next to impossible to find secret questions that are both secure and memorable.”
For instance, the study found that of the more secure questions, such as “What is your frequent flyer number”, only 9% of users who opted to answer this question were able to recall it.
The study further states that attacks against personal security questions are particularly dangerous because there are many shared answers across large numbers of users.
For example using a single guess an attacker would have a 19.7% success rate at guessing English-speaking users’ answers for the question “Favorite food?”
… With 10 guesses an attacker would be able to guess 39% of Korean-speaking users’ answers to “City of birth?”
As for English-speakers favorite food, the most common answer is, not too surprisingly, “pizza.”
Another problem identified by Google is that some security questions are far too narrow in their construction and inherently limit the number of possible answers from the start. For example, a security question which asks “Who is your favorite superhero?” only makes things easier for individuals looking to bypass a user’s security questions.
While some sites have added additional layers of security to password recovery via items like SMS recovery, many websites still employ security questions exclusively. And as Google’s research report lays out in precise detail, those questions are nto nearly as secure as one would like to think.