A new in-depth study from Google reveals that the security questions most individuals use as an additional layer of protection are often less secure and easier to guess than user-chosen passwords. This is especially problematic given that security questions are often the only line of defense when a password is forgotten and needs to be resent or reset.
Google found that security questions tend to be weak because many individuals lie when answering them. Specifically, it discovered that many people who provide fake answers do so to make them harder to guess. But as it turns out, “on aggregate this behavior had the opposite effect as people harden their answers in a predictable way.” Compounding the problem, many users consequently have a difficult time remembering their security question answers in the first place. This is especially true when the questions chosen are exceedingly specific.