Is your “secret answer” hard to guess?

May 26, 2015

Google has analyzed hundreds of millions of answers to account recovery secret questions and concluded that they are not very secure.

When it comes to recovering our account details, we are all familiar with questions such as “what is the name of your favorite sports team” or “what city were you born in”. Know the answer to this question and you’re well on your way to resetting a password and getting back into your account.

However, Google has just released a paper documenting its findings after analyzing the strength of hundreds of millions of secret questions and answers.

The findings led the search giant to conclude that secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism. That’s because they suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember—but rarely both.

The most obvious example of a weak secret question was “what is your favorite food”: among English-speaking users, hackers had a 19.7% chance of guessing the answer in a single attempt.

On the other hand, just as with passwords, secure answers to secret questions are often very difficult to remember. One example of a strong secret question was “what is your frequent flyer number”, but it had a recall rate of only 22%.

So if easy-to-remember answers are too simple and secure answers are too difficult to remember, what should we do?

Google’s most important recommendation for adding extra security to the account recovery process was to add an SMS number or secondary email address. Just like adding two-factor authentication for a password, including one of these two extra steps will help dramatically reduce the risk that an attacker could maliciously recover your account details.

For more information on Google’s report, check out the infographic below:

Google Secret Answer Infographic





