
Google warns that security questions aren’t that secure

Though we mainly see them online these days, security questions predate the Internet by quite a bit. Banks, for example, have commonly used questions like “what is your mother’s maiden name?” since the beginning of the 20th century. There’s a problem though: Google says that despite their widespread use, security questions aren’t actually all that secure.

The main problem with security questions is that they’re either easy to remember or hard to guess, but very rarely both, according to a research paper Google recently presented at WWW 2015.

Google has a unique advantage when it comes to studying this subject, as it has access to a huge amount of data. A team of researchers analyzed “hundreds of millions” of questions and answers that had been used for Google account recovery claims, according to a post on the Google Online Security Blog.

The researchers found that many of the most common questions could be answered correctly within ten guesses, with a success rate between 21 and 39 percent, depending on the question. With a single guess, an attacker had a nearly 20 percent chance of guessing the answer to the question “what is your favorite food?” The usual answer? Pizza.

You may have seen advice that answering security questions with deliberately “wrong” answers is a better tactic, but Google’s researchers found that this often backfired, making the answers easier rather than harder to guess, because many people choose the same false answers.

The problem is compounded by the fact that answers that are harder to guess are also harder to remember. The researchers found that requiring two different security questions reduced an attacker’s chance of guessing both answers within ten attempts to less than one percent, but users remembered the answers to both questions only 59 percent of the time.
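To make the article’s “within ten guesses” figures concrete, here is an added Python example that is not from the article or from Google’s paper. It measures how guessable a set of recovery answers is: the share of users whose answer falls among the k most popular answers (what a guesser trying the most common answers in order would achieve), the same figure when two independent questions must both be answered, and the min-entropy of the distribution as a defender’s summary metric. The two answer lists are constructed for illustration, so their percentages are not Google’s numbers; the independence of the two questions is a modelling assumption.

```python
from collections import Counter
from fractions import Fraction
import math


def constructed_answers(top_counts, total):
    """Build a constructed answer list: the given popular answers plus
    enough distinct filler answers to reach `total` users."""
    answers = []
    for answer, n in top_counts.items():
        answers.extend([answer] * n)
    answers.extend(f"unique-{i}" for i in range(total - len(answers)))
    return answers


# Constructed distributions (not Google's data): 1000 users per question.
FAVORITE_FOOD = constructed_answers({
    "pizza": 195, "chicken": 40, "sushi": 30, "pasta": 25, "steak": 25,
    "tacos": 20, "chocolate": 15, "burger": 15, "curry": 15, "ice cream": 10,
}, 1000)

FIRST_PET = constructed_answers({
    "max": 50, "buddy": 40, "bella": 35, "charlie": 30, "lucy": 25,
    "daisy": 20, "rocky": 20, "molly": 15, "coco": 15, "toby": 10,
}, 1000)


def guess_success(answers, k):
    """Fraction of users whose answer is among the k most frequent answers,
    i.e. the success rate of guessing the k most popular answers in order."""
    counts = Counter(answers)
    hits = sum(n for _, n in counts.most_common(k))
    return Fraction(hits, len(answers))


def two_question_success(answers_a, answers_b, k):
    """Success rate when both questions must be answered, each within k
    guesses. Assumes the two answer distributions are independent."""
    return guess_success(answers_a, k) * guess_success(answers_b, k)


def min_entropy_bits(answers):
    """Min-entropy of the answer distribution: -log2 of the share held by
    the single most common answer (the one-guess success rate)."""
    counts = Counter(answers)
    p_max = counts.most_common(1)[0][1] / len(answers)
    return -math.log2(p_max)


if __name__ == "__main__":
    for name, data in (("favorite food", FAVORITE_FOOD), ("first pet", FIRST_PET)):
        print(f"{name}: 1 guess {float(guess_success(data, 1)):.1%}, "
              f"10 guesses {float(guess_success(data, 10)):.1%}, "
              f"min-entropy {min_entropy_bits(data):.2f} bits")
    both = two_question_success(FAVORITE_FOOD, FIRST_PET, 10)
    print(f"both questions within 10 guesses each: {float(both):.1%}")
```

The same functions can be run over an organisation’s own (anonymised) recovery-answer data to audit which questions are too concentrated to rely on; a question whose ten most popular answers cover a large share of users offers little protection no matter how the prompt is worded.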

So what are we supposed to do? Google proposes avoiding security questions entirely, using backup codes sent via text message or other forms of two-factor authentication instead. It isn’t as easy, but it is more secure.

For more information, see the full paper, enticingly entitled Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google, which is available for free on Google Research.

Kris Wouk
Former Digital Trends Contributor