1. Computing

Google warns that security questions aren’t that secure

By

Enterprise network security
Though we mainly see them online these days, security questions predate the Internet by quite a bit. Banks, for example, have commonly used questions like “what is your mother’s maiden name?” since the beginning of the 20th century. There’s a problem though: Google says that despite their widespread use, security questions aren’t actually all that secure.

The main problem with security questions is that they’re either easy to remember or hard to guess, but very rarely both, according to a research paper Google recently presented at WWW 2015.

Google has a unique advantage when it comes to studying this subject, as it has access to a huge amount of data. A team of researchers analyzed “hundreds of millions” of questions and answers that had been used for Google account recovery claims, according to a post on the Google Online Security Blog.

The researchers found that many of the most common questions could be answered correctly within ten guesses, with a success rate between 21 and 39 percent, depending on the question. With a single guess, an attacker had a nearly 20 percent chance of guessing the answer to the question “what is your favorite food?” The usual answer? Pizza.

You may have seen advice that answering security questions with “wrong” answers is a better tactic, but Google’s researchers found that this often backfired, making the answers not harder but easier to guess, as many third parties choose the same false answers.

The problem is compounded by the fact that answers that are more difficult to guess are also more difficult to remember. Research shows that using two different security questions reduced an attacker’s chance to correctly guess the answer within ten attempts to less than one percent, but that users only remembered the answers to both questions 59 percent of the time.

So what are we supposed to do? Google proposes avoiding security questions entirely, using backup codes sent via text message or other forms of two-factor authentication instead. It isn’t as easy, but it is more secure.

For more information, see the full paper, enticingly entitled Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google, which is available for free on Google Research.

Editors' Recommendations

Update Google Chrome now to patch this critical security flaw

A MacBook with Google Chrome loaded.

VPN Free Trial: All the services that offer a free trial in 2021

private internet access vpn on sale right now best services feat 720x720

Don’t believe the marketing! Robot chefs aren’t what you think they are

mckinsey automation job change replacement robotics moley robot chef hands screen

The 52 best shows on Amazon Prime Video right now

The Boys Season 2, on Amazon Prime

With Tesla bleeding money, Elon Musk initiates hardcore spending review

Tesla Model Y front

Google’s Pixel 6 Pro’s specs come into focus after comprehensive leak

Google Pixel 6 colors.

Best cheap Mac Mini deals for September 2021

Apple Mac Mini 2018

How to track your stats in Call of Duty: Warzone

Hudson from Call of Duty: Black Ops Cold War.

Verizon Business is practically giving away the iPhone 12 for free in September

Apple iPhone 12 Pro

Best cheap Instant Pot deals for September 2021

instant pot duo crisp duo80 duo60 bestbuy walmart deals 60 7 in 1

Best cheap Ninja Foodi deals for September 2021

amazon drops ninja op302 foodi price cooker4

Best cheap Nest Thermostat deals for September 2021

amazon slashes prices on google nest smart thermostats for black friday thermostat e 1

Best cheap air fryer deals for September 2021: Instant Pot, Ninja, and Dash

bella pro cuisinart chefman instant vortex plus air fryer deals amazon best buy early memorial day sales 6 in 1