Everyone's favorite food is pizza, so when a site asks you to provide an answer for the security question What's your favorite food, don't say pizza.
Providing answers to security questions is something we're all very familiar with, as it's been a tool for account security and recovery for a long time. But are these security questions even that secure?
Apparently not, according to a new Google study. The company looked at hundreds of millions of secret questions and answers used over the years and concluded that "secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism."
The main problem is that easy answers are easy ... to guess. And more specific, harder-to-guess answers are harder ... for you to remember. Talk about a double-edged sword.
Let's take the "pizza" example. According to Google, anyone looking to break into someone else's account has a 20% chance of getting in with the answer to the "what's your favorite food" query – on the first try. That's because everyone says "pizza".
Also, if you think lying is going to trip someone up, think again:
"Many different users also had identical answers to secret questions that we’d normally expect to be highly secure, such as "What’s your phone number?" or "What’s your frequent flyer number?". We dug into this further and found that 37% of people intentionally provide false answers to their questions thinking this will make them harder to guess. However, this ends up backfiring because people choose the same (false) answers, and actually increase the likelihood that an attacker can break in," says Google.
On the other side of the sword, you have the tougher security questions that merit more specific answers. For instance, What's your frequent flyer number?
Surprise, surprise: it’s not easy to remember where your mother went to elementary school, or what your library card number is! Difficult secret questions and answers are often hard to use. Here are some specific findings:
- 40% of our English-speaking US users couldn’t recall their secret question answers when they needed to. These same users, meanwhile, could recall reset codes sent to them via SMS text message more than 80% of the time and via email nearly 75% of the time.
- Some of the potentially safest questions—"What is your library card number?" and "What is your frequent flyer number?"—have only 22% and 9% recall rates, respectively.
- For English-speaking users in the US the easier question, "What is your father’s middle name?" had a success rate of 76% while the potentially safer question "What is your first phone number?" had only a 55% success rate.
Long story short, having a harder-to-crack security Q&A means nothing if you can't remember it.
Text and email code verification seems to be a much better way to protect and retrieve accounts. Maybe we can say good riddance to the security question. I sure hate having to think about my first dog whenever I forget my password.
Infographic via Google, Image via Thinkstock