
Security questions don’t necessarily live up to their name

What’s your password?

If it ever became one, this would be the most direct, and most baffling, security question of all.

A recent study published by Google shows that security questions are not fully effective as a standalone means of recovering account access and account information. This is because the answers people give are either commonplace or very hard to remember.

In its research, Google found that hackers have a 20% to as high as 40% chance of guessing the answers to questions that are considered relatively easy or that are tied to common (read: native or pop) cultural references. Its testing showed that for these questions, looking up and cross-referencing information from the account holder's profile yields a correct answer in 10 guesses or fewer.

Conversely, security questions that are made difficult tend to have answers that are difficult to remember, which sharply reduces the chance that people can recall them. In its test cases, the difference in recall ability between the easier questions and the tougher ones can be from 13% to 21%.

The study also notes that while adding more questions may seem better, users have a tougher time recalling the answer to each subsequent question. Adding more questions does not necessarily make for a more helpful solution.

Google proposes mixing security questions with other account recovery tools, such as SMS reset codes (which it uses for its own services) and backup email addresses.
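To make the proposal concrete, here is an added example (not code from the post or from Google) of a two-step recovery flow: the security question is treated like a password (normalized, salted, slowly hashed) and answering it correctly only triggers a one-time code over a second channel, while repeated wrong answers lock recovery long before the roughly ten guesses the study found sufficient. The attempt limit, code length, function names and the simulated SMS/e-mail channel are all assumptions of this example.

```python
"""Two-channel account recovery: security question + one-time code.
Constructed example; thresholds and names are assumptions, not values
taken from the Google study."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

MAX_QUESTION_ATTEMPTS = 5   # assumption: lock well below the ~10 guesses the study mentions
CODE_LENGTH = 6             # assumption: length of the SMS / e-mail reset code


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive, so 'New York' and 'new  york' match."""
    return " ".join(answer.lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Treat the answer like a password: salted, slow hash, never stored in clear.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    answer_hash: bytes
    failed_attempts: int = 0
    locked: bool = False
    pending_code: Optional[str] = None
    # Stands in for the SMS / backup e-mail channel so the example runs offline.
    sent_codes: List[str] = field(default_factory=list)


def enroll(answer: str) -> Account:
    """Store only a salted hash of the security answer."""
    salt = secrets.token_bytes(16)
    return Account(salt=salt, answer_hash=hash_answer(answer, salt))


def answer_question(acct: Account, answer: str) -> str:
    """Step 1. Returns 'locked', 'wrong' or 'code_sent'."""
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(hash_answer(answer, acct.salt), acct.answer_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_QUESTION_ATTEMPTS:
            acct.locked = True          # stops profile-driven guessing early
            return "locked"
        return "wrong"
    # A correct answer alone is not enough: push a one-time code over the second channel.
    acct.pending_code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
    acct.sent_codes.append(acct.pending_code)
    return "code_sent"


def submit_code(acct: Account, code: str) -> bool:
    """Step 2. Only a valid, unused code unlocks the password reset."""
    if acct.locked or acct.pending_code is None:
        return False
    ok = hmac.compare_digest(code, acct.pending_code)
    acct.pending_code = None            # single use, whether right or wrong
    return ok


def simulate_guessing(acct: Account, guesses: List[str]):
    """Feed a list of popular answers; returns (final status, attempts used)."""
    for i, guess in enumerate(guesses, 1):
        status = answer_question(acct, guess)
        if status != "wrong":
            return status, i
    return "wrong", len(guesses)


if __name__ == "__main__":
    acct = enroll("Tacos")
    # Constructed list of common answers, as an attacker working from a profile might try.
    print(simulate_guessing(acct, ["pizza", "sushi", "pasta", "burger", "salad", "tacos"]))
```

The lockout means the easy-to-guess answer from the study only buys an attacker a handful of tries, and even a correct guess still requires control of the phone or backup mailbox before anything is reset.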

[Source: Google Online Security Blog] [Image credits: research.google.com]


About Arvin

Technology. Games. Development. Consulting.