After doing a bit of research, Google has decided to warn its users about how insecure “Security Questions” are when used to verify a login, recover a password, and in other situations.
It’s been a long-standing practice among Internet providers to require that their users answer some questions about themselves, which are then used when the user requests a new password or the login process has recorded too many incorrect passwords.
Other situations where these identification questions come in handy are suspicious logins (unfamiliar location, new device) and the password recovery process.
However, Google took the time to analyze hundreds of millions of identification Q&A combinations, and as it turns out, they are a strikingly unreliable method of providing security. Among other goals, Google wanted to determine how difficult it would be for a hacker to simply guess the correct answers.
Research showed two extremes, with no middle ground: people would either provide fairly secure answers that are difficult to remember, or answers that are easy to remember but also very easy to guess.
Some of the provided answers are indeed too easy to guess; there is a 19.7 percent chance a hacker will correctly answer the question “What is your favorite food?” You could guess it too, right now! You’re right! Pizza!
Another moderately easy question turned out to be “What is your mother’s maiden name?” but only in some regions where last names are shared by a large part of the population.
And assuming the attacker knows a bit about his victim, he can find information rather easily by just taking a peek at a social media account. So don’t rely on questions asking you about your city of birth, pet’s name, and others of the sort.
Moving on to more difficult questions, it turned out that users’ success rates were downright disappointing; when prompted to remember their library card number, only 22 percent of the respondents could comply. The rate was even lower for the question “What is your frequent flyer number?” – only 9 percent passed with flying colors.
Winning questions in the security category were “What city were you born in?” and “What is your father’s middle name?”, with 79 percent and 74 percent of correct answers, respectively.
The solution is not to add more Security Questions – which would just curb the already low chance of actually remembering the answers – but instead, Google recommends that you use more reliable forms of identity verification. Google offers the option of SMS and/or a backup e-mail address where it sends you a unique code.
But whatever you do, do not try to give false answers to the Security Questions! You may think you will remember them, but more often than not, it backfires.