In news that surprises no one, Google and computer scientists at Stanford University recently conducted a study on how much security questions actually serve to protect an account, and concluded that they’re not very secure at all.
If we’re being honest, any modern 10-year-old who stops to think for a moment can probably realize that silly questions such as “what was your first pet’s name?”, “what’s your mother’s middle name?” or “what’s your favorite food?” can’t possibly offer any real security. If anything, they sound like joke questions.
For their study, Google looked at their very own archive of users who tried to recover their accounts at one point or another. They analyzed hundreds of millions of questions and answers provided by said users, and found that “secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism”.
The mechanism is flawed at its core: these questions are either too easy to remember (which makes the answers ridiculously easy to guess) or too hard to remember (which makes the users themselves very likely to forget their own answers).
If you know the nationality of a user, you have an almost 20 percent chance (19.7 percent to be exact) of guessing the answer to their security question. For instance, an English-speaking user’s favorite food is typically pizza: roughly 20 percent of them have set it as their answer.
Take human nature into account – we keep evolving as we go through life, often changing preferences, values, beliefs and priorities as we discover new ones, and we sometimes give answers based on our mood – and there’s a very good chance that a user won’t remember what they set as their own answer.
The success rate for answering a question the right way after being locked out of an account for about a month was 74 percent.
The success rate for answering a question the right way after being locked out of an account for roughly three months was 53 percent.
The success rate for answering a question the right way after being locked out of an account for more than a year was 47 percent.
If your father’s middle name is a common one, or you live in a country where pretty much everyone lives in just a few cities, you have a pretty good chance of getting hacked.
Given ten guesses, an attacker would have an almost 24 percent chance of guessing the name of an Arabic-speaker’s first teacher.
Given ten guesses, an attacker would have a 21 percent chance of guessing the middle name of a Spanish speaker’s father.
Given ten guesses, an attacker would have a 39 percent chance of guessing where a South Korean user was born.
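To make the “given ten guesses” figures above concrete, here is an added Python example that is not part of the article or of the Google/Stanford study. It computes, from a constructed answer distribution, the success rate of an attacker who knows how a population tends to answer and gets k attempts per account (k=1 is the single-guess figure, k=10 the ten-guess figure), the min-entropy of that distribution, and the same numbers for a uniformly random secret for comparison. The sample answers, their counts and all function names are the example’s own assumptions, not data from the study.

```python
from collections import Counter
from math import log2


def normalize(answer: str) -> str:
    """Canonicalise an answer the way a recovery flow would before comparing:
    trim and collapse whitespace, ignore case, so 'Pizza ' and 'pizza' match."""
    return " ".join(answer.strip().lower().split())


# Constructed sample: 100 answers to "what's your favorite food?". The counts
# are invented for illustration and are NOT the study's data. A few entries
# vary in case and spacing to show why normalisation matters.
SAMPLE_ANSWERS = (
    ["pizza"] * 17 + ["Pizza", "PIZZA", " pizza "]   # 20 after normalisation
    + ["pasta"] * 10
    + ["sushi"] * 8
    + ["tacos"] * 7
    + ["chicken"] * 6
    + ["burgers"] * 5
    + [f"dish{i}" for i in range(44)]                # long tail of unique answers
)


def answer_counts(answers):
    """Frequency table of normalised answers."""
    return Counter(normalize(a) for a in answers)


def top_k_guess_success(answers, k: int) -> float:
    """Fraction of the population whose answer is among the k most common
    answers: the success rate of an attacker who knows the population's
    answer distribution and gets k attempts against a randomly chosen user."""
    counts = answer_counts(answers)
    total = sum(counts.values())
    covered = sum(c for _, c in counts.most_common(k))
    return covered / total


def min_entropy_bits(answers) -> float:
    """Min-entropy of the answer distribution, -log2(p_max). It is the right
    measure for guessing attacks because it is set by the single best guess,
    not by the average answer."""
    counts = answer_counts(answers)
    p_max = counts.most_common(1)[0][1] / sum(counts.values())
    return -log2(p_max)


def uniform_top_k_success(space_size: int, k: int) -> float:
    """Success rate of k guesses against a uniformly random secret drawn from
    `space_size` possibilities (e.g. a random 4-digit PIN), for comparison."""
    return min(k, space_size) / space_size


def meets_guessing_budget(answers, attempts_allowed: int, max_success: float) -> bool:
    """Policy check for a recovery flow: with a lockout after `attempts_allowed`
    tries, does the attacker's per-account success rate stay at or below
    `max_success`?"""
    return top_k_guess_success(answers, attempts_allowed) <= max_success


if __name__ == "__main__":
    for k in (1, 3, 10):
        print(f"{k:>2} guess(es): {top_k_guess_success(SAMPLE_ANSWERS, k):.1%}")
    print(f"min-entropy: {min_entropy_bits(SAMPLE_ANSWERS):.2f} bits")
    print(f"random 4-digit PIN, 10 guesses: {uniform_top_k_success(10_000, 10):.2%}")
    print("10-try lockout keeps success under 1%:",
          meets_guessing_budget(SAMPLE_ANSWERS, 10, 0.01))
```

On the constructed sample the single-guess success is 20 percent and ten guesses reach 60 percent, while ten guesses against a random 4-digit PIN succeed 0.1 percent of the time. The min-entropy (about 2.3 bits here) is what a recovery flow actually defends with, regardless of how long or “personal” the answers look, which is why a lockout after ten attempts does not rescue a question whose top ten answers cover most of the population.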
Users who try to simplify their lives by giving the same string of digits as the answer to both “what’s your phone number?” and “what’s your frequent flyer number?” end up not simplifying anything: 40 percent of English-speaking users living in the US couldn’t even remember what they had chosen as an answer.
Not only that, but in an attempt to make it harder for attackers to hack them, a third of them invent a number rather than use their real phone number or real frequent flyer number. Can you guess the problem? It turns out that numbers made up by users aren’t nearly as random and hard to guess as real phone numbers.
Of the ones that used real numbers, 55 percent could remember what their first phone number was, and only 9 percent could remember what their frequent flyer number was.