User account secret questions not secure: Google
22 May 2015
For years, secret questions like "What's your mother's maiden name?" or "Who was your best friend in high school?" have been used to keep hackers out of users' accounts, but Google says they were not really doing much to keep users' information secure.
According to Google, the problems with secret questions were rooted in the answers that many people shared. For instance, for the question "What's your favorite food?" Google found that hackers had a 19.7 per cent success rate at just guessing the answer.
According to Google, the biggest problem with secret questions was their memorability. With memorability being the entire point of secret questions, this called their very existence into question. Google said there were plenty of other ways to lock down accounts, and asked why the only barrier to hackers available to users should be an insecure one.
Google pointed out that it was "next to impossible to find secret questions that are both secure and memorable." However, Google found that even for answers that were totally untrue, hackers had a 4.2 per cent success rate at guessing them right.
Google says easy-to-remember answers were not secure enough, but users could not remember secure ones.
Google and computer scientists at Stanford University studied the distribution of hundreds of millions of secret answers and presented a paper at the World Wide Web Conference in Florence, Italy this week.
Globally, the most common security questions were far too easy to figure out.
"What's your favorite food?" did not work for English speakers, as a hacker would have a 20 per cent chance of guessing right by simply choosing "pizza."
Also, people either forgot what they liked to eat or their tastes often changed.
The success rate for getting the question right when locked out of an account was 74 per cent after a month, 53 per cent after three months and 47 per cent after a year.
Names, especially in places where many people shared the same name, did not work any better.
Given 10 guesses, an attacker had a nearly 24 per cent chance of guessing the name of an Arabic speaker's first teacher.
With the same 10 guesses, an attacker would have a 21 per cent chance of guessing a Spanish speaker's father's middle name.
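
The "one guess" and "10 guesses" figures above are the share of users whose answer is among the k most common answers to a question. The following is an added example, not code from Google's paper or this article, showing how a service operator could measure that for its own questions; the sample answers, function names and thresholds are constructed assumptions.

```python
import math
import unicodedata
from collections import Counter


def normalize(answer: str) -> str:
    """Fold case, Unicode compatibility forms and whitespace, as a lenient answer check would."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def guess_success_rate(answers, k):
    """Share of users whose answer is among the k most common answers.

    This is the best result k guesses can achieve with no knowledge
    of the individual user, so it is the number a defender should audit.
    """
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    if total == 0:
        raise ValueError("no answers supplied")
    return sum(n for _, n in counts.most_common(k)) / total


def min_entropy_bits(answers):
    """Min-entropy: -log2 of the single most common answer's share."""
    return -math.log2(guess_success_rate(answers, 1))


def audit_question(answers, max_one_guess=0.01, max_ten_guess=0.05):
    """Flag a question whose answers are too concentrated (thresholds are assumptions)."""
    one = guess_success_rate(answers, 1)
    ten = guess_success_rate(answers, 10)
    flagged = one > max_one_guess or ten > max_ten_guess
    return {"one_guess": one, "ten_guesses": ten, "too_guessable": flagged}


# Constructed sample: 100 answers to "What's your favorite food?"
SAMPLE = (["pizza"] * 18 + ["Pizza "] * 2 + ["sushi"] * 10 + ["pasta"] * 8
          + ["tacos"] * 6 + [f"dish-{i}" for i in range(56)])

if __name__ == "__main__":
    print(audit_question(SAMPLE))
    print(round(min_entropy_bits(SAMPLE), 2), "bits of min-entropy")
```

Normalizing before counting matters: a recovery form that accepts "Pizza " for "pizza" makes the two answers one guess, so they must be counted as one.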