While prior reports made evident our use of terrible passwords such as “123456,” a recently published study conducted by Google researchers has found our account security questions and answers to be less than adequate.
The study found that in practice, secret questions have “poor security and memorability.” Consequently, the study’s authors deemed the security measure an unreliable means for users to recover their accounts.
We studied the distribution of hundreds of millions of secret answers and millions of account recovery claims, demonstrating that in practice secret questions have poor security and memorability. This poor level of security, their unreliability for successful account recovery, and the existence of alternative recovery options with significantly higher success rate motivated Google’s decision to favor alternative options (SMS, Email) as a recovery mechanism.
As a result of the poor level of security offered by secret questions and the existence of alternative recovery options such as SMS (text messaging) and e-mail, Google decided to lean in favor of the alternatives.
Researchers behind the study analyzed the distribution of hundreds of millions of secret answers as well as millions of account recovery claims.
The researchers found that users who gave false answers to their secret questions, in an attempt to make the answers harder to guess or easier to remember, were actually doing themselves a disservice, as some of them eventually forgot their made-up answers. The following is an example of such a lie, which can cause people to forget their own answer:
- Secret Question: How old are you?
- Secret Answer: Banana
While all of the aforementioned security qualms with account recovery questions and their user-defined answers are reason for concern, Google indicated in its study that the real concern is hackers trying to hijack accounts through “mass guessing attacks,” which target accounts with weak passwords. Essentially, the attackers play a numbers game: with no specific targets in mind, they try a short list of commonly used passwords (or, in this case, commonly chosen answers to secret questions) against a large number of accounts, rather than targeting a smaller number of accounts with a more comprehensive password list or a brute-force cracking technique.
In other Google related coverage here at Immortal News, the tech giant acquired Timeful in a move to enhance its own scheduling software, borrowed Ruth Porat from Wall Street and cracked a quantum computing paradox when its scientists stabilized qubits earlier this year.