Google has confirmed what everyone suspected after Mitt Romney’s email was hacked by correctly guessing his security question, “What’s your favorite pet?”: Security questions aren’t really secure at all.
“Despite the prevalence of security questions, their safety and effectiveness have rarely been studied in depth,” several Google researchers said in a Thursday blog post.
So they did just that, analyzing hundreds of millions of security questions and their answers from Google accounts.
“Secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism,” they said. “That’s because they suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember — but rarely both.”
When users choose an easy-to-remember question, it’s also easy for hackers to guess the answer.
For instance, a cyberattacker’s chance of correctly guessing the answer to the question, “What is your favorite food?” is about one in five.
Conversely, 40 percent of Google’s English-speaking users can’t remember the answer to their security question.
And the questions with the most secure answers (i.e. “What is your first phone number?”) are forgotten at an even higher clip, Google said.
“It appears next to impossible to find secret questions that are both secure and memorable,” said the abstract to the study Google released Thursday.
The solution? Combine a question with some other form of authentication, such as a code sent as a text message to the user.
“Secret questions continue to have some use when combined with other signals, but they should not be used alone and best practice should favor more reliable alternatives.”
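The recommendation above, a secret question used only alongside a one-time code delivered to the user, is easy to get wrong in an account-recovery flow. The following is an added example, not code from Google or from the study it describes. It assumes a hypothetical `RecoveryService` that stores only a keyed hash of the answer, issues a short-lived six-digit code through a stand-in outbox (in place of an SMS gateway), requires both the answer and the code to match before the challenge succeeds, makes each challenge single-use, and caps attempts so that a one-in-five guessable answer cannot simply be retried.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # the one-time code is valid for five minutes
MAX_ATTEMPTS = 5         # after this the challenge is dead; a new one must be issued


def normalize(answer: str) -> str:
    """Collapse case and whitespace so 'Fluffy ' and 'fluffy' compare equal."""
    return " ".join(answer.strip().lower().split())


def answer_digest(server_key: bytes, answer: str) -> bytes:
    """Keyed hash of the normalized answer; this is what gets stored, not the plaintext."""
    return hmac.new(server_key, normalize(answer).encode(), hashlib.sha256).digest()


@dataclass
class Challenge:
    answer_mac: bytes   # stored digest of the user's secret-question answer
    code: str           # one-time code that was sent out of band
    issued_at: float    # clock reading when the code was issued
    attempts: int = 0
    used: bool = False


class RecoveryService:
    """Hypothetical recovery gate: secret question AND out-of-band code, never either alone."""

    def __init__(self, server_key: bytes, clock=time.time, code_source=None):
        self.server_key = server_key
        self.clock = clock
        # Six-digit numeric code, like a typical SMS one-time code.
        self.code_source = code_source or (lambda: f"{secrets.randbelow(10**6):06d}")
        self.outbox = []  # stands in for the SMS gateway (constructed for the example)

    def start(self, user_id: str, stored_answer_mac: bytes) -> Challenge:
        code = self.code_source()
        self.outbox.append((user_id, code))
        return Challenge(stored_answer_mac, code, self.clock())

    def verify(self, ch: Challenge, answer: str, code: str) -> bool:
        # Refuse before doing any comparison if the challenge is spent, locked, or stale.
        if ch.used or ch.attempts >= MAX_ATTEMPTS:
            return False
        if self.clock() - ch.issued_at > CODE_TTL_SECONDS:
            return False
        ch.attempts += 1
        # Evaluate both factors unconditionally and in constant time, so the
        # response does not reveal which of the two was wrong.
        answer_ok = hmac.compare_digest(ch.answer_mac, answer_digest(self.server_key, answer))
        code_ok = hmac.compare_digest(ch.code.encode(), code.encode())
        if answer_ok and code_ok:
            ch.used = True
            return True
        return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    svc = RecoveryService(key)
    stored = answer_digest(key, "Fluffy")      # constructed sample answer
    challenge = svc.start("alice", stored)
    _, sent_code = svc.outbox[-1]
    print("right answer, wrong code:", svc.verify(challenge, "fluffy", "000000"))
    print("right answer, right code:", svc.verify(challenge, "fluffy", sent_code))
    print("replay of a used challenge:", svc.verify(challenge, "fluffy", sent_code))
```

The ordering matters: the lockout and expiry checks run before any comparison, the attempt counter is incremented regardless of outcome, and a successful challenge is marked used so the same code cannot be replayed. The `clock` and `code_source` parameters exist only so the flow can be driven deterministically.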