We are all too familiar with the ridiculous security questions we are asked when signing up for something on the web. What was the name of the street you grew up on? What’s your grandparents’ anniversary? How old were you when you first had surgery? Not only are these questions personal, some are an adventure just to remember. What’s worse, after you go through all that and hope you remember the answers, it turns out these security questions aren’t as secure as we thought.
Studies Show Security Not so Secure
A recent study conducted by Google showed that more than seventeen percent of the participants were actually able to guess the answers to strangers’ “secure” questions. It turns out that the most popular questions also tended to be the easiest ones to answer. Researchers at Google found that the ridiculous security questions we are asked don’t provide much security after all.
For English-speakers, the answer to the security question “What is your favorite food?” was guessed on the first try by 20% of the people asked. The answer: pizza. For Arabic-speakers, guessing the first name of a teacher took only around 10 tries. This is without having any personal data about the person, which is usually easily available online.
2009 Microsoft Research Shows Same Results
Microsoft researchers Stuart Schechter, A.J. Bernheim Brush and Serge Egelman had subjects take part in an adventure to learn about password security questions. Participants first answered questions, and then another participant guessed what the answers were. Even the participants who did not want to share their information still had their passwords guessed 17% of the time. Only five attempts were needed to guess what the answers were. Within six months, participants had even forgotten what they had originally answered. The harder the ridiculous security questions were to guess, the harder they were to remember as well.
Ridiculous Security Questions Not Very Helpful
What makes a good security question? One could argue that as long as it is safe, stable, memorable and simple, and has many possible answers, it is the way to go. However, researchers are still trying to find a happy medium between hard to guess for hackers and easy to remember for users. People already share so much personal information online, on sites like Facebook, Instagram and Twitter, that it is even more difficult to come up with a good security question. Some of the ridiculous security questions are things that people can’t relate to, such as, “What is your spouse’s name?”
For many questions, answers that seem like they should be unique end up not being so unique. Spanish-speakers’ father’s middle name was guessed 21% of the time, and Korean-speakers had their city of birth guessed 4 in 10 times. Although the ridiculous security questions are supposed to be secure, the most popular questions receive the most popular answers. Researchers say that more difficult questions, such as, “What was your first phone number?”, are harder for hackers, but they are also harder for the user to remember. So, the search goes on for the best way to provide secure log-in access for those who forget their passwords.
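The guess rates quoted above can be measured for any candidate question before it is put on a recovery form. The following is an added example, not code from the article or from either study: it computes the share of accounts that fall to the N most common answers and flags questions that exceed a limit. The function names, the threshold and the sample answers are all constructed for illustration.

```python
import math
from collections import Counter

def normalize(answer):
    # Recovery forms usually compare answers ignoring case and extra spaces,
    # so "Pizza " and "pizza" are one answer from a guesser's point of view.
    return " ".join(answer.lower().split())

def guess_success_rate(answers, guesses):
    """Fraction of accounts opened by trying the `guesses` most common answers."""
    counts = Counter(normalize(a) for a in answers)
    hits = sum(n for _, n in counts.most_common(guesses))
    return hits / len(answers)

def min_entropy_bits(answers):
    """-log2 of the most common answer's share: strength against one best guess."""
    counts = Counter(normalize(a) for a in answers)
    top = counts.most_common(1)[0][1]
    return -math.log2(top / len(answers))

def audit(question_answers, allowed_guesses, max_rate):
    """Return {question: (rate, bits)} for questions that are too guessable."""
    flagged = {}
    for question, answers in question_answers.items():
        rate = guess_success_rate(answers, allowed_guesses)
        if rate > max_rate:
            flagged[question] = (rate, min_entropy_bits(answers))
    return flagged

# Constructed sample answers (not data from the Google or Microsoft studies).
SAMPLE = {
    "favorite food": ["Pizza", "pizza ", "PIZZA", "sushi", "pizza",
                      "Tacos", "pasta", "Pasta", "steak", "curry"],
    "first phone number": ["555-01%02d" % i for i in range(10)],
}

if __name__ == "__main__":
    # Allow 3 guesses before lockout; reject questions guessed over 50% of the time.
    for question, (rate, bits) in audit(SAMPLE, 3, 0.5).items():
        print(f"{question}: {rate:.0%} guessed in 3 tries, {bits:.2f} bits min-entropy")
```

On the constructed sample only the food question is flagged; the phone-number question passes, which says nothing about whether users would still remember their answer six months later.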