ITP Techblog

Brought to you by IT Professionals NZ
Menu
« Back to Security & Privacy

Secret questions not as good as you'd think

Paul Brislen, Editor. 03 August 2020, 9:49 am

We've all seen them and probably filled them out, sometimes with real answers and sometimes with fakes designed to beat the system, but new research shows those "prove your identity" questions don't work and may actually lessen your security.

From your mother's maiden name to your first car number plate to favourite food or first pet's name, these questions are supposed to add layers of complexity to any attempt to access your account without your authorisation, but in practice they make it somewhat easier for attackers, say the authors of "Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google".

Drawing on a real-world data set from the authors' time working at Google the results are clear - the secret question process offers significantly less than user-chosen passwords and that users lying about the answers contributes to this lack of security.

"A user survey we conducted revealed that a significant fraction of users (37%) who admitted to  providing fake answers did so in an attempt to make them 'harder to guess' although on aggregate this behaviour had the opposite effect as people 'harden' their answers in a predictable way," says the report.

The data suggests that attackers would have a 19.7% success rate at guessing an English speaking user's answer for "what is your favourite food", and with a single guess would have a 3.8% chance of guessing a Spanish user's answer for "father's middle name".

Questions about city of birth or mother's maiden name are easy to find online with the plethora of users taking to social media, and obvious questions, such as favourite food, tend to have easy to guess answers ("pizza").

We're equally as poor at remembering the answer as we are at making them up.

The full report is available here.


Comments

You must be logged in in order to post comments. Log In


Web Development by The Logic Studio