Wednesday 10 June 2015

How safe are your online security questions?

We all want to be safe online, but are security questions really the answer?

Where were you born? What’s your mother’s maiden name? Who was your first teacher? These are the kinds of questions websites often ask you before letting you access your accounts or recover your passwords. They are meant to provide an extra layer of security, but Google says that answering questions to log into accounts is unreliable and unsafe.

A team of researchers at the company recently analysed the login behaviour of hundreds of millions of people, finding that around 40 per cent couldn’t remember their answers (read its report at www.snipca.com/16619).

This may seem hard to believe. After all, how can you forget where you were born? The problem is that many people, when initially entering the correct answer to the question, try to be clever or witty, in part to make it harder for hackers to guess. So instead of typing ‘Nuneaton’ as the approved answer, for example, they would type ‘Nun eating’. When the time comes to provide it, they’ve forgotten their coded answer.

The fear that hackers will guess answers has led to websites asking more obscure questions. But the answers to these are much harder to remember. Google found that only 76 per cent of people remembered the answer to ‘What’s your father’s middle name?’, info that a hacker could find with reasonable ease in this era of recklessly shared information on Facebook and Twitter. But only 55 per cent could recall the answer to ‘What was your first phone number?’, which would be much more difficult to find online. As questions become more personal, and therefore harder to guess, our recall becomes worse. Only 22 per cent of people recalled their library-card details; only nine per cent their frequent-flyer number.

Answers that don’t change over time are the easiest to remember. Your place of birth remains set forever, but not so your favourite TV show, holiday destination or type of food - Google found that only 53 per cent of people could remember their favourite food after three months.

Even if you could remember your favourite food, there’s a danger that hackers would have beaten you to it. Google claims that people’s answers are so predictable that a hacker has a 19.7 per cent chance of guessing the favourite food of an English speaker (‘pizza’, apparently). Many people also give the same answer to different questions, just as they use the same password for multiple accounts. Google says that hackers carry out “mass guessing attacks” to force their way into people’s accounts. Doing this is a lot easier than you may think. In 2009, researchers at the Institute of Electrical and Electronics Engineers guessed about 10 per cent of answers by using common responses.
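The reason a “mass guessing attack” works is that popular answers account for a large share of all accounts, so trying the same few guesses against every account pays off. The script below, added here as an illustration and not taken from Google’s report or the article, shows a site operator how to measure that risk on their own answer data: it computes what fraction of accounts fall to an attacker who is allowed k guesses per account, then shows how much an answer blocklist (rejecting the most common answers at registration) reduces it. The answer pool and the rule that displaced users spread across the remaining answers in proportion to their popularity are constructed assumptions.

```python
"""Defender-side estimate of mass-guessing risk for security-question answers.

Constructed example: the answer pool below is made up to be skewed towards a
few popular answers, as the article describes; it is not Google's data.
"""
from collections import Counter
from typing import Iterable

# Constructed pool of answers to "What is your favourite food?"
SAMPLE_ANSWERS = (
    ["pizza"] * 20 + ["Pizza"] * 5 + ["chocolate"] * 8 + ["pasta"] * 7
    + ["sushi"] * 5 + ["curry"] * 4 + ["steak"] * 3 + ["tacos"] * 3
    + ["lasagne"] * 2
    + ["paella", "kimchi", "haggis", "pho", "ramen", "biryani", "goulash",
       "falafel", "moussaka", "jollof", "pierogi", "ceviche", "borscht"]
)


def normalise(answer: str) -> str:
    """Fold case and whitespace, as a site would before comparing answers.
    Note this also merges 'pizza' and 'Pizza' into one guessable answer."""
    return " ".join(answer.strip().lower().split())


def answer_distribution(answers: Iterable[str]) -> dict[str, float]:
    """Map each normalised answer to the fraction of accounts using it."""
    counts = Counter(normalise(a) for a in answers)
    total = sum(counts.values())
    return {a: c / total for a, c in counts.items()}


def most_common(dist: dict[str, float], n: int) -> list[str]:
    """The n most popular answers: exactly the list a mass guesser would try."""
    ranked = sorted(dist.items(), key=lambda kv: kv[1], reverse=True)
    return [a for a, _ in ranked[:n]]


def top_k_guess_rate(dist: dict[str, float], k: int) -> float:
    """Fraction of accounts opened by an attacker who gets k guesses per
    account and always tries the k most popular answers. A lockout after
    k failed attempts therefore caps per-account success at this value."""
    probs = sorted(dist.values(), reverse=True)
    return sum(probs[:k])


def apply_blocklist(dist: dict[str, float], blocklist: Iterable[str]) -> dict[str, float]:
    """Model a registration-time policy that rejects blocklisted answers.
    Assumption (constructed): users who must pick again spread over the
    surviving answers in proportion to those answers' existing popularity."""
    blocked = {normalise(b) for b in blocklist}
    kept = {a: p for a, p in dist.items() if a not in blocked}
    remaining = sum(kept.values())
    return {a: p / remaining for a, p in kept.items()}


if __name__ == "__main__":
    dist = answer_distribution(SAMPLE_ANSWERS)
    print("Most common answers:", most_common(dist, 3))
    for k in (1, 3, 5):
        print(f"{k} guess(es) per account: {top_k_guess_rate(dist, k):.1%} of accounts fall")

    hardened = apply_blocklist(dist, most_common(dist, 1))
    print("After blocking the top answer at registration:")
    for k in (1, 3, 5):
        print(f"{k} guess(es) per account: {top_k_guess_rate(hardened, k):.1%} of accounts fall")
```

Run against a real answer table, the first loop tells you how much a lockout threshold actually buys you, and the second shows that blocking only the single most popular answer still leaves a large share of accounts exposed, which is the article’s point: questions should be a last resort behind a recovery phone number or email, not the sole check.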

Google’s solution is to make sure its users never rely solely on answering questions because “it appears next to impossible to find secret questions that are both secure and memorable”. Instead, as it outlined in a recent blog post (www.snipca.com/16632), Google will only ask questions “as a last resort” when it can’t prove a person’s identity by email or text message. It also advises people to boost their Google security at https://myaccount.google.com by adding a “recovery” phone number and email address. Doing so will mean you won’t have to remember every last detail of your life.

THE FACTS

• 24 per cent of people couldn’t remember their father’s middle name when answering a security question
• Hackers carry out “mass guessing attacks” to work out answers and access accounts
• Google says it will use security questions only when it can’t identify a person by text or email