Toronto Star

Your love for pizza may threaten your web security

Questions for account access online too easy, study finds

- Elizabeth Weise, USA Today

SAN FRANCISCO — Bad news for security questions — it turns out lots of people love pizza.

You know those annoying security questions you have to answer when you sign up for some online accounts so you can recover your password if you forget it?

A study by Google researchers found that they aren’t very secure at all.

The problem is that easy-to-remember answers aren’t secure enough, but users can’t remember secure ones, the study found.

Google and computer scientists at Stanford University looked at the distribution of hundreds of millions of secret answers. Their paper was presented at the World Wide Web Conference in Florence, Italy, this week.

Globally, the most common security questions are far too easy to figure out.

“What’s your favourite food?” doesn’t work for English speakers. A hacker would have a 20-per-cent chance of guessing right by simply choosing “pizza.”

Not only that, but people either forget what they like to eat or their tastes change pretty quickly. The success rate for getting the question right when locked out of an account was 74 per cent after a month, 53 per cent after three months and 47 per cent after a year.

Names, especially in places where many people share the same name, don’t work much better. Given 10 guesses, an attacker would have a nearly 24-per-cent chance of guessing the name of an Arabic-speaker’s first teacher.

Those same 10 guesses would give an attacker a 21-per-cent chance of guessing a Spanish speaker’s father’s middle name.

Surprisingly, questions such as “What’s your phone number?” or “What’s your frequent flyer number?”, which would seem more secure, turned out to be less safe. There were two reasons. First, more than a third of people turned out to give a false answer when asked to set up a security question.

They told surveyors they wanted to make them “harder to guess.”

Unfortunately, the numbers they made up tended to be less random than real phone numbers. The researchers found that 4.2 per cent of English speakers had the “same” frequent flyer number and 0.4 per cent had the same phone number — making them easier for would-be attackers to crack.
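The two measurements behind the figures above, how many accounts an attacker opens with the k most popular answers and how many users share an answer with someone else, can be computed over any answer corpus a site holds. This is an added example, not code from the study or from Google; the favourite-food and phone-number lists are constructed to illustrate the point (one fifth of the sample chose pizza, and the made-up phone numbers cluster on a few patterns).

```python
from collections import Counter
from typing import Iterable


def normalize(answer: str) -> str:
    """Canonicalise an answer so trivially different spellings of the same
    guess ("Pizza", " pizza ", "PIZZA") are counted together, as a recovery
    check comparing answers would treat them."""
    return " ".join(answer.strip().lower().split())


def guess_success_rate(answers: Iterable[str], k: int) -> float:
    """Share of accounts an attacker opens with the k most popular answers:
    the sum of the k largest answer frequencies in the population."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    return sum(c for _, c in counts.most_common(k)) / total


def duplicate_share(answers: Iterable[str]) -> float:
    """Fraction of users whose answer is identical to at least one other
    user's. A high value means the 'secret' is reused across accounts."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    return sum(c for c in counts.values() if c > 1) / total


# Constructed sample data (not from the study): 20 favourite-food answers
# in which one fifth of users chose pizza, ten invented phone numbers of
# the kind people type when asked to "make one up", and ten distinct
# real-looking numbers (416-555 is a fictitious exchange).
FAVOURITE_FOOD = [
    "pizza", "Pizza", "PIZZA ", "pizza", "sushi", "sushi", "tacos", "tacos",
    "pasta", "steak", "curry", "ramen", "burgers", "salad", "chocolate",
    "ice cream", "biryani", "pho", "dumplings", "lasagna",
]
FAKE_PHONE = [
    "1234567890", "1234567890", "0000000000", "5555555555", "1234567890",
    "1111111111", "0000000000", "9876543210", "1234567890", "5555555555",
]
REAL_PHONE = ["416555%04d" % i for i in range(1, 11)]


def question_report(name: str, answers: list) -> dict:
    """Summarise how guessable one security question's answers are."""
    return {
        "question": name,
        "top1": guess_success_rate(answers, 1),
        "top10": guess_success_rate(answers, 10),
        "duplicates": duplicate_share(answers),
    }


if __name__ == "__main__":
    for name, data in [("favourite food", FAVOURITE_FOOD),
                       ("made-up phone number", FAKE_PHONE),
                       ("real phone number", REAL_PHONE)]:
        print(question_report(name, data))
```

Run against a real answer table, the same three numbers tell a site operator whether a question is worth offering at all before any memorability survey is done.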

The other problem was that people forget numbers. Only 55 per cent of people could remember their first phone number and just 9 per cent remembered their frequent flyer number.

In a blog post Thursday, Google said it has switched to using a text message or backup email address as its main account recovery mechanism, with security questions “as a last resort.”
