Google warns that security questions aren’t that secure

Though we mainly see them online these days, security questions predate the Internet by quite a bit. Banks, for example, have commonly used questions like “what is your mother’s maiden name?” since the beginning of the 20th century. There’s a problem though: Google says that despite their widespread use, security questions aren’t actually all that secure.

The main problem with security questions is that they’re either easy to remember or hard to guess, but very rarely both, according to a research paper Google recently presented at WWW 2015.

Google has a unique advantage when it comes to studying this subject, as it has access to a huge amount of data. A team of researchers analyzed “hundreds of millions” of questions and answers that had been used for Google account recovery claims, according to a post on the Google Online Security Blog.

The researchers found that many of the most common questions could be answered correctly within ten guesses, with a success rate between 21 and 39 percent, depending on the question. With a single guess, an attacker had a nearly 20 percent chance of guessing the answer to the question “what is your favorite food?” The usual answer? Pizza.

You may have seen advice that answering security questions with deliberately “wrong” answers is a better tactic, but Google’s researchers found that this often backfired: the answers became easier, not harder, to guess, because many people pick the same false answers.

The problem is compounded by the fact that answers that are more difficult to guess are also more difficult to remember. Research shows that using two different security questions reduced an attacker’s chance to correctly guess the answer within ten attempts to less than one percent, but that users only remembered the answers to both questions 59 percent of the time.
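The metric behind these figures is the attacker’s success rate when trying the k most common answers. The following Python is an added example (not code from the paper or from Google) that computes that rate over a small constructed answer set, skewed the way the article describes, and then combines two questions under a simplifying independence assumption:

```python
from collections import Counter

# Constructed sample answers (not Google's data). The skew mirrors the
# article: one answer ("pizza") dominates the favourite-food question.
FAVORITE_FOOD = (["pizza"] * 20 + ["sushi"] * 8 + ["pasta"] * 7 + ["tacos"] * 5
                 + ["steak"] * 4 + ["curry"] * 3 + [f"dish{i}" for i in range(53)])
FIRST_PET = (["Max"] * 6 + ["bella"] * 5 + ["Charlie"] * 4 + ["lucy"] * 3
             + [f"pet{i}" for i in range(82)])


def normalize(answer: str) -> str:
    """Fold case and whitespace, as a recovery form typically does, so
    'Pizza' and ' pizza ' count as the same answer."""
    return " ".join(answer.lower().split())


def guess_success_rate(answers, guesses: int) -> float:
    """Fraction of accounts an attacker opens by submitting the `guesses`
    most common answers, one after another, against every account."""
    counts = Counter(normalize(a) for a in answers)
    covered = sum(count for _, count in counts.most_common(guesses))
    return covered / len(answers)


def two_question_rate(answers_a, answers_b, guesses: int) -> float:
    """Success rate when both questions must be answered, each within
    `guesses` attempts. Assumes the two answers are independent, which
    real user data may not satisfy (a simplification, not the paper's model)."""
    return guess_success_rate(answers_a, guesses) * guess_success_rate(answers_b, guesses)


if __name__ == "__main__":
    for k in (1, 10):
        print(f"{k:2d} guess(es): food={guess_success_rate(FAVORITE_FOOD, k):.2%}, "
              f"pet={guess_success_rate(FIRST_PET, k):.2%}, "
              f"both={two_question_rate(FAVORITE_FOOD, FIRST_PET, k):.2%}")
```

Running the same function over real recovery logs is how a service can find out which of its questions are effectively one-guess secrets before an attacker does.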

So what are we supposed to do? Google proposes avoiding security questions entirely, using backup codes sent via text message or other forms of two-factor authentication instead. It isn’t as easy, but it is more secure.

For more information, see the full paper, enticingly entitled Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google, which is available for free on Google Research.

Kris Wouk
Former Digital Trends Contributor