Secret questions are not as safe as you think

SecurityUsing secret questions to gain access to accounts when you’ve forgotten the password is not as safe as you might think. At least that is what Google’s new research says.

A whitepaper (PDF) called “Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google” while processing data that were collected form millions of users, concluded that the particular tactic (of secret questions) is not only non efficient but it also puts in danger the accounts’ security.

You might be wondering where did all that come from, right? And you wouldn’t be wrong, the whole idea of secret questions as an extra measure you can use in case you forget your password makes sense. All you have to do is type in the secret answer to the question which only you know (otherwise it wouldn’t be a secret would it now?). So where is the problem with all that?

The problem seems to be – always according to Google’s research – that most people can’t remember the answers to the secret questions. And that is because most of the times they put false answers, sometimes thinking that they’ll help make the system more secure and other times because they just don’t want to share information about their personal lives (the secret questions are about the user’s personal life, for instance first pet’s name, best friend’s name etc). The result to that is people forgetting the secret answers soon after they type them in.

Another report of the research mentions: “What we believe to be our favourite food today may not be our favourite food when we answered the question as well. In fact, if you are asked one month later, there is a 74% chance that you won’t remember your answer”.

So what is the best question whose answer you will be able to remember? As Google’s researchers indicate, the best kind of questions are the ones whose answers remain the same or have nothing to do with personal preferences. Such questions could be the town where you were born or your father’s name. Not  that your mother’s name would change in the future, but no question asks for both names so far, so you’re going to have to make a choice anyway.

Furthermore, the research presents some very interested statistics, on how easily most of the questions can be guessed. For instance with 10 efforts given, one can guess correctly 39% of a Korean town.

To sum it up, we people are foolish enough to believe that e are actually smart. So avoid giving answers that may change in the future or false answers. Second, the best solutions seems to be a simple text (SMS) or an email to retrieve your passwords. Secret questions are best used when combined with other extra security measures. So next time be more careful with your answers. You never know when you will forget them or who feels lucky enough to guess!

Last Updated on