
Google Study: Most Security Questions Easy To Hack

There’s a big problem with the security questions often used to help people log into Web sites, or remember or access lost passwords — questions with answers that are easy to remember are also easy for hackers to guess. That’s the key finding of a study that Google recently presented at the International World Wide Web Conference in Florence, Italy.

Google said it analyzed hundreds of millions of secret questions and answers that users had employed to recover access to their accounts. It then calculated how easily hackers could guess the answers to those questions.

In many cases, the answers were relatively easy to hit upon because of unique cultural factors, according to the study. For English speakers, for example, hackers had a 19.7 percent chance of guessing — in just one guess — the right answer to the question, “What is your favorite food?” (Answer: pizza.)


‘Neither Secure nor Reliable’

Google undertook the study because, “despite the prevalence of security questions, their safety and effectiveness have rarely been studied in depth,” noted Anti-Abuse Research Lead Elie Bursztein and Software Engineer Ilan Caron. The conclusion reached after looking at all those millions of questions and answers? “(S)ecret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism,” Bursztein and Caron said Thursday in a post on Google’s Online Security Blog.

One big problem is that certain names, cities and foods are likely to be common choices for speakers of a given language, they noted. For Spanish-speaking users, for instance, hackers had a 21 percent chance — within 10 tries — of guessing the answer to, “What is your father’s middle name?” For Arabic speakers, a hacker making 10 guesses had a 24 percent chance of landing on the correct answer to “What’s your first teacher’s name?”

Korean speakers were especially vulnerable to having hackers guess the answers to their security questions, Google found. Given 10 tries, for example, a hacker had a 39 percent chance of figuring out, “What is your city of birth?” and a 43 percent chance of finding the right answer to, “What is your favorite food?”

Choosing fake answers to security questions is no way to “fool” hackers, Bursztein and Caron added. “We dug into this further and found that 37 percent of people intentionally provide false answers to their questions thinking this will make them harder to guess,” they said. “However, this ends up backfiring because people choose the same [false] answers, and actually increase the likelihood that an attacker can break in.”
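The figures above are all the same quantity: the share of users whose answer falls in an attacker's top-k list, where k is the number of attempts a recovery form allows before locking out. The following added example (not code from the study or from Google) computes that metric over a constructed set of answers, so a site owner can audit stored answers, and shows why colliding "fake" answers raise the rate rather than lower it.

```python
from collections import Counter

# Constructed answers to "What is your favorite food?" for 20 hypothetical
# users (sample data made up for this example, not data from the study).
SAMPLE_ANSWERS = [
    "Pizza", "pizza", " PIZZA", "pizza", "sushi", "Sushi", "tacos", "curry",
    "pasta", "burger", "ramen", "steak", "salad", "noodles", "ice  cream",
    "chocolate", "biryani", "falafel", "dumplings", "pho",
]

# Same population, but 7 of the 20 users replaced their real answer with a
# made-up one; the fakes collide because people reach for the same few strings.
FAKE_ANSWERS = SAMPLE_ANSWERS[:13] + [
    "none", "asdf", "none", "asdf", "none", "asdf", "none",
]


def normalize(answer: str) -> str:
    """Canonicalise the way a lenient recovery form compares answers:
    case-insensitive, with surrounding and repeated whitespace ignored."""
    return " ".join(answer.lower().split())


def guess_success_rate(answers, k: int) -> float:
    """Probability that someone who knows only the overall answer
    distribution (nothing about the individual user) succeeds within k
    attempts against a random user: the combined share of the k most
    common normalised answers."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    return sum(c for _, c in counts.most_common(k)) / total


def audit(answers, budgets=(1, 10)) -> dict:
    """Report the success rate at each attempt budget, e.g. 1 guess and the
    10 guesses a lockout policy might permit, rounded for display."""
    return {k: round(guess_success_rate(answers, k), 3) for k in budgets}


if __name__ == "__main__":
    print("true answers:", audit(SAMPLE_ANSWERS))
    print("with fakes:  ", audit(FAKE_ANSWERS))
```

The lower the attempt budget k, the lower the rate, which is the quantitative reason recovery forms need strict rate limiting as well as better questions.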


‘Least Expensive . . . Until Breached’

Bursztein and Caron noted that users can improve security by using more than one question, reducing the odds of a hacker guessing multiple correct answers. Unfortunately, though, that strategy also makes it harder for users to remember the right answers, too.

“For years, [Google has] only used security questions for account recovery as a last resort when SMS text or back-up e-mail addresses don’t work and we will never use these as stand-alone proof of account ownership,” the researchers added. “In parallel, site owners should use other methods of authentication, such as back-up codes sent via SMS text or secondary e-mail addresses, to authenticate their users and help them regain access to their accounts. These are both safer, and offer a better user experience.”

We asked tech writer Dennis O’Reilly, who authored the online “I Hate Passwords” guide, why better online security measures haven’t taken hold after so many recent high-profile breaches. His one-word response? “Money.”

“Passwords and secret questions are the least-expensive authentication methods — at least until they’re breached,” O’Reilly said.

In his guide, O’Reilly offered several strategies for choosing better passwords. For example, he said, “Take a children’s rhyme, the lyrics of a song you know by heart, or the lines of a poem, and use the third letter of each word (the first or second letter for short words). For example, ‘Mary had a little lamb. Its fleece was white as snow’ becomes this password: rdatmsesiso. After you type it a few times, entering it becomes almost automatic.”

O’Reilly added, “A long string of real text is safer than a short string of nonsensical characters (the upper and lower case, numbers, and symbols some sites and services require). So something like ‘mybestfriendsnameisbobhelivesintucson’ is more secure than ‘7Y$u4r’.” For security questions consider providing the correct answer but entering it backwards, he said.

Another tactic recommended by security experts involves three-step authentication “that uses 1) something you know, such as your password, 2) something you have, such as a USB token you plug into your PC or your cellphone for two-factor authentication, and 3) something you are, such as your fingerprint or a facial scan,” he said.

We also reached out to Paul Trulove, vice president of product management at the cybersecurity firm SailPoint, to get his thoughts on the study. He told us he wasn’t at all surprised by Google’s findings. “(Y)ou’d be surprised to hear just how many organizations simply aren’t doing it right. The real surprise comes from the fact that the majority of the data breaches over the past few years could have been avoided or minimized by simply enforcing stronger password policies,” he said.

However, Trulove said there’s only so much IT can do to protect access to applications and data. “But with the right tools in place to put some onus back on the employees, they can help alleviate the burden,” he said. “But, it has to involve more than just instituting security questions. Securing access ultimately falls to the employees and management to ensure that protecting sensitive information is of the utmost importance.”
