There’s a big problem with the security questions often used to help people log into Web sites, or remember or access lost passwords — questions with answers that are easy to remember are also easy for hackers to guess. That’s the key finding of a study that Google recently presented at the International World Wide Web Conference in Florence, Italy.
Google said it analyzed hundreds of millions of secret questions and answers that users had employed to recover access to their accounts. It then calculated how easily hackers could guess the answers to those questions.
In many cases, the answers were relatively easy to hit upon because of unique cultural factors, according to the study. For English speakers, for example, hackers had a 19.7 percent chance of guessing — in just one guess — the right answer to the question, “What is your favorite food?” (Answer: pizza.)
‘Neither Secure nor Reliable’
Google undertook the study because, “despite the prevalence of security questions, their safety and effectiveness have rarely been studied in depth,” noted Anti-Abuse Research Lead Elie Bursztein and Software Engineer Ilan Caron. The conclusion reached after looking at all those millions of questions and answers? “(S)ecret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism,” Bursztein and Caron said Thursday in a post on Google’s Online Security Blog.
One big problem is that certain names, cities and foods are likely to be common choices for speakers of a given language, they noted. For Spanish-speaking users, for instance, hackers had a 21 percent chance — within 10 tries — of guessing the answer to, “What is your father’s middle name?” For Arabic speakers, a hacker making 10 guesses had a 24 percent chance of landing on the correct answer to “What’s your first teacher’s name?”
Korean speakers were especially vulnerable to having hackers guess the answers to their security questions, Google found. Given 10 tries, for example, a hacker had a 39 percent chance of figuring out, “What is your city of birth?” and a 43 percent chance of finding the right answer to, “What is your favorite food?”
Choosing fake answers to security questions is no way to “fool” hackers, Bursztein and Caron added. “We dug into this further and found that 37 percent of people intentionally provide false answers to their questions thinking this will make them harder to guess,” they said. “However, this ends up backfiring because people choose the same [false] answers, and actually increase the likelihood that an attacker can break in.”
‘Least Expensive . . . Until Breached’
Bursztein and Caron noted that users can improve security by using more than one question, reducing the odds of a hacker guessing multiple correct answers. Unfortunately, that strategy also makes it harder for users to remember the right answers.
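The percentages above are all the same measurement: how many accounts an attacker opens by guessing the most popular answers first, within a fixed number of tries. The following Python, an added example rather than anything from the study or Google's code, computes that guess-success rate, the number of guesses needed to reach a target coverage, the min-entropy of a question, and the combined rate when a site requires several independent questions. The answer distribution is constructed for illustration; only the 19.7 percent share for "pizza" echoes a figure on the page.

```python
import math
from typing import Dict, List, Optional

# Constructed sample (not the study's data): answers to "What is your favorite
# food?" from 1,000 accounts. "pizza" is given 19.7% to match the page's headline
# number; every other count is invented for illustration.
SAMPLE_COUNTS: Dict[str, int] = {
    "pizza": 197, "pasta": 40, "sushi": 35, "tacos": 30, "steak": 25,
    "chicken": 22, "burger": 20, "curry": 18, "salad": 15, "ramen": 12,
}
# The remaining 586 accounts each gave an answer nobody else gave.
SAMPLE_COUNTS.update({f"unique-answer-{i}": 1 for i in range(586)})


def ranked_counts(counts: Dict[str, int]) -> List[int]:
    """Answer popularity in descending order: the order an attacker guesses in."""
    return sorted(counts.values(), reverse=True)


def guess_success(counts: Dict[str, int], tries: int) -> float:
    """Fraction of accounts opened within `tries` guesses when the attacker
    tries the most popular answers first (the strategy the study measures)."""
    total = sum(counts.values())
    return sum(ranked_counts(counts)[:tries]) / total


def guesses_needed(counts: Dict[str, int], target: float) -> Optional[int]:
    """Smallest number of guesses whose cumulative coverage reaches `target`
    (a fraction of accounts). Integer arithmetic avoids float drift."""
    total = sum(counts.values())
    covered = 0
    for i, n in enumerate(ranked_counts(counts), start=1):
        covered += n
        if covered >= target * total:
            return i
    return None  # only reachable for target > 1


def min_entropy_bits(counts: Dict[str, int]) -> float:
    """Min-entropy: -log2 of the single most popular answer's share. This is
    the right figure of merit for one-shot guessing; Shannon entropy would be
    inflated by the long tail of unique answers."""
    total = sum(counts.values())
    return -math.log2(ranked_counts(counts)[0] / total)


def combined_success(per_question: List[float]) -> float:
    """Attacker success when a site demands every answer to several questions.
    Assumes the answers are independent, so the rates multiply."""
    p = 1.0
    for rate in per_question:
        p *= rate
    return p


def audit(counts: Dict[str, int], tries: int = 10, max_rate: float = 0.01) -> dict:
    """Defender-side check: is a question acceptable under a success-rate
    budget for an online attacker allowed `tries` attempts? The 1% default
    budget is an assumed policy value, not one from the page."""
    rate = guess_success(counts, tries)
    return {
        "tries": tries,
        "success_rate": rate,
        "min_entropy_bits": min_entropy_bits(counts),
        "acceptable": rate <= max_rate,
    }


if __name__ == "__main__":
    print("1 guess :", guess_success(SAMPLE_COUNTS, 1))
    print("10 guesses:", guess_success(SAMPLE_COUNTS, 10))
    print("guesses to cover 40%:", guesses_needed(SAMPLE_COUNTS, 0.4))
    print("two questions, 1 guess each:", combined_success([0.197, 0.21]))
    print(audit(SAMPLE_COUNTS))
```

With the constructed distribution, one guess succeeds 19.7 percent of the time and ten guesses 41.4 percent, so the question fails the audit by a wide margin; pairing it with a second question at the 21 percent rate quoted for Spanish speakers still leaves roughly a 4 percent one-guess success rate under the independence assumption, which is why the researchers treat secret questions as a last resort rather than a standalone proof of ownership.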
“For years, [Google has] only used security questions for account recovery as a last resort when SMS text or back-up e-mail addresses don’t work and we will never use these as stand-alone proof of account ownership,” the researchers added. “In parallel, site owners should use other methods of authentication, such as back-up codes sent via SMS text or secondary e-mail addresses, to authenticate their users and help them regain access to their accounts. These are both safer, and offer a better user experience.”
We asked tech writer Dennis O’Reilly, who authored the online “I Hate Passwords” guide, why better online security measures haven’t taken hold after so many recent high-profile breaches. His one-word response? “Money.”
“Passwords and secret questions are the least-expensive authentication methods — at least until they’re breached,” O’Reilly said.
In his guide, O’Reilly offered several strategies for choosing better passwords. For example, he said, “Take a children’s rhyme, the lyrics of a song you know by heart, or the lines of a poem, and use the third letter of each word (the first or second letter for short words). For example, ‘Mary had a little lamb. Its fleece was white as snow’ becomes this password: rdatmsesiso. After you type it a few times, entering it becomes almost automatic.”
O’Reilly added, “A long string of real text is safer than a short string of nonsensical characters (the upper and lower case, numbers, and symbols some sites and services require). So something like ‘mybestfriendsnameisbobhelivesintucson’ is more secure than ‘7Y$u4r’.” For security questions consider providing the correct answer but entering it backwards, he said.
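To make the two pieces of advice above concrete, here is an added Python example (not O'Reilly's code or any tool from his guide) that implements the quoted third-letter rule and checks it against his own "Mary had a little lamb" example, then estimates the brute-force search space of a password from its length and the character classes it uses, the model under which his long-phrase comparison holds. The one-letter and two-letter fallbacks, the punctuation handling and the character-class sizes are assumptions made here, not rules stated on the page.

```python
import math
import re
import string


def mnemonic_password(text: str) -> str:
    """Quoted rule: take the third letter of each word; for short words use the
    first or second letter. Assumed interpretation: one-letter words give their
    only letter, two-letter words their second. Punctuation is ignored and the
    result is lower-cased, which is consistent with the page's own example."""
    words = re.findall(r"[A-Za-z]+", text)
    letters = []
    for word in words:
        word = word.lower()
        index = min(2, len(word) - 1)  # third letter, or the last one available
        letters.append(word[index])
    return "".join(letters)


def charset_size(password: str) -> int:
    """Size of the alphabet an exhaustive attacker must cover, inferred from the
    character classes present. Class sizes are the usual ASCII counts
    (an assumption of this example): 26 lower, 26 upper, 10 digits, 32 symbols."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += 32
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the number of strings an attacker must try to exhaust every
    password of this length over the inferred alphabet. This measures only
    resistance to exhaustive search; an attacker working from a dictionary
    of phrases faces a far smaller space for natural-language passwords."""
    size = charset_size(password)
    if size == 0 or not password:
        return 0.0
    return len(password) * math.log2(size)


if __name__ == "__main__":
    rhyme = "Mary had a little lamb. Its fleece was white as snow"
    pw = mnemonic_password(rhyme)
    print(pw, f"{brute_force_bits(pw):.1f} bits")
    for candidate in ("mybestfriendsnameisbobhelivesintucson", "7Y$u4r"):
        print(candidate, f"{brute_force_bits(candidate):.1f} bits")
```

Run as a script, the rhyme yields the page's `rdatmsesiso`, the 37-letter phrase comes out near 174 bits of exhaustive-search work and the six-character mixed string near 39 bits, which is the sense in which the longer lowercase string is the stronger one. The figure is a ceiling: `brute_force_bits` says nothing about how quickly a dictionary or phrase-based attack would find a sentence made of common words.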
Another tactic recommended by security experts involves three-step authentication “that uses 1) something you know, such as your password, 2) something you have, such as a USB token you plug into your PC or your cellphone for two-factor authentication, and 3) something you are, such as your fingerprint or a facial scan,” he said.
We also reached out to Paul Trulove, vice president of product management at the cybersecurity firm SailPoint, to get his thoughts on the study. He told us he wasn’t at all surprised by Google’s findings. “(Y)ou’d be surprised to hear just how many organizations simply aren’t doing it right. The real surprise comes from the fact that the majority of the data breaches over the past few years could have been avoided or minimized by simply enforcing stronger password policies,” he said.
However, Trulove said there’s only so much IT can do to protect access to applications and data. “But with the right tools in place to put some onus back on the employees, they can help alleviate the burden,” he said. “But, it has to involve more than just instituting security questions. Securing access ultimately falls to the employees and management to ensure that protecting sensitive information is of the utmost importance.”