August 6, 2015

Protecting Online Accounts

‘Secret’ questions can be easy to break

Reported by Jill Cornfield

Personal knowledge questions—aka secret questions or challenge questions—are supposed to help protect your online information and accounts. The theory is that the answers, while unknown to most others, stay in your head longer than passwords.

But a recent study, “Secrets, Lies, and Account Recovery: Lessons From the Use of Personal Knowledge Questions at Google,” reveals that these prompts may be weak safeguards. Taking a deep dive into how and why people choose the answers they do—and how well they recall their own responses—two researchers at Google examined the security and memorability of personal knowledge questions based on usage at the company.

Attacks against secret questions are a real risk for a host of reasons. First, many users share common answers. In a single guess, an attacker stands a 19.7% chance of guessing English-speaking users’ answers for the question “Favorite food?” Also with a single guess, an attacker has a 3.8% chance at guessing Spanish-speaking users’ answers for “Father’s middle name?”

Questions that are more secure have worse recall than unsafe questions: Their answers are simply harder to remember. For the English-speaking population, the question “Father’s middle name?” had a success rate of 76% overall; the potentially safer question—because it would be harder to guess correctly—“First phone number?” had a 55% recall. And the potentially safest questions of all have abysmal recall: “Library card number?” has a 22% recall and “Frequent flyer number?” has only a 9% recall.

The worse the recall for the question itself, the less likely users are to remember their answer to the prompt during a website login. So, choose “father’s middle name”—not “frequent flyer number.”

Also among the findings:

The ability to remember an answer decreases significantly over time. The success rate for “Favorite food?” was 74% after a month but dipped to 53% after three months. A year later, it was barely 47%.

Questions that are supposedly more secure because of the expectation that each user has a different answer can fail because people sometimes deliberately provide untruthful responses. They do this either to make the answer harder to guess (37% of the 1,500 respondents) or easier to remember (15%). Ironically, giving false information does neither.

Nearly all questions are potentially vulnerable to trawling attacks, where a hacker makes a few guesses of common answers for a large number of accounts in hopes of compromising them.