Secret Questions Can Be Easy to Break

Personal knowledge questions may defeat their own actual purpose of maintaining account security.

Personal knowledge questions (a/k/a “secret questions” or “challenge questions,” among other names) are supposed to help protect your online information and accounts. The theory is that the answers to these questions stay in your head (and nobody else’s) longer than passwords.

But a recent study, “Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google,” reveals that these questions may in fact be weak safeguards. Taking a deep dive into how and why people choose the answers they choose—and how well they recall their own answers—two researchers at Google examined the first large real-world data set on the security and memorability of personal knowledge questions from their use at Google.

Attacks against secret questions are a real risk for a host of reasons. First, many users share common answers. In a single guess, an attacker stands a 19.7% chance of guessing English-speaking users’ answers for the question “Favorite food?” Also with a single guess, an attacker has a 3.8% chance at guessing Spanish-speaking users’ answers for “Father’s middle name?”

Questions that are more secure have worse recall than unsafe questions: their answers are simply harder to remember. For the English-speaking population, the question “Father’s middle name?” had a success rate of 76% overall; the potentially safer question—because it would be harder to guess correctly— “First phone number?” had a 55% recall. And the potentially safest questions of all have abysmal recall: “Library card number?” has a 22% recall and “Frequent flyer number?” has only a 9% recall.

The harder to remember, the worse the recall for a security question to get the password prompt from a website login. So choose “father’s middle name”—not “frequent flyer number.”

Among the findings:

  • The ability to remember an answer decreases significantly over time. The success rate for “Favorite food?” was 74% after a month, but dipped to 53% after three months. A year later, it was barely 47%.
  • Questions that are supposedly more secure because of the expectation that each user has a different answer can fail because people sometimes deliberately provide untruthful answers. They give untruthful answers to secret questions either to make the answer harder to guess (37% of the 1,500 respondents) or easier to remember (15%). Ironically, it does neither.
  • Nearly all questions are potentially vulnerable to trawling attacks, where an attacker makes a few guesses of common answers for a large number of accounts in hopes of compromising a significant number of random accounts.