You remember those secret questions you are asked to complete when you create a new online account, the ones whose answers are used for account recovery in case you forget your password? It turns out they don’t work very well for users and aren’t very safe from hackers either.
Sometimes, the questions are easy to hack
What city were you born in? What is your mother’s maiden name? Who is your favorite superhero? What is your favorite dog’s name? How hard is it really for a hacker to find answers to those questions? In many cases, not very. It might be as easy as glancing at your social media profile. Other times a question that seems difficult is really easy based on statistics. We tend to all prefer, for instance, the same top two or three superheroes.
Statistically speaking, who’s your hero?
Sometimes statistics can reduce the guessing process to two or three steps. The most popular superhero of all time is Batman. If he isn’t your favorite, statistically speaking Spider-Man or Superman will be. In research parlance, this question has a trivially small answer space. In any case, a hacker is likely to pick your favorite within a guess or two.
Sometimes the answer is statistically evident
If you were born in South Dakota, chances are good it was in Sioux Falls, by far the most populous city. If not, probably Rapid City, with a bit less than half the population of Sioux Falls. The populations of the next two dozen towns don’t add up to the population of the two largest cities, and most of them don’t have maternity hospitals. This is an example of a question that yields unexpectedly few logical answers.
Names and phone numbers are big business
There is an overwhelming amount of information on the Internet associated with names, phone numbers, and addresses. A quick search of any name will return dozens of sites that show every birth and married name, associated family names, and historical information like phone numbers and addresses. That’s stuff that is available for free. Anyone willing to pay a few bucks can get much more.
Your social media posts may tell all the rest
Take an honest look at your social media profile. How many of the common secret questions do you answer in your profile, pictures, and posts? There may be more than you think. Given the sometimes-surprising ease with which information is available, or guessed, your social media account may be a problem.
What is your favorite food? Research shows that fewer than half of users will remember the answer they gave one year later. The memorability of answers not only decreases with time, but our preferences also change. Our ability to recall facts and details degrades with time. Answers that require free recall (recall without cues), like your first phone number, might be easy to recall when creating an account, but forgotten years later when the information is needed.
Many of us lie when answering, but that doesn’t work well either
Ironically, not answering secret questions truthfully has the opposite of the intended result. Most users provide false answers to (1) improve security, (2) make answers easier to remember, and (3) protect their own privacy. However, instead of making answers harder for someone else to guess, false answers make them harder for the users themselves to recall. The more secure the question, the worse the recall. Overall, giving false answers to secret questions reduced security rather than enhancing it, by preventing authorized users from regaining accounts they were entitled to.
What is the solution?
The use of secret questions for account security is declining, but they are still widely used. Secret answers often can be discovered by hackers, and the questions can seem intrusive. So using false answers is a valid strategy, as long as you document your answers so you can retrieve them when you need them. In fact, there is no reason to use logical answers. Your answer to your birth city doesn’t have to actually be a city. You can create literally any answer for most questions. As with all things password-related, your best solution might be a password manager. Password managers can save more than usernames and passwords, because you can add notes to an account entry. The notes section is a good place to store a PIN and the questions and answers that you might need to regain access to your account. Remember that with a little research a hacker might be able to guess your true answers and, in time, you are likely to forget false ones. So treating secret questions like passwords and creating non-guessable answers is a good security strategy, as long as you safely record them for later recall.
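The contrast the article draws, a question whose answer space is a handful of popular choices versus a password-style answer generated at random and kept in a password manager, as an added example (not code from the article or from Oasis Connections). The superhero answer shares are constructed for illustration and are not figures from the article.

```python
import json
import math
import secrets
import string

# Constructed, illustrative answer shares for "Who is your favorite superhero?"
# (not figures from the article): a few answers cover most users, and "other"
# stands for the long tail that no single guess can hit.
SUPERHERO_SHARE = {"Batman": 0.35, "Spider-Man": 0.25, "Superman": 0.15, "other": 0.25}

def top_k_guess_success(shares, k):
    """Chance that the k most popular guesses include a user's real answer."""
    ranked = sorted((p for a, p in shares.items() if a != "other"), reverse=True)
    return sum(ranked[:k])

def answer_entropy_bits(shares):
    """Shannon entropy of the answer distribution in bits; small means guessable."""
    return -sum(p * math.log2(p) for p in shares.values() if p > 0)

ALPHABET = string.ascii_letters + string.digits

def random_answer(length=16):
    """An answer generated like a password: unrelated to the question, drawn
    from the OS CSPRNG, meant to be stored in a password manager, not remembered."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def random_answer_bits(length=16):
    """Entropy of random_answer() output, for comparison with answer_entropy_bits()."""
    return length * math.log2(len(ALPHABET))

def build_recovery_note(questions):
    """Question/answer pairs as JSON text to paste into the notes field of the
    account's password-manager entry, which then serves as the recovery record."""
    return json.dumps({q: random_answer() for q in questions}, indent=2)

if __name__ == "__main__":
    print(f"two guesses succeed {top_k_guess_success(SUPERHERO_SHARE, 2):.0%} of the time")
    print(f"superhero question: {answer_entropy_bits(SUPERHERO_SHARE):.2f} bits")
    print(f"random answer: {random_answer_bits():.1f} bits")
    print(build_recovery_note(["What city were you born in?",
                               "Who is your favorite superhero?"]))
```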
Want to learn more about security questions?
Much of the information in this article is from a research paper published by Google in 2015. Google analyzed data from hundreds of millions of secret answers and hundreds of millions of account recovery claims. This is the first analysis of a large real-world data set to assess the effectiveness and memorability of secret questions. Google has discontinued the use of secret questions for account recovery.
Want more information?
Check out this YouTube video or visit our Safety page.
Oasis Connections has been teaching adults to be safe online since 2004.
AT&T supports the Oasis Institute, a non-profit educational organization that promotes healthy aging through lifelong learning, active lifestyles and volunteer engagement.