The Best Secret Question in the World Is…

Posted June 9, 2015

Stanford University Professor and 4 People from Google Conduct Study on Personal Knowledge Questions by Google Users

Secret questions or personal questions or challenge questions (take your pick) are the ones you get when, for instance, you reset your password. The question is supposed to be based on personal information that very few (hopefully trustworthy) people besides you would know, e.g., the name of your first parole officer. (Please don’t email. It was only a joke and, depending on its contents, your email could violate the terms of that parole.)

We’ve kept you in suspense long enough. So, before we get to the study, we’d like to tell you what “The Best Secret Question in the World Is…” We’d like to. We really would. The problem is we can’t remember it. Which happens to be one of the problems the study points out.

Conducted by Joseph Bonneau, a Stanford University professor, and Google’s Elie Bursztein, Ilan Caron, Rob Jackson and Mike Williamson, the study, “Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google,” demonstrates that “secret questions generally offer a security level that is far lower than user-chosen passwords.”

In her story on today.com, Julianne Pepitone discusses some highlights of what the study discovered. The following has been excerpted from her piece and edited to fit our format. The full article is on today.com.

There are two problems

People either can’t remember their security-question responses (37 percent of users said they entered “fake” answers in an attempt to make them difficult), or the answers to questions are so similar across users that they’re easy for hackers to guess.

Hacking is duck soup or easy as pie

[An] attacker has a 1 in 5 chance of guessing on the first try an English speaker’s answer to “What is your favorite food?”

Seoul man

Within 10 guesses, attackers are able to guess 39 percent of Korean speakers’ birthplaces.

No fly zone

It’s possible to add questions that are more secure but users have a hard time recalling the answers — for example, only 9 percent of people in the Google study were able to remember their frequent flyer numbers.

Preferred method

Bonneau and the Googlers advocate…text-message and email-based account recovery, which have a higher chance of success. But the researchers conceded those methods aren’t foolproof — for example, if someone is traveling overseas they may not be able to receive a text message.
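The “1 in 5 on the first try” and “39 percent within 10 guesses” figures above are the same statistic: the share of users an attacker compromises by trying the most common answers in order. The script below is an added example, not code from this post, from Pepitone’s article or from the study, showing how to compute that statistic from a sample of answers and use it to decide whether a candidate secret question is acceptable. The answer sample is constructed (it is deliberately skewed toward a few popular foods, but it is not Google’s data), and the 5 percent acceptance threshold is an assumption chosen for illustration, not a number from the paper.

```python
"""Measure how guessable a secret question is from a sample of its answers.

Added example; not code from the ThreatMetrix post or the Bonneau et al.
study. FAVORITE_FOOD_ANSWERS is a constructed sample, and the acceptance
threshold in is_acceptable() is an assumption made for illustration.
"""
from collections import Counter
import unicodedata

# Constructed sample of 50 answers to "What is your favorite food?".
# Skewed on purpose: a few popular answers dominate, as real answers do.
FAVORITE_FOOD_ANSWERS = (
    ["pizza"] * 9 + ["Pizza "] * 1          # same answer, different spelling
    + ["sushi"] * 5 + ["pasta"] * 4 + ["chocolate"] * 3 + ["steak"] * 3
    + ["tacos"] * 2 + ["curry"] * 2
    + ["ice cream", "burgers", "ramen", "bibimbap", "pho", "falafel",
       "lasagna", "dumplings", "paella", "gumbo", "kimchi", "pierogi",
       "jollof rice", "haggis", "poutine", "goulash", "moussaka", "ceviche",
       "biryani", "tamales", "borscht"]
)


def normalize(answer: str) -> str:
    """Canonicalise an answer the way a recovery flow compares it:
    Unicode NFKC, trim and collapse whitespace, case-fold.
    Skipping this makes "Pizza " and "pizza" look like two answers and
    understates how guessable the question is."""
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.split()).casefold()


def success_within(answers, beta, normalise=True):
    """Attacker success rate with `beta` guesses per account: the fraction of
    users whose answer is among the `beta` most common answers."""
    if beta < 1:
        raise ValueError("beta must be at least 1")
    counts = Counter(normalize(a) if normalise else a for a in answers)
    top = counts.most_common(beta)
    return sum(count for _, count in top) / len(answers)


def guessing_curve(answers, betas=(1, 3, 10)):
    """Success rate at several guess budgets, for comparing questions."""
    return {beta: success_within(answers, beta) for beta in betas}


def is_acceptable(answers, beta=10, max_success=0.05):
    """Policy check (threshold is an assumption, not from the study): reject a
    question if `beta` guesses would compromise more than `max_success`
    of users. Lockout after `beta` attempts is what makes `beta` meaningful."""
    return success_within(answers, beta) <= max_success


if __name__ == "__main__":
    print("normalised:   ", guessing_curve(FAVORITE_FOOD_ANSWERS))
    print("raw strings:  ", {b: success_within(FAVORITE_FOOD_ANSWERS, b, normalise=False)
                             for b in (1, 3, 10)})
    print("acceptable at 10 guesses:", is_acceptable(FAVORITE_FOOD_ANSWERS))
```

Two practical points the numbers bring out: the popularity of the top answer, not the number of possible answers, sets the first-guess success rate, so a question with millions of possible answers can still fail if a fifth of users give the same one; and because an online attacker only gets as many attempts as the lockout policy allows, the guess budget `beta` you evaluate should match that lockout. Estimates from a small sample like this one are rough, since rare answers are over- or under-represented; measure on a large, held-out set before trusting the curve.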

ThreatMetrix
