You're probably used to setting up security questions whenever you register an account on a new website. They're supposed to help confirm your identity in the event that you forget your password, but a new study from Google says that they have a number of major shortcomings.
The main problem is that they're either easy to remember or "somewhat secure," but usually not both. That's according to a blog post written by Elie Bursztein, Google's anti-abuse research lead, and Ilan Caron, a software engineer. If security questions are easy to remember, they're probably easy for an impostor to guess; but if they're too complicated, the person who created them won't be able to remember them.
According to Google's research, which was based on "hundreds of millions of secret answers and millions of account recovery claims," 40 percent of English-speaking people in the United States couldn't recall the answers to their secret questions when they needed them. The numbers were actually much worse for the "safest" questions, the ones that would be hardest for an impostor to guess. "What is your frequent flier number?" is a solid, tough recovery question, but only 9 percent of people could remember the answer.
Meanwhile, simple questions were easy for attackers to guess. With a single guess, an attacker has a 19.7 percent chance of getting "What is your favorite food?" right for English-speaking users. Google helpfully notes that the answer is usually "pizza."
Worse, the full study notes that a lot of services use questions with "trivially small" pools of potential answers. (For example, "What is your favorite superhero?") If individuals are able to make up their own security question, the majority tend to create something that's very easy to guess, also.
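To make the guessability figures concrete, here is an added Python example (not code from this article or from Google's study) that computes the study's kind of metric over a constructed answer set: the attacker's success rate after one or more guesses when trying the most popular answers first, the number of guesses needed to cover half the users (the effective size of the answer pool, as opposed to its nominal size), and the min-entropy of the answer distribution. The sample counts, the `dishN` filler answers and the lockout threshold are assumptions chosen so that the single-guess rate on the food question matches the 19.7 percent figure quoted above; none of the numbers is Google's data.

```python
import math
from collections import Counter

# Constructed sample populations (illustrative counts, not Google's data).
# 1000 answers to "What is your favorite food?": a few popular answers plus
# 600 users who each gave a unique answer (dish0 ... dish599).
FAVORITE_FOOD = (
    ["pizza"] * 197 + ["Sushi "] * 60 + ["tacos"] * 45 + ["pasta"] * 40
    + ["steak"] * 30 + ["chocolate"] * 28 + [f"dish{i}" for i in range(600)]
)

# 1000 answers to "What is your favorite superhero?": the "trivially small"
# answer pool the study warns about.
FAVORITE_SUPERHERO = (
    ["Batman"] * 400 + ["superman"] * 300 + ["spider-man"] * 200
    + ["wonder woman"] * 100
)


def normalize(answer):
    """Fold case and whitespace the way a recovery form compares answers."""
    return " ".join(answer.strip().lower().split())


def answer_counts(answers):
    """Distinct normalized answers with their counts, most common first."""
    return Counter(normalize(a) for a in answers).most_common()


def guess_success(answers, guesses):
    """Probability that an attacker allowed `guesses` attempts, trying the
    most popular answers first, hits a random user's answer.
    guesses=1 is the study's "single guess" figure (19.7% for "pizza")."""
    counts = answer_counts(answers)
    total = sum(c for _, c in counts)
    return sum(c for _, c in counts[:guesses]) / total


def guesses_for_success(answers, target):
    """Smallest number of guesses at which the attacker's success rate
    reaches `target`. A question may nominally allow thousands of answers
    yet be exhausted in a handful of guesses because users cluster."""
    counts = answer_counts(answers)
    total = sum(c for _, c in counts)
    seen = 0
    for i, (_, c) in enumerate(counts, start=1):
        seen += c
        if seen >= target * total:
            return i
    return len(counts)


def min_entropy_bits(answers):
    """Min-entropy of the answer distribution: strength against the
    attacker's best single guess, in bits."""
    counts = answer_counts(answers)
    total = sum(c for _, c in counts)
    return -math.log2(counts[0][1] / total)


def acceptable(answers, attempts, max_success):
    """Would this question be acceptable as a recovery factor if the service
    locks the account after `attempts` failed answers? A lockout does not
    rescue a question whose top answers cover a large share of users."""
    return guess_success(answers, attempts) <= max_success


if __name__ == "__main__":
    for name, data in (("favorite food", FAVORITE_FOOD),
                       ("favorite superhero", FAVORITE_SUPERHERO)):
        print(f"{name}: distinct answers={len(answer_counts(data))}, "
              f"1 guess={guess_success(data, 1):.1%}, "
              f"3 guesses={guess_success(data, 3):.1%}, "
              f"guesses to 50%={guesses_for_success(data, 0.5)}, "
              f"min-entropy={min_entropy_bits(data):.2f} bits, "
              f"ok with 3-try lockout={acceptable(data, 3, 0.01)}")
```

Run it and the food question shows 606 distinct answers but only 106 guesses to cover half the users, while the superhero question is exhausted in two. A three-attempt lockout, the usual mitigation, still leaves the food question at roughly a 30 percent per-account success rate, which is why the study's advice is to move off secret answers rather than to tune them.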
And as you might anticipate, a fair number of security-question answers are publicly available on social media: about 16 percent in all, according to Google, which means an attacker who knows the target's profile can often skip guessing altogether.
As part of the study, Google ran surveys to gauge individuals' perceptions of security. Almost 63 percent said they "never considered the possibility that their security question could be used against them," the study states, which might help explain the weak-sauce answers.
So what's to be done? Google's own answer is to lean on recovery channels other than a shared secret: one-time codes sent by SMS to a phone number or to a backup email address, alongside two-factor authentication for sign-in. If a site offers to send access codes to your phone or backup email when you register, you should certainly turn that on.
Otherwise, you'll want to think long and hard about the security questions you're presented with and your possible answers. Lifehacker once pointed to a blog post that has a few good pointers:
A good security question will have the following characteristics:
1. Easy to remember, even 5 or 10 years from now
2. At least thousands of possible answers
3. Not a question you would answer on Facebook, Myspace, in a "Fun Questions to Ask" survey, or in an article or interview
4. Simple one or two word answer
5. Never changes
Those seem like good solutions to the problems Google outlined.
For more information on security questions, check out this infographic: