You know the ones: What was your first pet’s name? What is your favorite food? What is your mother’s maiden name? The answers are suppose to be unique enough to every individual that they prove you really are who you say that you are.
But do they?
In a blog post Google’s Elie Bursztein, Anti-Abuse Research Lead and Ilan Caron, Software Engineer, gave a glimpse of the results of their groundbreaking research. They looked into the question of whether such questions help.
They wrote that, “secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism. That’s because they suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember—but rarely both.”
Here are some of the study’s findings:
With a single guess, an attacker would have a 19.7% chance of guessing English-speaking users’ answers to the question “What is your favorite food?” (it was ‘pizza’, by the way)
With ten guesses, an attacker would have a nearly 24% chance of guessing Arabic-speaking users’ answer to the question “What’s your first teacher’s name?”
With ten guesses, an attacker would have a 21% chance of guessing Spanish-speaking users’ answers to the question,
“What is your father’s middle name?”
With ten guesses, an attacker would have a 39% chance of guessing Korean-speaking users’ answers to the question “What is your city of birth?” and a 43% chance of guessing their favorite food.
40% of our English-speaking US users couldn’t recall their secret question answers when they needed to. These same users, meanwhile, could recall reset codes sent to them via SMS text message more than 80% of the time and via email nearly 75% of the time.
Some of the potentially safest questions—”What is your library card number?” and “What is your frequent flyer number?”—have only 22% and 9% recall rates, respectively.
For English-speaking users in the US the easier question, “What is your father’s middle name?” had a success rate of 76% while the potentially safer question “What is your first phone number?” had only a 55% success rate.
So you are best served by remembering your passwords.
See the complete study here.