Authors
  • Name
    Jeff Leong

O'Reilly's Four Short Links pointed me to some 2015 Google real-world research (PDF) on the use of secret questions and answers for account recovery at Google.

Highlights from Google's research

The researchers found that secret questions (also called personal knowledge questions) were hard for legitimate users to remember and easy for attackers to guess.

Answers to common secret questions are easy to guess in aggregate using publicly available data such as census records, or by paying people to guess via crowdsourcing services like Amazon Mechanical Turk; in the paper's data, a single guess ("pizza") would hit 19.7% of English-speaking users' answers to "Favorite food?". Potentially more secure questions are much harder to remember: for example, "Frequent flyer number?" had a 9% recall rate. Not only that, the researchers found that 4.2% of English-speaking users listed the same frequent flyer number!

A user survey we conducted revealed that a significant fraction of users (37%) who admitted to providing fake answers did so in an attempt to make them "harder to guess" although on aggregate this behavior had the opposite effect as people "harden" their answers in a predictable way.

The researchers also found that 63% of the people they surveyed had not considered that an attacker could take over their email account by resetting the password through the secret questions.

From millions of account recovery attempts we observed a significant fraction of users (e.g., 40% of our English-speaking US users) were unable to recall their answers when needed. This is lower than the success rate of alternative recovery mechanisms such as SMS reset codes (over 80%).

We conclude that it appears next to impossible to find secret questions that are both secure and memorable.

I am frustrated by this 'security theatre' of secret questions and answers when we have research establishing it as insecure.

My approach

My personal approach to enforced security questions and answers is to generate a sequence of 3-6 random words for an answer, like in the xkcd comic below, instead of providing a real one-word answer.

xkcd on Password Strength

While I prefer using more words, often the secret answer field will only allow 20 or 30 characters. I will generate a different answer even if the same question is asked over multiple websites. I use 1Password's built-in password generator to create and store this fake answer, but the Diceware method of rolling 5 dice and looking up the result in EFF's Diceware list to create the fake answer would also work.
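The procedure above (roll dice, look the result up in a wordlist, join 3-6 words, stay under the site's character limit, use a fresh answer per site) as a runnable Python example. This is an added illustration, not the author's 1Password setup or the EFF's own tooling; the two-dice wordlist is a constructed stand-in for the EFF long list (which is keyed by five dice and has 7776 entries) and every function name is my own.

```python
"""Diceware-style fake secret answers (added example, not the author's tooling)."""
import math
import secrets

# Constructed 36-word sample in the EFF file layout ("<dice>\t<word>"), keyed by
# two dice for brevity. Assumption: the real EFF list would be loaded the same way.
SAMPLE_WORDLIST_TEXT = """\
11\tabacus
12\targon
13\tbetwixt
14\tcactus
15\tdolphin
16\tember
21\tfalcon
22\tgarnet
23\tharbor
24\tivory
25\tjasper
26\tkelp
31\tlantern
32\tmarble
33\tnectar
34\toasis
35\tpectin
36\tquartz
41\tripple
42\tsaddle
43\ttundra
44\tumber
45\tvelvet
46\twalnut
51\txenon
52\tyonder
53\tzephyr
54\tanvil
55\tbramble
56\tcobalt
61\tdune
62\telk
63\tfjord
64\tglacier
65\thazel
66\tiris
"""


def parse_wordlist(text):
    """Parse '<dice>\\t<word>' lines into {dice_key: word}, rejecting bad keys."""
    table = {}
    key_len = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, word = line.split("\t")
        if not key or any(c not in "123456" for c in key):
            raise ValueError(f"bad dice key: {key!r}")
        if key_len is None:
            key_len = len(key)
        elif len(key) != key_len:
            raise ValueError(f"inconsistent key length: {key!r}")
        table[key] = word
    return table


def roll_word(table, randbelow=secrets.randbelow):
    """Roll one die per key digit (CSPRNG by default) and look the word up."""
    n_dice = len(next(iter(table)))
    key = "".join(str(randbelow(6) + 1) for _ in range(n_dice))
    return table[key]


def fake_answer(table, min_words=3, max_words=6, max_len=None, sep=" ",
                randbelow=secrets.randbelow):
    """Join random words; stop once the next word would exceed max_len.

    Raises ValueError if the field is too short to hold min_words words, which
    is the failure mode to expect from sites with 20-30 character limits.
    """
    words = []
    while len(words) < max_words:
        word = roll_word(table, randbelow)
        candidate = sep.join(words + [word])
        if max_len is not None and len(candidate) > max_len:
            break
        words.append(word)
    if len(words) < min_words:
        raise ValueError(f"cannot fit {min_words} words in {max_len} characters")
    return sep.join(words)


def entropy_bits(n_words, table_size):
    """Guessing entropy of n_words independent picks from a table_size wordlist."""
    return n_words * math.log2(table_size)


if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_WORDLIST_TEXT)
    # One fresh answer per site, each capped at a 30-character field.
    for site in ("example-bank", "example-airline"):
        print(site, "->", fake_answer(table, max_len=30))
    print("6 words from the EFF long list:", round(entropy_bits(6, 7776), 1), "bits")
```

With the real 7776-word list each word carries about 12.9 bits, so four words (the most that usually fit in a 30-character field) give roughly 52 bits, which is far beyond what a census-based or Mechanical Turk guessing attack can reach. The `randbelow` parameter exists only so the roll can be made deterministic in tests; leave the default `secrets.randbelow` in real use.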

My wish is that one day I won't have to tell a website my favourite food today is "argon weak pectin betwixt".