Google researchers examined how hard it was to guess the answers to "personal knowledge" security questions that are often used to regain access to your email account if you forget your password. What they found was not reassuring.
"Our analysis confirms that secret questions generally offer a security level that is far lower than user-chosen passwords," said a peer-reviewed paper presented last week at the International Conference on the World Wide Web in Florence.
"Surprisingly, we found that a significant cause of this insecurity is that users often don't answer truthfully."
Lead author Joseph Bonneau told CBC News that the most common fake answers are more predictable than the most common real answers for things like surnames.
And answers such as "Don't have one" or "I don't know" were particularly ineffective.
Because of the problem with fake answers, the study found that a clever attacker could guess 4.2 per cent of English-speaking users' answers to the question "Frequent flyer number?" with a single guess.
No good questions
Bonneau, who has now left Google and is working as a post-doctoral researcher at Stanford University, said researchers have always had a sense that security questions weren't very secure, but his team wanted to "put out in black and white exactly how insecure and unreliable" they were. To do that they looked at how easy it was to guess the answers to security questions provided by Google users over the past five years.
The researchers hoped to identify the best possible security questions — those that generated answers both secure (having a huge set of possible, hard-to-guess answers) and memorable.
"Nothing we looked at was good on both counts," he said. "If there is some question out there that will manage to do both things at once, Google wasn't able to find it."
While the study only looked at Google accounts, Bonneau thinks the findings likely apply to other accounts that use security questions, as the pool of questions used tends to be similar.
Tips for users
Based on his results, Bonneau makes a couple of recommendations:
- Avoid generic fake answers like "I don't know" or "Don't have one."
- Try to have an account backup mechanism that is more secure than security questions — for example, registering your phone number and getting Google to send an account recovery code to the phone.
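The population-level guessing metric behind the study's "guessed with a single guess" finding, together with the enrollment-time check a service could use to enforce the first tip above, as an added Python example that is not from the paper or from this article; the sample answers and the list of generic non-answers are constructed for illustration.

```python
from collections import Counter

# Constructed sample answers to a surname-style security question; these are
# illustrative only, not data from the Google study.
TRUTHFUL_ONLY = ["Smith", "Garcia", "Nguyen", "Smith", "Okafor",
                 "Patel", "Kim", "Rossi", "Williams", "Brown"]
WITH_FAKES = ["Smith", "Garcia", "Nguyen", "I don't know", "Okafor",
              "don't have one", "i don't know", "Rossi", "I DON'T KNOW",
              "Don't Have One"]

# Generic non-answers a service could refuse at enrollment (constructed list).
GENERIC_ANSWERS = {"i don't know", "i dont know", "don't have one",
                   "dont have one", "none", "n/a", "no"}


def normalize(answer: str) -> str:
    """Canonicalize an answer the way a recovery form typically compares it:
    case-insensitive, with surrounding and repeated whitespace ignored."""
    return " ".join(answer.lower().split())


def guessing_success(answers, guesses: int) -> float:
    """Fraction of accounts compromised when an attacker who knows the
    population's answer distribution tries the `guesses` most common answers.
    This is the metric behind a statement such as 'x per cent of answers
    can be guessed with a single guess'."""
    counts = Counter(normalize(a) for a in answers)
    hits = sum(c for _, c in counts.most_common(guesses))
    return hits / len(answers)


def is_generic(answer: str) -> bool:
    """True if the answer is a known generic non-answer; refusing it at
    enrollment keeps the user out of the most guessable bucket."""
    return normalize(answer) in GENERIC_ANSWERS


if __name__ == "__main__":
    for label, data in (("truthful", TRUTHFUL_ONLY), ("with fakes", WITH_FAKES)):
        rates = [f"{guessing_success(data, k):.0%}" for k in (1, 3)]
        print(f"{label:10s} guessed with 1 / 3 attempts: {rates[0]} / {rates[1]}")
    # prints: truthful 20% / 40%, with fakes 30% / 60%
```

The fake answers collapse many users onto a few identical strings, which is exactly what raises the attacker's first-guess success rate even though each fake looks like a non-answer.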
As for web services, he recommends that if these types of security questions are used, they should be used along with other ways to verify a user's identity.
"It's not secure if this is the only thing that needs to be answered to regain control of an account."