Google: Security Questions Aren’t Secure at All


Certain websites demand you answer a series of security questions before allowing you to recover your login or access a secure dashboard. At least in theory, no hacker will know the model of your first car, or the name of your first pet. According to a new study by Google, however, such security questions are rarely secure at all.

At first glance, this seems like such a straightforward assumption, it’s a wonder that Google bothered to do a survey about it at all. Given how much personal information ends up online, it’s fairly easy for an attacker to learn (or at least make an educated guess) about much of your history—which city you were born in, for instance, or the first place you worked.

But the problem isn’t just answers that are too easy to guess. In a bid to make their security questions a little harder for people to crack, a significant portion of online users create fake answers… and then promptly forget those answers.

“From millions of account recovery attempts we observed a significant fraction of users (e.g. 40% of our English-speaking US users) were unable to recall their answers when needed,” read the Google paper’s abstract. “This is lower than the success rate of alternative recovery mechanisms such as SMS reset codes (over 80%).”

The paper’s ultimate claim? “We conclude that it appears next to impossible to find secret questions that are both secure and memorable.” Better rely on alternative methods… or at least write your fake birthplace down somewhere secure.

2 Responses to “Google: Security Questions Aren’t Secure at All”

  1. jelabarre59

    I don’t like the SMS code solution, because that means I’m handing them my cell phone number, and that’s *ONLY* for family usage. No one else (including, or perhaps *especially*, my places of employment) gets that number. My “first pet” was 50 years ago, and I have never mentioned it to anyone anyway (and nearly anyone who knew it is dead anyway).


    Creating & maintaining an organized & EZ-to-read notebook of all your web-sites, passwords, security questions & answers (exactly precisely as entered) will avoid forgetting and give your family online access in case something happens to you.