Certain websites demand you answer a series of security questions before allowing you to recover your login or access a secure dashboard. At least in theory, no hacker will know the model of your first car, or the name of your first pet. According to a new study by Google, however, such security questions are rarely secure at all.
At first glance, this seems like such a straightforward assumption, it’s a wonder that Google bothered to do a survey about it at all. Given how much personal information ends up online, it’s fairly easy for an attacker to learn (or at least make an educated guess) about much of your history—which city you were born in, for instance, or the first place you worked.
But the problem isn’t just answers that are too easy to guess. In a bid to make their security questions a little harder for people to crack, a significant portion of online users create fake answers… and then promptly forget those answers.
“From millions of account recovery attempts we observed a significant fraction of users (e.g. 40% of our English-speaking US users) were unable to recall their answers when needed,” reads the Google paper’s abstract. “This is lower than the success rate of alternative recovery mechanisms such as SMS reset codes (over 80%).”
The paper’s ultimate claim? “We conclude that it appears next to impossible to find secret questions that are both secure and memorable.” Better rely on alternative methods… or at least write your fake birthplace down somewhere secure.