This article originally appeared on Tec Dr.

I have written in the past on Irish Tech News and my Tecdr blog about how important strong passwords are. Strong passwords will protect any online accounts that you have and will also lessen the chances of a website or database getting compromised. New research by Google’s security team has shown that strong passwords are being greatly weakened by weak password security questions.

What was your first pet’s name?
What is your favourite food?
What is your mother’s maiden name?

The questions listed above are examples of the weak security questions that Google’s security team found. The team also noted the following.

With a single guess, an attacker would have a 19.7% chance of guessing English-speaking users’ answers to the question “What is your favourite food?” (it was ‘pizza’, by the way)

With ten guesses, an attacker would have a nearly 24% chance of guessing Arabic-speaking users’ answer to the question “What’s your first teacher’s name?”

With ten guesses, an attacker would have a 21% chance of guessing Spanish-speaking users’ answers to the question, “What is your father’s middle name?”

With ten guesses, an attacker would have a 39% chance of guessing Korean-speaking users’ answers to the question “What is your city of birth?” and a 43% chance of guessing their favourite food.
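The figures above measure how many users' answers fall among the few most common answers. As an added example (not code from Google's research or from the original article), a site operator could run the same measurement over its own stored answers and derive how many attempts it can allow before the guess rate passes a chosen ceiling. The sample answers, the function names and the ceiling are assumptions made for illustration.

```python
import unicodedata
from collections import Counter

# Constructed sample: 20 stored answers to "What is your favourite food?"
FOOD_ANSWERS = (["Pizza", "pizza ", "PIZZA", "pizza"] + ["pasta"] * 3
                + ["sushi"] * 2 + ["steak"] * 2
                + ["dal", "pho", "tacos", "ramen", "paella", "kimchi",
                   "falafel", "goulash", "lasagne"])

def normalise(answer):
    """Fold case, Unicode form and spacing so 'Pizza ' and 'pizza' count once."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def ranked_counts(answers):
    """Return (total, [(answer, count), ...]) ordered most common first."""
    if not answers:
        raise ValueError("no answers to audit")
    return len(answers), Counter(normalise(a) for a in answers).most_common()

def guess_success(answers, k):
    """Share of users whose answer is among the k most common answers."""
    total, ranked = ranked_counts(answers)
    return sum(count for _, count in ranked[:k]) / total

def max_attempts(answers, ceiling):
    """Largest attempt limit whose guess success stays at or below ceiling.

    Returns 0 when even a single guess exceeds the ceiling, meaning the
    question should not be offered at all.
    """
    total, ranked = ranked_counts(answers)
    covered = allowed = 0
    for _, count in ranked:
        if (covered + count) / total > ceiling:
            break
        covered += count
        allowed += 1
    return allowed

if __name__ == "__main__":
    for k in (1, 3, 10):
        print(f"{k:>2} guesses: {guess_success(FOOD_ANSWERS, k):.0%} of accounts")
    print("attempt limit for a 5% ceiling:", max_attempts(FOOD_ANSWERS, 0.05))
```

A result of 0 from `max_attempts` is the useful signal: no lockout policy can rescue a question whose single most common answer already covers too many users.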

When it comes to difficult questions and answers, the following was revealed.

40% of our English-speaking US users couldn’t recall their secret question answers when they needed to. These same users, meanwhile, could recall reset codes sent to them via SMS text message more than 80% of the time and via email nearly 75% of the time.

Some of the potentially safest questions—“What is your library card number?” and “What is your frequent flyer number?”—have only 22% and 9% recall rates, respectively.

For English-speaking users in the US the easier question, “What is your father’s middle name?” had a success rate of 76%, while the potentially safer question “What is your first phone number?” had only a 55% success rate.

All this points to the following, which should be mandatory:

Two factor authentication
Two factor authentication combines two components to confirm the identity of a user. A code is sent via SMS to your mobile phone or emailed to a secondary email address, and you have to enter that code along with your password. It is highly unlikely that anyone illegally trying to access your account will also have access to your secondary email address or your mobile phone.
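The server side of the code step described above can be sketched as follows. This is an added example, not code from the original article: the class name, the five-minute lifetime, the three-attempt limit and the in-memory store are assumptions, and delivery by SMS or email is left to whatever gateway the site uses.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300      # seconds a code stays valid (assumed policy)
MAX_TRIES = 3       # wrong attempts allowed before the code is burned (assumed)
SERVER_KEY = secrets.token_bytes(32)  # assumption: loaded from a secret store in production

def _digest(code):
    """Keyed hash, so the pending-code table never holds codes in clear."""
    return hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).digest()

class CodeStore:
    """In-memory stand-in for a server-side table of pending one-time codes."""

    def __init__(self):
        self._pending = {}

    def issue(self, user, now=None):
        """Create a fresh 6-digit code, replacing any earlier one for this user."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.random()
        self._pending[user] = {"digest": _digest(code),
                               "expires": now + CODE_TTL, "tries": 0}
        return code   # hand this to the SMS or email gateway

    def verify(self, user, submitted, now=None):
        """True only for the right code, in time, within the attempt limit, once."""
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False
        if now > entry["expires"] or entry["tries"] >= MAX_TRIES:
            del self._pending[user]            # expired or exhausted: burn it
            return False
        entry["tries"] += 1
        if hmac.compare_digest(_digest(submitted), entry["digest"]):
            del self._pending[user]            # single use
            return True
        return False
```

The attempt limit matters as much as the randomness: a 6-digit code has only a million possible values, so without the limit it could simply be enumerated.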

Make your own questions
When it comes to questions, there should be the option of making your own question as this will lessen the chances of it being answered correctly. Ideally the question should be one where the answer can’t be Googled or found on any of your social media accounts.

Family related questions
Questions dealing with a user’s family are a big no-no as the answers can easily be found. The same goes for family pets and colleges, schools or universities that you may have attended. You don’t want to give anyone a greater chance of getting into any of your accounts.

If the user has more say in their accounts’ security questions, there will be a lesser chance of any data breaches occurring. Sometimes users make mistakes and answer the most obvious questions, such as their favourite movie or sports team, as they want easy-to-remember answers. Any online business, product and website must have an obligation to make sure users make far fewer mistakes.

If users are allowed to set their own questions then a data breach is less likely provided the answer is not easily found online. If 40% of English-speaking US users couldn’t recall their secret question answers to difficult questions then difficult questions should be off the menu. Next time you are accessing one of your online accounts, take a look at your security questions and where possible enable two factor authentication.

 

Ronan Leonard
