Security Questions Are a Bad Idea, and Here’s Why

Ever since we had passwords and accounts, there have always been hackers trying to get their hands on them. More importantly, people have also been forgetting their passwords. To recover them, the account provider often implements a series of questions that you provide your “secret answers” to. This system has worked fine for many years, but it is riddled with ways to make hackers’ jobs easier. Although the answers are secret, per se, it appears that you’re actually sacrificing your security in the hopes that one day this sacrifice will help you recover your password.


On May 21, 2015, Google published some research regarding the whole security questions scheme. Apparently, “what was your first pet’s name?” can be the single weakest link in your security, and it can bring your account to hackers on a silver platter. While you can make passwords that are impossible to guess, security questions for recovery are designed in such a way that you should be able to answer them easily. This works well when you use obscure answers that no one else can guess, but horribly if your pet (for example) has a very common name like “Max” or “Spot.” If you named your dog “Ulysses” or “Peruggia,” then you might stand a chance, albeit one that isn’t so promising.

You can also choose option B, which is to lie about the answer to your question (i.e. replying “Offram Klingmanstein III” when asked what your mother’s maiden name was). The problem with this is that you end up with yet another thing you must remember. Recalling answers you lied about is just as difficult as recalling the password you forgot in the first place. This is no solution but an added burden.


In addition to the security problems that questions introduce, they just add to the confusion for those who cannot recall the city they were born in or the names of their first pet (it does happen). People who know you well can also easily access your accounts with this method. Hopefully, we’ve come to the conclusion by now that something needs to replace the “secret answer” method. Fortunately, there are many good contenders for replacements, one of the best being two-factor authentication.

The “secret answer” method was invented before people commonly had cell phones that could open SMS messages. At this point in history, virtually everyone with access to the Internet has a cell phone. Out of 7 billion people, there are roughly 6.8 billion phones. Google has adopted a new method for authentication that involves sending a one-time password through SMS for recovery. For those without phones, they could use a backup email either of a trusted person or one that they use themselves for recovery. This method makes it very difficult to “guess” one’s way into an account without the user’s phone.

By using two-factor authentication, you solve two things at the same time:

  • You minimize the risk of a person not remembering their “answer” since the unique SMS code is handed to the user upon request, and
  • You make a recovery method that is nearly unbreakable since the hacker would need to have access to a physical object that the user owns.
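The one-time recovery code flow described above, as an added example (not Google's code and not part of the original article). It shows the server-side properties that keep such a code from being guessed: random generation, a short lifetime, single use and a small attempt budget. The class name, the 6-digit length, the 5-minute lifetime and the 3-attempt limit are assumptions, and SMS delivery is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6      # assumed code length
TTL_SECONDS = 300    # assumed lifetime of an issued code
MAX_ATTEMPTS = 3     # assumed number of guesses allowed per issued code


class RecoveryCodes:
    """Hypothetical helper: issues and checks one-time recovery codes."""

    def __init__(self, clock=time.time):
        self._clock = clock                   # injectable so expiry can be tested
        self._key = secrets.token_bytes(32)   # server-side key for the stored MAC
        self._pending = {}                    # account -> [mac, expires_at, attempts_left]

    def _mac(self, code):
        # Only a keyed MAC of the code is stored, never the code itself.
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self, account):
        """Create a fresh code (voiding any earlier one) and return it for delivery."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        expires_at = self._clock() + TTL_SECONDS
        self._pending[account] = [self._mac(code), expires_at, MAX_ATTEMPTS]
        return code

    def verify(self, account, submitted):
        """Return True exactly once for the right code; late, wrong or repeated tries fail."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        mac, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[account]        # expired codes are discarded
            return False
        entry[2] = attempts_left - 1
        if hmac.compare_digest(mac, self._mac(submitted)):
            del self._pending[account]        # single use
            return True
        if entry[2] == 0:
            del self._pending[account]        # guess budget spent: code is void
        return False
```

With these assumed values, a blind guesser gets 3 tries in a space of 1,000,000 codes per issued code, which is the contrast with a pet name like “Max.”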

Can you think of something else to replace the secret answer method? Leave your thoughts in a comment below!

10 comments

  1. “Security questions” are indeed insecure. They are a confession of failure.
    Since I use LastPass, I use a different random answer for those questions.
    Two-factor authentication and a store of one-time recovery codes are the way to go.

    I get a big kick out of the banks that are very touchy about login attempts, but fundamentally have TERRIBLE security.

    It’s transition time. Two-factor is the way to go.

    • LastPass is a slight failure, though, in terms of information security. They store their key data on-site, which can still allow hackers in. It’s not ideal, but yes, it’s better than having your passwords in a TXT file on cloud storage.

    • They’re already doing it. It will take some time, though. Go ahead and give your bank a call to see if they have this available already. You might have missed it when it came out. Some banks do not automatically upgrade account holders’ authentication methods unless they specifically ask for it.

  2. Why the automatic assumption that EVERYBODY has a smartphone?! I am one of the 200 million people in the world who does not have a smartphone and I refuse to buy one just so I can do 2FA. With all these security experts running around it would be nice if someone invented a secure way of signing on without the use of a phone. What happens if you lose your phone, or you break it, or its battery dies? How are you going to do 2FA then???

    “For those without phones, they could use a backup email either of a trusted person or one that they use themselves for recovery.”
    That does not strike me as any more secure than the “secret answer” method. The only way two people can keep a secret successfully is if one of them is dead.

    • You do have a cellular phone, though, right? The password recovery method for Google sends you a text message. Only compulsory 2FA logins (activating 2FA for whenever you log in from another device) require Google Authenticator.

      • @Damien & Miguel:
        The one fly in the 2FA ointment is that one has to sell their soul (data) to Google to be able to use it. For those trying to avoid Google, that is a Faustian bargain.

        BTW – the problem with security questions is not that they are readily guessable but that they are vulnerable to dictionary searches. Even “Offram Klingmanstein III” can be easily cracked because it is made up of only a limited number/types of possible characters.

        • Indeed, but if you’re not using Google services, then you don’t need 2FA authentication from Google. What I hope to accomplish in this is to inspire other companies to follow suit and implement 2FA authentication for their particular applications. Take it as a sort of alarm bell for them. People really need to ask for better security. We can certainly do much better than we are doing now. With the number of breaches happening yearly, corporations are going to have to step up their game whether they like it or not.

  3. I think a good way to improve the “security questions” is by allowing the user to come up with both his/her questions and the corresponding answer. That way the user can ask a question that he/she knows only he/she has the answer to.
