Google shows how pathetic those security questions really are

Technically Incorrect: Your mother's maiden name? The name of your first dog? Easy meat for a hacker. Got a clever answer instead? Just try remembering it.

Chris Matyszczyk
3 min read

Technically Incorrect offers a slightly twisted take on the tech that's taken over our lives.

Can you even remember the answers? CACR Security Matters/YouTube screenshot by Chris Matyszczyk/CNET

Have you ever been maddened into tossing a vase across a room because you can't remember what your first car was?

Have you ever begun pinching at an eyebrow until it bled because the name of the hospital in which you were born escaped you?

Google is here to tell you it's not worth getting upset.

In a fascinating and ultimately depressing blog post Thursday, Google said that it took a look at "hundreds of millions" of questions and answers that were used for account recovery claims. "We then worked to measure the likelihood that hackers could guess the answers."

What did they discover? Your intimate answers to security questions really aren't all that secure.

"Secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism," according to the post by Elie Bursztein, anti-abuse research lead, and Ilan Caron, software engineer. (They presented their findings at the International World Wide Web conference this week in Florence, Italy.)

For example, when the security question is "What is your favorite food?" there's a 19.7 percent chance that a hacker might guess an English speaker would say "pizza." With just their first guess.

If you happen to be a Spanish speaker and the security question is "What is your father's middle name?" a hacker would need 10 guesses to have a 21 percent chance of getting it right and thereby getting into your bank account.

One revelation might be especially maddening to those who believe they're clever. Some people choose deliberately false answers, thinking they'll put hackers off the trail. However, so many choose the same false answers that hackers apparently find their way in more easily.

Another deeply frustrating issue is the answers that are more difficult to randomly guess. The problem is that the person who gave the answers in the first place forgets them entirely. Part of the problem, in my experience, is forgetting the precise formulation of the answer. If you don't get it just so, the machine rejects your answer.

However, Google discovered that, for example, the question: "What is your first phone number?" only got a 55 percent success score among those who should actually know the answer.

The final parameter Google looked at was the notion of not one question, but two together. Surely this would make things safer. Well, perhaps.

It's true that there's only a 1 percent chance that a hacker could get both (easy) security questions right after 10 guesses. The slight kink is that there's only a 59 percent chance that the person who gave the original answers would get them right.

Google recommends that you keep your recovery information current. But site owners too should take steps, such as sending a backup code via SMS text.

In the end, the whole process is maddening. It's the price we pay for at least a semblance of privacy in a world that's pushing us to reveal everything.

We have so many sites asking us for passwords and security answers that we can't remember half of them. If we write them down, that doesn't seem too secure either.

One day, perhaps, our personal robots will do it for us. Even then, once they have minds of their own, they might betray us too.