Many companies, especially financial institutions, ask users to answer additional security questions, the intention being to add one more layer of defense protecting users’ information. For example, if a user forgets their password, the system asks them to answer some of the security questions; if the answers are correct, an email containing a password reset link is sent to the user. This is designed to prevent the password from being leaked through an email account that has been hacked. However, I have never considered those security questions helpful or useful, only annoying and troublesome to users: if a user’s email account has been compromised, it will not take the attacker long to find the answers in the user’s emails. So I have never provided correct answers to any of those questions.
Recently, Google provided data to prove that password security questions are useless. According to the Google Online Security blog:
- With a single guess, an attacker would have a 19.7% chance of guessing English-speaking users’ answers to the question “What is your favorite food?” (it was ‘pizza’, by the way)
- With ten guesses, an attacker would have a 39% chance of guessing Korean-speaking users’ answers to the question “What is your city of birth?” and a 43% chance of guessing their favorite food.
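To make the metric behind those figures concrete, here is an added example (my own code, not Google’s code or data) that computes the k-guess success rate and min-entropy of a set of answers and applies a simple acceptance threshold; the answer list, the threshold and the function names are all assumptions.

```python
from collections import Counter
from math import log2


def normalize(answer: str) -> str:
    """Most recovery flows compare answers case-insensitively and ignore
    surrounding whitespace, which merges 'Pizza', 'pizza ' and 'PIZZA' and
    makes the answer distribution even more concentrated."""
    return " ".join(answer.strip().lower().split())


def success_rate(answers, guesses):
    """Chance that an attacker who knows the population's answer distribution
    and submits the `guesses` most common answers hits a random user's answer:
    the k-guess success metric behind the Google figures quoted above."""
    counts = Counter(normalize(a) for a in answers)
    hits = sum(c for _, c in counts.most_common(guesses))
    return hits / sum(counts.values())


def min_entropy_bits(answers):
    """Min-entropy: -log2 of the most common answer's share, i.e. the bits
    of work a single best guess has to overcome."""
    counts = Counter(normalize(a) for a in answers)
    return -log2(max(counts.values()) / sum(counts.values()))


def uniform_success_rate(guesses, space_size):
    """Same metric for a secret drawn uniformly from `space_size` values
    (e.g. a random 6-digit reset code), for comparison."""
    return min(1.0, guesses / space_size)


def question_acceptable(answers, guesses=10, max_rate=0.01):
    """Policy check: reject a question if `guesses` attempts (the lockout
    budget an attacker gets) succeed against more than `max_rate` of users."""
    return success_rate(answers, guesses) <= max_rate


# Constructed sample of 100 'favorite food' answers (not Google's data):
# five popular dishes plus 56 answers that are each unique.
_POPULAR = {"Pizza": 20, "sushi": 9, "pasta": 6, "Tacos ": 5, "burger": 4}
FAVORITE_FOOD = [a for a, n in _POPULAR.items() for _ in range(n)]
FAVORITE_FOOD += [f"dish-{i}" for i in range(56)]

if __name__ == "__main__":
    print(f"1 guess:    {success_rate(FAVORITE_FOOD, 1):.1%}")
    print(f"10 guesses: {success_rate(FAVORITE_FOOD, 10):.1%}")
    print(f"min-entropy: {min_entropy_bits(FAVORITE_FOOD):.2f} bits")
    print(f"6-digit code, 10 guesses: {uniform_success_rate(10, 10**6):.4%}")
    print("question acceptable:", question_acceptable(FAVORITE_FOOD))
```

Run against real answer data from your own reset flow, the same check tells you how much a lockout threshold of k attempts is actually worth for each question.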
How about providing fake answers?
Some users, including me, have realized that the security questions are useless, so they only provide fake answers to those questions. But that is not the best solution, because:
- Users must consistently provide fake answers, and it only works if the questions stay consistent.
- If users must provide fake answers, then why ask those questions in the first place?
What to do then?
Google didn’t ask users to abandon those security questions, but recommended that users and companies think twice before implementing this feature. If you have a Google account, you should follow Google’s Security Checkup to make sure your account is secure.