May 25, 2015 · 2 minutes

Google researchers claim that the answers to many of the security questions used to recover an online account -- often after someone has forgotten their password or tries to log in with a new device -- aren't particularly secure.

These problems were identified after the researchers "analyzed hundreds of millions of secret questions and answers that had been used for millions of account recovery claims at Google" to determine how secure the questions are.

The first problem is that hackers can often guess the answers to easy questions about someone's favorite food or city of birth, because the answers aren't unique across users. For example, a hacker with one try has an estimated 19.7 percent chance of correctly guessing that an English-speaking user said pizza is their favorite food.

Part of this problem is that many people chose to lie about the answers to some questions -- and they chose the same lie as other consumers. Google explains:

Many different users also had identical answers to secret questions that we’d normally expect to be highly secure, such as "What’s your phone number?" or "What’s your frequent flyer number?". We dug into this further and found that 37% of people intentionally provide false answers to their questions thinking this will make them harder to guess. However, this ends up backfiring because people choose the same (false) answers, and actually increase the likelihood that an attacker can break in.

The second problem is that people can't remember the answers to questions that would be harder to guess. As an example, people asked to remember their frequent flier number, which is unique to them and difficult for someone to randomly guess, only remembered that number about 9 percent of the time.

Memories don't only fail when long, barely-used numbers are concerned. People also have a hard time remembering the answers to multiple questions:

According to our data, the ‘easiest’ question and answer is "What city were you born in?"—users recall this answer more than 79% of the time. The second easiest example is "What is your father’s middle name?", remembered by users 74% of the time. If an attacker had ten guesses, they’d have a 6.9% and 14.6% chance of guessing correct answers for these questions, respectively.

But, when users had to answer both together, the spread between the security and usability of secret questions becomes increasingly stark. The probability that an attacker could get both answers in ten guesses is 1%, but users will recall both answers only 59% of the time. Piling on more secret questions makes it more difficult for users to recover their accounts and is not a good solution, as a result.

Similar problems apply to passwords. People either use the same password for multiple accounts -- which Starbucks customers recently learned is a bad idea -- or forget the unique string of alphanumeric characters used for each one.
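The arithmetic behind these figures, as an added example that is not from the article or from Google's study: the Python below computes an attacker's success rate against a question from a histogram of answers (the attacker knows the distribution and tries the most common answers first, with a fixed guess budget), combines independent questions for both the attacker and the forgetful user, and shows how a shared fake answer turns an otherwise unguessable question into a guessable one. The answer histograms are constructed for illustration; only the percentages quoted in the article come from the study. The independence of answers across questions, the equal per-question guess budget, and the function names are all assumptions of this example.

```python
from collections import Counter


def guess_success(answer_counts, beta):
    """Share of users an attacker compromises with `beta` guesses when the
    attacker knows the answer distribution and tries the most common
    answers first (the beta-success-rate used in guessing-resistance
    studies). `answer_counts` maps answer -> number of users."""
    total = sum(answer_counts.values())
    if total == 0 or beta <= 0:
        return 0.0
    top = sorted(answer_counts.values(), reverse=True)[:beta]
    return sum(top) / total


def joint_success(per_question_rates):
    """Attacker must hit every question. Assumption: answers are independent
    and the attacker spends the same guess budget on each question."""
    p = 1.0
    for rate in per_question_rates:
        p *= rate
    return p


def joint_recall(per_question_recall):
    """Legitimate user must recall every answer; same independence assumption."""
    return joint_success(per_question_recall)


def apply_shared_lie(answers, lie_fraction, lie_answer):
    """Constructed model of the users who give a false answer: `answers` holds
    one entry per user; the first `lie_fraction` share of users replace
    their real answer with the same fake one."""
    k = int(len(answers) * lie_fraction)
    return [lie_answer] * k + list(answers[k:])


def demo():
    # Constructed favourite-food histogram for 1000 users, with "pizza" at
    # 19.7% to match the article's headline figure; the rest is invented.
    food = Counter({"pizza": 197, "sushi": 95, "pasta": 83, "tacos": 70,
                    "steak": 60, "curry": 55, "burger": 50, "salad": 40,
                    "ramen": 35, "chocolate": 30})
    food.update({f"dish{i}": 1 for i in range(285)})  # long tail of one-offs

    # Constructed phone numbers: every user's answer is unique, so a
    # single guess almost never works...
    phones = [f"555{i:07d}" for i in range(1000)]
    # ...until 37% of users "protect" themselves with the same fake number.
    lied = apply_shared_lie(phones, 0.37, "0000000000")

    return {
        "food_1_guess": guess_success(food, 1),                 # 0.197
        "food_10_guesses": guess_success(food, 10),             # 0.715
        "phone_1_guess": guess_success(Counter(phones), 1),     # 0.001
        "phone_lied_1_guess": guess_success(Counter(lied), 1),  # 0.37
        # Per-question figures quoted in the article, combined for two
        # questions under the independence assumption.
        "both_attacked_10_guesses": joint_success([0.069, 0.146]),  # 0.010074
        "both_recalled": joint_recall([0.79, 0.74]),                # 0.5846
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.4f}")
```

Two things worth noticing when running it. First, a unique-per-user answer such as a phone number is effectively unguessable (0.1 percent for one guess over 1,000 users) until a shared lie is introduced, at which point a single guess of the popular fake value succeeds 37 percent of the time, which is exactly the backfire Google describes. Second, under the independence assumption the article's per-question numbers reproduce its combined ones: 6.9% × 14.6% is about 1.0% for the attacker and 79% × 74% is about 58.5% for the user, so adding a second question cuts the attacker's odds by roughly seven times but also locks out two in five legitimate users.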

So what should people do? Well, so far as Google is concerned, they should make sure they remember the answers to their security questions and have a recent phone number or backup email address on file. That way the company can send them unique codes that offer some security without too much hassle.

But so far as the rest of the Web is concerned? Many people are probably best off using a password manager and storing the answers to hard-to-guess security questions in a safe place. Beyond that, a rabbit's foot might come in handy.

[illustration by Brad Jonas]