We’ve long known that humans are really, awfully bad at choosing passwords. Just terrible.
Well, it turns out that we’re just as bad at answering those secret, security questions like “What was your first pet’s name?” or “What’s your favourite food?” too.
We’re so bad at it that when we try to be good at it, we actually get worse.
Secret questions like the ones above are often used to supplement passwords on websites and as an authentication method in password recovery systems.
The reason that they’re used in password recovery systems is that in theory they’re supposed to be both secure and memorable. Recently some researchers at Google decided to find out if that idea held up in practice.
We conclude that it appears next to impossible to find secret questions that are both secure and memorable.
The problems with passwords are well understood and well documented, and all boil down to the fact that the whole idea of passwords seems to have been dreamt up in a vacuum by maths nerds.
Passwords are fine in theory – hit about twelve keys on your keyboard completely at random, commit them to memory and don’t tell anyone else. Now repeat that about twenty five more times so that you have a unique, strong password for every different site and service you use.
Do that and your accounts are pretty much as safe as houses.
The trouble is, the theory relies on humans being quite good at something our biology doesn’t want to do. Our brains are singularly unsuited to either generating randomness or remembering it.
It should be no surprise then that secret questions suffer a similar fate for similar reasons.
The theory behind secret questions is fine. They ought to be more memorable than passwords because:
- They rely on cued recall; and
- They’re things we’d remember anyway.
Unfortunately the kinds of questions that are easy to remember are often insecure because answers are common or distributed unevenly across the user population.
According to research cited by the Google paper, about 40% of questions are things like “Who’s your favourite superhero?” where there is a “trivially small” number of answers.
That means that attackers are only a few good guesses away from your secret stuff.
It’s even worse if we choose the questions ourselves. The chances are that if we’re let loose to decide our own questions then we’ll choose questions with very few possible answers.
If the number of possible answers increases, attackers can rely on the fact that because we’re all very similar, our answers tend to be too:
Statistical attacks against secret questions are a real risk because there are common answers shared among many users. For example using a single guess an attacker would have a 19.7% success rate at guessing English-speaking users’ answers for the question "Favorite food?".
The researchers also determined that attackers can use cheap crowd-sourcing tools like Amazon’s Mechanical Turk to determine the likely distribution of answers within a user population quite easily.
Some questions are harder to crack this way because each person’s answer should be unique or at least very, very rare. The trouble is, we find those answers more difficult to remember.
The potentially safest questions have abysmal recall: ... "Library card number?" has a 22% recall and "Frequent flyer number?" only has a 9% recall rate.
... The decay of memorability over time is greater for questions about numbers assigned to people vs personal questions: for the question "Frequent flyer card number?" the recall rate decreased by 18% after a month.
And it doesn’t stop there.
The researchers also uncovered that in an effort to be more secure, people often lie and because we’re so very bad at trying to be unpredictable our lies make the answers easier to guess and therefore less secure.
We’re also less likely to remember our lies:
...people provide untruthful answers to secret questions because they try to make it harder to guess (37% of the 1500 respondents) or easier to remember (15%). Ironically of course, this behavior achieves exactly the opposite effect.
As time goes by we also get worse at remembering our answers, particularly our lies.
If we do forget, we might be able to remind ourselves by looking at our public records and outpourings because, according to research by Ariel Rabkin:
...16% of questions had answers routinely listed publicly in online social networking profiles ... Other questions can be found in publicly available records. For example, at least 30% of Texas residents' mothers' maiden names can be deduced from birth and marriage records.
That’s assuming we don’t just pony up the answer when we’re asked. Another researcher, Chris Karlof, was able to use email phishing to extract answers from 92% of his targets.
The performance of personal knowledge questions is so bad that the authors recommend that websites restrict their use to low risk situations. For password recovery, email and SMS-based systems are, they say, more secure and more reliable.
As a user you may not have a choice about what form of password recovery you’re offered so if you find yourself faced with personal knowledge questions I recommend you treat them as additional passwords.
Passwords might be a poor fit for humans but we’ve been living with them long enough that there is at least some useful technology to knock the sharpest corners off.
To avoid using common, easy to guess or poorly-chosen answers, generate yourself some random combinations of letters, numbers and wacky characters and store them in a password manager.
Image of girl, something forgotten and beats his hand on the head courtesy of Shutterstock.