Password security questions remain problematic
A Google study recommends solutions that may be easier and safer.
It's been debated for some time now, but a new Google report brings the conversation closer to a consensus: prompting people to answer questions to retrieve a forgotten password poses a security risk and is often problematic for the user.
The report, titled "Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google," analyzed data from millions of users' interactions with a range of password-recovery questions. The report found that a hacker would have a 19.7% success rate at guessing answers to popular questions such as "Favorite food?" When geographical location is added to the mix, it's even easier to home in on the right answers. For example, with 10 guesses an attacker would be able to guess 39% of Korean-speaking users' answers to "City of birth?"
The report also discovered that the safer the question chosen, the less likely it is that the user will remember the answer. The researchers found that, of all the questions, the safest ones had "abysmal recall." For example, "Library card number?" has a 22% recall rate and "Frequent flyer number?" only a 9% recall rate.
The report found that many people purposefully give a wrong answer in the belief that it will make the system more secure. They are then unable to remember the answer, or they pick the same (false) answers that many other users pick, which actually increases the likelihood that a hacker can break in.
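The guessing figures above, and the effect of users converging on the same false answers, both come down to one metric: how many users an attacker compromises by trying the k most common answers. The Python below, added here as an illustration and not code from the paper or from Google, computes that metric on a constructed sample of "City of birth?" answers, split by locale to show why knowing a user's region helps the attacker.

```python
"""Estimate how guessable a security question's answers are.

Attacker model from the study: try the k most common (normalized) answers;
every user whose answer is among them is compromised. All sample data below
is constructed for illustration, not drawn from the paper.
"""
from collections import Counter, defaultdict
import re

def normalize(answer: str) -> str:
    """Canonicalize an answer so trivial variants collide
    (lowercase, strip punctuation, collapse whitespace)."""
    answer = re.sub(r"[^\w\s]", "", answer.lower())
    return " ".join(answer.split())

def top_k_success(answers, k: int) -> float:
    """Fraction of users compromised when the attacker guesses the k most
    common normalized answers in this population."""
    counts = Counter(normalize(a) for a in answers)
    if not counts:
        return 0.0
    top = sum(n for _, n in counts.most_common(k))
    return top / sum(counts.values())

def success_by_group(records, k: int):
    """Same metric per population attribute (here locale): an attacker who
    knows a user's region uses that region's answer distribution."""
    by_group = defaultdict(list)
    for locale, answer in records:
        by_group[locale].append(answer)
    return {loc: top_k_success(ans, k) for loc, ans in by_group.items()}

# Constructed sample: (locale, answer to "City of birth?")
SAMPLE = [
    ("ko", "Seoul"), ("ko", "seoul"), ("ko", "Busan"), ("ko", "Incheon"),
    ("ko", "Seoul "), ("ko", "Daegu"), ("ko", "Busan"), ("ko", "Gwangju"),
    ("en", "Springfield"), ("en", "Austin"), ("en", "Dublin"), ("en", "Leeds"),
    ("en", "Perth"), ("en", "Austin"), ("en", "Boise"), ("en", "Calgary"),
]

def report(records, k=2, threshold=0.5):
    """Return pooled rate, per-locale rates, and locales whose k-guess
    success rate exceeds the acceptable threshold (a policy choice)."""
    rates = success_by_group(records, k)
    pooled = top_k_success([a for _, a in records], k)
    flagged = sorted(loc for loc, r in rates.items() if r > threshold)
    return pooled, rates, flagged

if __name__ == "__main__":
    pooled, rates, flagged = report(SAMPLE)
    print(f"pooled top-2 success: {pooled:.1%}")
    for loc, r in sorted(rates.items()):
        print(f"  {loc}: {r:.1%}")
    print("too guessable for:", flagged)
```

In the constructed sample, two guesses compromise 31% of users overall but 62% of the Korean-locale users, which is the per-region gap the study describes.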
The paper, written by Stanford professor Joseph Bonneau with the help of a global team of researchers from Google (two of whom are American, one Israeli and one French), suggests there are myriad ways to recover passwords that are preferable to the question/answer system.
Having a passcode sent to your cell phone was found to have a success rate 20% better than the most successful question and answer (80.9% vs 60.8%). Similarly, email-based recovery increases the odds of a successful recovery by 14.5%.
Several other methods are also seen as potentially more effective, but have been slow to be adopted because of usability concerns. "Preference-based authentication" is one method. It allows users to choose a number of items (16 is suggested) that they strongly like or dislike from a large set of items ("rap music," "vegetarian food," etc.). However, this idea has not progressed because of the time required to enroll users and authenticate them.
Another idea, this one geared specifically toward social networks, would require users to identify friends in tagged photographs. This is still in the idea phase and raises security issues that may rival the question/answer system.
For now, the question-based method remains popular. Google's security researchers recommend users make sure their account recovery information is current by going through a security checkup. And when prompted to add a phone number or back-up email address, do it. It can help to avoid the issue of someone trying to penetrate your account via the secret questions.