Study: password resetting 'security questions' easily guessed

Summary: How secret are the 'secret questions' used for resetting forgotten passwords? Not so secret after all, according to a just-published study entitled "It's no secret: Measuring the security and reliability of authentication via 'secret' questions", which found that 17% of the study's participants were able to answer the 'secret questions' of strangers, and that the most popular questions were in fact the easiest ones to answer.

Here's the abstract of the study, presented at this year's IEEE Symposium on Security and Privacy by Stuart Schechter, A. J. Bernheim Brush, and Serge Egelman:

"We ran a user study to measure the reliability and security of the questions used by all four webmail providers. We asked participants to answer these questions and then asked their acquaintances to guess their answers. Acquaintances with whom participants reported being unwilling to share their webmail passwords were able to guess 17% of their answers. Participants forgot 20% of their own answers within six months. What’s more, 13% of answers could be guessed within five attempts by guessing the most popular answers of other participants, though this weakness is partially attributable to the geographic homogeneity of our participant pool."

Moreover, upon assessing the memorability of the 'secret questions', the user study, which involved 130 participants (64 male and 66 female), also found that the questions hardest to guess were also the hardest to remember.

Two other recently conducted studies confirm these findings. In "Choosing Better Challenge Questions", Mike Just and David Aspinall found that users tend to stick to low-entropy answers, which are potentially vulnerable to brute-force attacks. The researchers came to the same conclusion in their second study, "Challenging Challenge Questions", pointing out that, given an average answer length of less than 8 characters, an authentication system relying on only a single security question is highly vulnerable to brute-force attack.
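The two measurements the studies above rely on, the share of answers an attacker recovers by submitting the most popular answers of other participants and the effective entropy of an answer set, can be reproduced on a small answer corpus. The code below is an added example, not the study's or the article's; the answers in it are constructed sample data, and the leave-one-out ranking and the name-based tie-break are assumptions made so the result is deterministic.

```python
"""Measure how guessable a set of security-question answers is.

Added example (not from the study or the article). For each participant,
a "statistical guessing" attacker submits the k most popular answers given
by the *other* participants; we record whether that hits. We also compute
the Shannon entropy of the answer distribution, the effective keyspace an
attacker faces, against the nominal keyspace of a short string.
"""
from collections import Counter
import math

# Constructed sample: 20 answers to "What was your first pet's name?"
SAMPLE_ANSWERS = (
    ["Max"] * 5 + ["Buddy"] * 3 + ["bella", "Bella ", "BELLA"]
    + ["Charlie", "Lucy", "Zeppelin", "Rufus", "Snowball", "Tiger",
       "Ginger", "Oreo", "Modern Automotive Mechanics"]
)

def normalize(answer):
    """Compare the way a lenient reset form does: case- and whitespace-insensitive."""
    return " ".join(answer.lower().split())

def guessable_within(answers, k):
    """Fraction of participants whose answer is among the k most popular
    answers of the *other* participants (leave-one-out; ties are broken
    alphabetically so the ranking is deterministic)."""
    norm = [normalize(a) for a in answers]
    counts = Counter(norm)
    hits = 0
    for mine in norm:
        others = counts.copy()
        others[mine] -= 1                      # leave this participant out
        if others[mine] == 0:
            del others[mine]
        ranked = sorted(others, key=lambda a: (-others[a], a))
        hits += mine in ranked[:k]
    return hits / len(norm)

def entropy_bits(answers):
    """Shannon entropy of the answer distribution, in bits."""
    norm = [normalize(a) for a in answers]
    n = len(norm)
    return -sum(c / n * math.log2(c / n) for c in Counter(norm).values())

def nominal_bits(length, alphabet_size=26):
    """Nominal keyspace, in bits, of a lowercase answer of the given length."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    for k in (1, 3, 5):
        print(f"guessed within {k} attempts: {guessable_within(SAMPLE_ANSWERS, k):.0%}")
    print(f"answer entropy: {entropy_bits(SAMPLE_ANSWERS):.2f} bits "
          f"(a 7-letter lowercase answer nominally has {nominal_bits(7):.1f} bits)")
```

On this sample the three most popular answers alone recover more than half of the participants, and the effective entropy is a small fraction of the nominal keyspace of a 7-letter answer, which is the gap the brute-force argument turns on.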

And whereas brute-force attempts against security questions are a feasible attack tactic, real-world attacks tend to be a little more pragmatic than that, especially in a Web 2.0 world where the majority of potential victims have already, consciously or unconsciously, published the answers to their security questions on the Web.

Case in point: the applicability of these findings is confirmed by real-life incidents. The Sarah Palin hacker managed to reset her password by Googling for the answer to her 'secret question', and two similar password-reset attacks were aimed at Twitter employees over the past year. Moreover, a huge percentage of the commercial 'password recovery services' and email-hacking-for-hire propositions rely on password-reset attacks, alongside plain malware infection and attempts to exploit an XSS flaw within a particular web-based email service provider.

All of these findings, combined with the misalignment between end users' perception of the security offered by security questions and the extent to which the answers have already been made public, can be summarized with a single security tip: make sure you don't tweet about how much fun you had on your honeymoon in Paris a couple of years ago when your security question is "Where did you spend your honeymoon?", which you would presumably have answered correctly.

What do you think, are security questions a viable form of authentication? Talkback.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • Always been questionable.

    It's always been a questionable method.

    I've been listening to an internet security podcast - and frankly, we've known this for years. It's a pretty poor way to recover passwords.
  • RE: Study: password resetting 'security questions' easily guessed

    Well no one said you have to give an accurate answer to the question. You just give an answer you are likely to remember but other people are unlikely to guess.

    Question: What was your first pet's name?
    Answer: "Modern Automotive Mechanics"

    Doesn't address the brute force thingy, but it's a start.

    (or whatever)
  • RE: Study: password resetting 'security questions' easily guessed

    Part of the problem is the standardized set of questions used. I prefer sites that let me create my own questions. Two advantages here. I can word the question in such a way that I know what it's asking but it isn't so obvious to someone else, and then put in the answer as I see it. As Oorang mentioned, they don't have to match or be spelled correctly. Just have to make sure the question and answer have a link for me. I also like pass phrases, longer (128 to 256 characters max) and harder to guess, but personally I find them much easier to remember.
  • RE: Study: password resetting 'security questions' easily guessed

    My first defence is to choose sites which allow me to frame my question.

    Next I use a question which is a combination of more than one language - I know 6 Indian languages and one of them is a very rare, non-scripted language! One or two words from each language and only I can answer it!

    Stretching this further, the answer is also in one language and the question has the name of that language.

    Finally the question is about something at home - so no one really knows the answer except me.

  • RE: Study: password resetting 'security questions' easily guessed

    I would think that the sure way to make the answer impossible to guess is for the one answering not to use the CORRECT or even necessarily related answer to the question. Once the answer is at variance with the truth to that extent the whole world is potentially the answer given.
    • Addendum to initial comment

      Also, if the answers given are way out of reality and extremely difficult for the person to remember then all the better, except the person must keep a record of all questions and answers given in a separate securely protected database, of all Q's and A's to all his protected sites, for which the main access password is unique to that database, never before or after used and can be remembered without fail. Otherwise, his access to all sites is lost forever.
      • Pass on Security Questions

        I agree with thirdteam. In fact, if possible, choose questions that have no answer; i.e., "What was the name of your first pet?" If one has never had a pet (yes, there are people like that), one can answer anything. The downside is that all the answers must be recorded in a secure database, but we have to keep that anyhow, because there are so many user IDs and passwords to keep track of.

        So now we are reduced to lying to protect our privacy. What a sad commentary on our "open" society.
        • The state of society

          You got it right. The only answer to that is what a friend of mine does. He stays off the internet and any connection of any sort outside his standalone computer.
  • RE: Study: password resetting 'security questions' easily guessed

    I've always believed that requiring answers to these 'security questions' actually injects significant vulnerabilities into any security paradigm. I like the response above though that suggested answering those questions with incorrect info, though I wonder how well I might remember any such incorrect answers anyways.
    • Response to question of remembering

      I think that maybe my addendum to my initial response will provide you the answer. Take a look.
    • RE: Study: password resetting 'security questions' easily guessed

      I remember hearing a supposed Lincoln quote in elementary school, that "No one has a good enough memory to be a successful liar." I am the perfect example of that. For me it has to be a question to which the answer will NEVER change. It can't be something like your favorite author, because that could change next time you go to the library, and then what. Or that could be something that is public knowledge among everyone you know because you talk about him all the time.
      I do remember the name of my first pet, and no one is likely to remember it but me, even in the family, because to the rest of them, he wasn't their first pet.
      David E Cook
  • What do you think, are security questions a viable form of authentication?

    Was that a covert secret question, and by answering it will I be inadvertently allowing you to access all my password-protected websites?
  • institutions avoid upgrade costs at our expense

    No. Security questions are barely better than none at all. This is similar in principle to using WEP on a wireless network. Organizations must move to two factor security using smart cards. This is widely done in Europe. Why are we so behind on this in the US? Cost. Organizations don't care about securing our information. They care about satisfying the law which requires due diligence. If the security question method is considered due diligence, then they have performed their legal duty even if customers continue to get compromised. It is this kind of hesitance to move forward that eventually causes the state and federal governments to write legislation requiring action. When that happens, it is far more sweeping and far more expensive. Get with it US companies! Implement two factor security.
  • RE: Study: password resetting 'security questions' easily guessed

    Don't put in answers to security questions as requested.
    Just put in some really off the wall questions that don't fit the norm. An example would be: what is your favorite game? Ans: Smithsville. It works fine.
  • Sheesh, we've got fingerprint scanners in 8m HP consumer laptops next year

    So why isn't ANYONE realizing that you can use fingerprint scanners for strong authentication of anyone over the internet? Look at what McKesson uses for Accudose, or what the US Federal Courts use for their web-based probation check-in. The funniest irony is that product managers for online services say, "we aren't offering it, because no one's asking for it," when the average user has no clue that it can even be done. Ask the horse-and-buggy crowd what they wanted, and they wouldn't describe a freakin automobile, people! I'm about to give up trying to help address this - too much stupidity.
    • Fingerprint scanners?

      What if the person that owns the device that has a fingerprint scanner dies? Then what?
      • RE: Study: password resetting 'security questions' easily guessed

        Then, who cares? If I am dead, you can hack my all you want, or not. But settling your estate is not likely going to happen by getting past your online-banking login. It will be done through the probate court and an entirely different process of validation using a death certificate and so on.
        David E Cook
  • RE: Study: password resetting 'security questions' easily guessed

    Yes, I do think they are a viable method of authentication. Problem is, the mainstream isn't given the info to not use anything publicly known. If all they provide are questions wanting publicly known data, then mentally modify it. There is NO reason you have to use a legitimate answer: Make it a strong password instead. Nothing forces you to give your high school graduated, or year, and they sure don't care what you use for an answer. Make it something like My highschool was <password> in which I excelled in <password>. Or <password> this is a really <password> stupid question<password>. If you don't have multiple passwords, or want to make say 3 new ones, use variations on the one you do have, adding prefix/suffix, whatever. A little thought goes a long ways.
    IF you care, that is. Do I care if anyone hacks my password here? No, not a whit. So use a little common sense too.
    Then DOCUMENT it! I have no sympathy for those who "lose" a password more than once.
  • RE: Study: password resetting 'security questions' easily guessed

    If systems just follow this article, everything should be all set...
  • RE: Study: password resetting 'security questions' easily guessed

    I have gone through the article. I think it is a very appropriate article written on a subject which needs attention, especially when a lot of social networking sites are coming up which vary in content from Job and Professional Networking to Family and Friends. People post almost all sorts of information across these sites, and any hacker can now use social engineering techniques: by searching these social networking sites, most of these "Security Questions" can be answered correctly.

    Security Questions have been in implementation for quite some time, but now they are no longer safe. I think, with the change of the environment, these kinds of logical controls should be reevaluated.

    Tarun Gupta