Security Questions

Courtesy of

What did your grandfather’s sister name her 347th mature hair follicle? You don’t remember the custom security question that you created in case you forgot your password? According to a study published by Google, you’re not alone!

In Google’s study they “analyzed hundreds of millions of secret questions and answers that had been used for millions of account recovery claims at Google. [They] then worked to measure the likelihood that hackers could guess the answers.” What they found was answers to security questions fall into one of two camps. Either the answer cannot be reliably recalled by the user or it is static information (easy answers) that is often publicly available; i.e. what is your mother’s maiden name.

In the first category, people oft-times either choose obscure questions and don’t give a lot of thought tot their answer or people make up false answers believing it will somehow make it more secure. However, three months down the line when you’re trying to think about what you had for dinner the night you created that security question, you’ll regret being so non-nonchalant. (At that point you’ve outsmarted even yourself!) Google’s study found that “40% of our English-speaking US users couldn’t recall their secret question answers when they needed to!”

On the converse side of that is answering the easy/static questions. In other words, using information such as your mother’s maiden name or the city in which you were born. However, with the way in which social media and the internet has plastered our information across the universe, using such simple questions becomes increasingly insecure. Try an experiment. See how long it takes you to figure out your best friend’s mother’s maiden name. (Hint: Send a text to your friend and ask if their mom’s maiden name is Topply. They will likely respond with, “No, it is XYZ Maiden Name.” You just successfully used a form of hacking known as social engineering to hack your best friends account. Act responsibly from that point forward.)

To give you an idea of how insecure these types of answers actually are, Google published some interesting statistics. With ten guesses the attacker has the following percentage chance of guessing your security question:

  • 24% chance of guessing your first teacher’s name
  • 21% chance of guessing your father’s middle name
  • 39% chance of guessing your city of birth

The last bullet point shouldn’t be a surprise considering that birth certificates are public records. So logically you would think having two easy/static security questions would be a more secure approach right? You’re absolutely right, but it also has a severe impact on the user’s recall rate. According to the study, the attacker has a mere 1% of guessing both answers while the user has only a 59% recall rate with two security question.

So what does Google suggest? Text message verification. “Users could remember reset codes sent via text message or email 75% [to] 80% of the time.” A hacker would likely need to know you and gain access to your phones text messages to be able to hack your account.

Seems a lot more secure right? However, if you live in a college dorm or with a family that likes to hack your social media statuses, this may not be the most secure approach either. All a malicious friend needs to do is wait for you to leave your phone out somewhere and then request a recovery code, glance at the smartphone for the lock screen text notification with the security code, enter the security code, and now your “so-called” friend can post embarrassing Facebook posts to their heart’s content. (It took my mother months to figure out how we were hacking her Facebook account to leave goofy statuses.)

They both have their pro’s and cons. If you’re in a dorm room situation and want to continue to use security questions, has recommended the following attributes for your answers to security questions:

  • Safe – Hard to guess and not readily available online
  • Stable – Unchanging (How much gas is currently in your tank is probably not a good response.)
  • Memorable – Example: What is the worst brand of spaghetti sauce you’ve ever had? (This would be applicable if you’ve had a specific traumatic spaghetti experiences.)
  • Simple – Questions that can be answered in a number of ways make for a challenging response, especially when their often case-sensitive.
  • Many – This should be a response where there are many types of answers in the world, but your response is consistently unique.

If you’re done with security questions and want a more secure way to use cell phone notification, simply turn off lock-screen notifications and add a pin. Then, use the fingerprint scanner as much as possible to avoid wandering eyeballs. (It might be time to upgrade to the iPhone 6.)

Regardless of your approach, you will want to apply the above stated best practices to ensure increased security. A hacked Facebook status is only menially damaging. A hacked bank account can have a much more severe and lasting impact. Stay safe.

What are your thoughts on Google’s findings. How are you going to be more secure with your accounts? Let us know in the comments below. (Your strategies, not your security question answers. Don’t be like those people on Jimmy Kimmel.)

Below is the infographic that Google created from the study:

Security Questions

Courtesy of Google