26.05.2015 15:40:46

Google: Password Security Questions Unreliable

(RTTNews) - A study from search engine giant Google Inc. (GOOG) has revealed that security questions for passwords are neither secure nor reliable enough to be used as a standalone account recovery mechanism.

The company analyzed hundreds of millions of secret questions and answers that had been used for millions of account recovery claims at Google, and then worked to measure the likelihood that hackers could guess the answers.

According to Google, the security questions suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember—but rarely both.

Google noted that easy answers often contain commonly known or publicly available information, or are in a small set of possible answers for cultural reasons.

The company said that with a single guess, an attacker would have a 19.7 percent chance of guessing English-speaking users' answers to the question "What is your favorite food?"

Similarly, with ten guesses, an attacker would have a nearly 24 percent chance of guessing Arabic-speaking users' answers to the question "What's your first teacher's name?"

Also, with ten guesses, an attacker would have a 21 percent chance of guessing Spanish-speaking users' answers to the question, "What is your father's middle name?"

For Korean-speaking users, with ten guesses, an attacker would have a 39 percent chance of guessing their answers to the question "What is your city of birth?" and a 43 percent chance of guessing their favorite food.

Many different users also had identical answers to secret questions like "What's your phone number?" or "What's your frequent flyer number?"

According to Google's data, the easiest question and answer to remember is "What city were you born in?" Users recalled this answer more than 79 percent of the time. The second easiest example is "What is your father's middle name?", which was remembered by users 74 percent of the time.

If an attacker had ten guesses, they would have a 6.9 percent and 14.6 percent chance of guessing correct answers for these questions, respectively.

Google also found that difficult secret questions and answers, like where your mother went to elementary school or what your library card number is, are often hard to use.

Further, the company found that adding more questions significantly reduces the chances of people recovering their accounts.

Google said, "We strongly encourage Google users to make sure their Google account recovery information is current... In parallel, site owners should use other methods of authentication, such as backup codes sent via SMS text or secondary email addresses, to authenticate their users and help them regain access to their accounts. These are both safer, and offer a better user experience."

The findings of the analysis were summarized in a paper recently presented at WWW 2015.
