Google recently studied the security of security questions and found that they are a pretty poor approach.

According to their findings, if a question is easy to remember, it’s also fairly easy to guess. If a question is hard to guess (like a library card number), it’s also hard to remember, which leads to frustration.

This makes complete sense to me. I’ve had a number of instances where I had to call customer service to help me log in to a site because, not only could I not remember the answer to the question, I couldn’t remember ever answering the question, so I couldn’t even make my own reasonable guess.

They didn’t cover another problem with security questions: they are easy to social engineer. Test this yourself. Assuming you can remember any, think of a couple of your own security questions and answers and then look at your Facebook page. If you are like a lot of people, you use “place of birth,” “favorite movie,” “mother’s maiden name” or the like. It’s pretty easy to use social engineering to friend someone on Facebook and then, voila! You have access to a supply of answers to security questions. (Hint: even friending me will not get you my favorite movie or book. I’ve deliberately avoided mentioning either on Facebook. Nor is pizza my favorite food.)

Two-step verification, where you have to enter a verification code sent via text message, is much more secure and doesn’t require you to remember something.

Google has summarized much of their findings in this handy infographic.


So what about you? What kinds of security questions do you use, and how do you keep your answers safe?

9 COMMENTS

  1. When you get to a certain age, the questions are ridiculous. What was the name of my first grade teacher? You’ve got to be kidding. What street did you live on when you were 10? Haven’t a clue; we moved a lot. I’m with you; I would much rather receive a set of numbers by text.

  2. Funny. I reamed out a security rep at my bank once about the impossibility of remembering the answers to the twenty questions routine they like to play – was my first school “Millers Gap?” Or was it “Millers Gap Elementary?” Or was it “Millers Gap Elementary School?” She told me to use the same word as the answer to all my security questions. So now my answer to first school is “Neuse River.” My answer to dad’s middle name is “Neuse River.” My answer to town of birth is “Neuse River.” It works good. It makes the bank security rep feel like everything is really tight and secure. Personally, I’m not so sure…

  3. There are apps that allow you to securely record these things or you can simply use an encrypted document or, if you are an Apple user, the system Keychain. All of these approaches subsume mundane security info (Q&A, passwords, usernames, etc.) under a single password or key. THAT key better be good.
    Then there is two-factor authentication but banks and other such institutions don’t seem to have caught up to that yet.
    I suspect that a lot of this rigmarole is about blame shifting. Institutions have a need to be able to plausibly argue that the victim chose guessable keys.

  4. As Marilyn hinted, it’s a bad idea to answer security questions correctly. You’re probably better off to rely on a password vault tool, and use random answers to the security questions and save the answers along with the passwords in the vault. It’s more work, but people won’t be able to break into your account by guessing.
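The approach in comment 4 (random answers kept in the password vault), written out as an added example that is not from the post or any commenter. The 32-word list is constructed for illustration; a real deployment would use a full diceware-style list, and the answer-space size used for the "honest answer" comparison is an assumption.

```python
import math
import secrets

# Constructed mini wordlist for illustration only (assumption: a real setup
# would use a diceware-style list of several thousand words).
WORDLIST = [
    "anchor", "basil", "canyon", "dune", "ember", "fjord", "glacier", "harbor",
    "island", "juniper", "kettle", "lantern", "meadow", "nebula", "orchid",
    "pebble", "quartz", "ridge", "saddle", "tundra", "umber", "velvet",
    "willow", "xenon", "yarrow", "zephyr", "amber", "birch", "cedar", "delta",
    "elm", "falcon",
]  # 32 words, so each word contributes exactly 5 bits


def guess_bits(answer_space_size: int) -> float:
    """Bits of guessing work for an honest answer drawn from a small,
    publicly inferable answer space (e.g. a favourite colour or city)."""
    return math.log2(answer_space_size)


def random_answer(n_words: int = 4, rng=secrets) -> tuple[str, float]:
    """Return a speakable, typeable answer and its entropy in bits.
    `rng` only needs a .choice() method; the default is the CSPRNG-backed
    secrets module, a seeded random.Random can be passed for testing."""
    words = [rng.choice(WORDLIST) for _ in range(n_words)]
    bits = n_words * math.log2(len(WORDLIST))
    return " ".join(words), bits


def vault_record(site: str, questions: list[str], n_words: int = 4, rng=secrets) -> dict:
    """Build the record a vault entry would hold: one independent random
    answer per question, so nothing about the account can be derived from a
    social-media profile, and no answer is reused across questions or sites."""
    return {
        "site": site,
        "answers": {q: random_answer(n_words, rng)[0] for q in questions},
    }


if __name__ == "__main__":
    # An honest "favourite colour" from ~16 common choices is trivially guessable.
    print(f"honest answer, 16 likely choices: {guess_bits(16):.1f} bits")
    ans, bits = random_answer()
    print(f"random answer: {ans!r} ({bits:.0f} bits)")
    print(vault_record("example-bank", ["Mother's maiden name", "First school"]))
```

The word-based form matters for the case in comment 2: an answer like "ember canyon saddle elm" can still be read to a phone rep, unlike a random symbol string.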

  5. Like several of you, I never answer those questions truthfully. As a Mac user, I much prefer 1Password to store my passwords, and all the fake answers to these questions. The only time I ran into a big problem was when I put a fake answer for “mother’s maiden name” at a bank site where the bank already knew the correct answer (because it was needed for the original account set-up and background check long before they thought about online banking). Red flags went up, and I was locked out and had to call and get it all fixed. At least this bank gave thought to the lack of security and adjusted their security questions.
