What's your hometown? Your favorite sports team? Your pet's name? Sure, standard "secret" security questions and answers like these might be easy to remember, but they're also a cinch to guess, according to a recent survey.
Technology Review has an interesting post about a soon-to-be-presented security survey, which found that the "secret question" method of resetting a password or otherwise establishing a user's identity is "woefully insecure."
Indeed, the story notes that even ne'er-do-wells who don't know a thing about you have a decent shot of answering such common questions as "What is your favorite town?" and "What is your favorite sports team?"
Researchers from Microsoft and Carnegie Mellon gathered a group of 130 participants for the survey, according to Technology Review, and found that 28 percent of those who "knew and were trusted" by the participants managed to guess their "secret" answers, while those who were "not trusted" by the participants still guessed right a good 17 percent of the time.
For example, take the standard "What's the name of your pet?" question: people whom the participants "would not trust with their password" guessed it right 40 percent of the time—a figure that rises to 45 percent for that old favorite, "Where were you born?," Technology Review reports.
The easiest "secret" answers to guess, of course, are often general ones that don't require any personal knowledge, such as "What is your favorite town?" and "What is your favorite sports team?," the researchers found. After all, if you guess "New York" or "Yankees" enough times, you're bound to unlock a few bank accounts eventually.
And here's the kicker, according to Technology Review: While secret questions are popular because they're supposedly easy to remember, the survey found that one in five people end up forgetting all their "secret" answers.
So, what to do, given that "secret" security questions are so pervasive? (I had to answer some myself recently for an online credit card application.)
Technology Review quotes one security expert who recommends "not choosing questions that may have common answers," such as the "What's your favorite sports team?" example.
And clearly the "What's your home town?" and "What's the name of your pet?" questions are bad bets too, given that even complete strangers could probably dig up the answers without too much trouble.
The Open Web Application Security Project wiki has a few examples of more secure secret questions, such as "What is the first and last name of your first boyfriend or girlfriend?" and "Which phone number do you remember most from your childhood?" (That said, I don't care for the "Who is your favorite actor?" question, which seems way too easy to guess.)
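The advice above boils down to a policy a site can enforce when a user picks a question and answer: reject questions whose answers are guessable without personal knowledge, reject answers that show up constantly, and then treat the answer as a secret rather than plain text. The following is an added example, not code from Technology Review, OWASP or the survey authors; the question and answer lists are constructed for illustration, and the hashing step goes beyond the article by storing answers the way passwords are stored, so a database leak does not hand out the answers.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed lists for the example, not taken from the survey or OWASP.
# Questions whose answers a stranger can guess or look up without knowing the user:
LOW_ENTROPY_QUESTIONS = {
    "what is your favorite sports team?",
    "what is your favorite town?",
    "what's your home town?",
    "where were you born?",
    "what is the name of your pet?",
    "who is your favorite actor?",
}
# Answers that are common enough to be worth guessing blindly:
COMMON_ANSWERS = {"new york", "yankees", "london", "max", "buddy", "bella", "tom hanks"}


def normalize(text: str) -> str:
    """Fold case, accents and whitespace so 'New  York' and 'new york' compare equal."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return " ".join(text.casefold().split())


def check_pair(question: str, answer: str, min_len: int = 6) -> list:
    """Return the policy violations for a proposed question/answer pair (empty list = accepted)."""
    problems = []
    if normalize(question) in LOW_ENTROPY_QUESTIONS:
        problems.append("question has a small set of likely answers")
    norm = normalize(answer)
    if len(norm) < min_len:
        problems.append(f"answer shorter than {min_len} characters")
    if norm in COMMON_ANSWERS:
        problems.append("answer is on the common-answer list")
    if norm and norm in normalize(question):
        problems.append("answer repeats the question")
    return problems


def store_answer(answer: str, salt: bytes = b"", iterations: int = 200_000) -> tuple:
    """Hash the normalized answer with a salted slow KDF, as a password store would."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, iterations)
    return salt, digest


def verify_answer(answer: str, salt: bytes, digest: bytes, iterations: int = 200_000) -> bool:
    """Recompute the hash for a reset attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for q, a in [
        ("What is your favorite sports team?", "Yankees"),
        ("Which phone number do you remember most from your childhood?", "555 0100 home line"),
    ]:
        print(q, "->", check_pair(q, a) or "accepted")
```

Normalizing before both checking and hashing matters: without it, "yankees" slips past a blocklist that only holds "Yankees", and a legitimate user who typed "New  York" at enrollment is locked out when they type "new york" at reset. Rate limiting reset attempts is still needed, since a policy like this only raises the cost of guessing rather than eliminating it.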
Related:
Are Your "Secret Questions" Too Easily Answered? [Technology Review]
Posted by youmember2001 on Mon May 18, 2009 1:30PM EDT
I find it interesting that the "survey" assumed that users actually answer the questions; I personally never give an answer to the question, but give some type of random statement instead. Normally I use a combination of random "funny" things I say or curse words (I have my own list), including some I made up on my own. Funny enough, it's always managed to work for me.