Google Online Security Blog: New Research: Some Tough Questions for ‘Security Questions’
Many different users also had identical answers to secret questions that we’d normally expect to be highly secure, such as "What’s your phone number?" or "What’s your frequent flyer number?". We dug into this further and found that 37% of people intentionally provide false answers to their questions, thinking this will make them harder to guess. However, this ends up backfiring because people choose the same (false) answers, which actually increases the likelihood that an attacker can break in.
- With a single guess, an attacker would have a 19.7% chance of guessing English-speaking users’ answers to the question "What is your favorite food?" (it was ‘pizza’, by the way)
- With ten guesses, an attacker would have a nearly 24% chance of guessing Arabic-speaking users’ answer to the question "What’s your first teacher’s name?"
- With ten guesses, an attacker would have a 21% chance of guessing Spanish-speaking users’ answers to the question, "What is your father’s middle name?"
- With ten guesses, an attacker would have a 39% chance of guessing Korean-speaking users’ answers to the question "What is your city of birth?" and a 43% chance of guessing their favorite food.
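The percentages above are top-k rates: the share of accounts whose answer is among the k most common answers to a question. The following is an added example, not code from the original post, that measures this rate so a defender can decide which questions are too predictable to keep; the function names, the sample answers and the threshold are constructed assumptions.

```python
from collections import Counter
import unicodedata

def normalize(answer):
    """Fold Unicode form, case and whitespace so trivially different spellings match."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def top_k_success(answers, k):
    """Share of accounts whose (normalized) answer is among the k most common ones."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(n for _, n in counts.most_common(k)) / total

def audit(question_answers, k, limit):
    """Return {question: rate} for every question whose top-k rate exceeds limit."""
    rates = {q: top_k_success(a, k) for q, a in question_answers.items()}
    return {q: r for q, r in rates.items() if r > limit}

# Constructed sample data: ten accounts per question.
FOOD = ["Pizza", "pizza", "PIZZA ", "pizza", "sushi", "Sushi",
        "pasta", "tacos", "ramen", "curry"]

# Seven honest (unique) numbers plus three users who all picked the same fake one.
# With ten honest, unique answers the top-1 rate would be 0.1; the shared fake
# answer raises it to 0.3, which is the backfire effect described above.
PHONE = ["555-0101", "555-0102", "555-0103", "555-0104", "555-0105",
         "555-0106", "555-0107", "0000000000", "0000000000", "0000000000"]

SAMPLE = {"favorite food": FOOD, "phone number": PHONE}

if __name__ == "__main__":
    for question, answers in SAMPLE.items():
        for k in (1, 3):
            print(f"{question}: top-{k} rate = {top_k_success(answers, k):.0%}")
    print("over 35% at one guess:", audit(SAMPLE, k=1, limit=0.35))
```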