A new paper called “Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google” taps into data from millions of users worldwide to assess just how safe and effective password-recovery questions are.
How many times have you been able to remember, when you actually needed it, the answer to a recovery question? Chances are, not many. According to the study, not only is this means of protecting your email account largely ineffective, it also opens up an array of possibilities for attackers to get in easily.
Millions of questions and answers have been analyzed at Google in relation to account recovery requests. The findings place the secret questions in two categories. In the first, users have a hard time recalling the answers or cannot recall them at all; in the second, the answers are statistically easy for anyone to guess.
Either way, you end up locked out of your account or exposed to anyone willing to guess.
The reasoning behind introducing account recovery questions is arguably sound. In order for users to regain access to their own e-mail account, they have to answer a question that should be specific to them, and thereby verify who they are.
Yet this is where the logic breaks down.
In most cases, even for the simplest questions, users purposefully lie in an attempt to increase security. These false answers may keep attackers at a safe distance, but they are also less likely to be remembered by the person who made them up. The result is that nobody has access to your account.
The same happens with more complicated questions whose answers are not statistically predictable. In most cases these involve numbers, and the more complex the answer, the higher the risk of forgetting it within one month of setting it.
Another telling example featured in the Google paper concerns questions related to food. If asked what your favorite dish is, chances are that by the time you need the answer to recover your e-mail account, your preferences will have changed. Within the first month of setting the question-answer combination, users have a 74 percent chance of remembering it. Three months later, the chances drop dramatically to 50 percent.
Nonetheless, simple questions with simple, truthful answers, such as city of birth, mother’s maiden name or father’s middle name, are not safe either, even though they have an 80.1 percent chance of being recalled correctly.
Statistically, these are the easiest to break: in most cases it takes at most 10 guesses, or a little digging into your personal data, to gain access to an e-mail account.
Google shed some light on the statistics: the paper reports that an attacker has a 24 percent chance of guessing a teacher’s first name, a 21 percent chance for answers containing a father’s middle name and a 39 percent chance of guessing city of birth.
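The guessing figures above come from how concentrated the population's answers are: an attacker who knows the most popular answers simply tries the top few against every account. The following is an added example, not code from the paper or from Google, showing how a site operator could measure that risk for one of its own questions; the answer samples are constructed for illustration.

```python
"""
Estimate how guessable a personal-knowledge question is from the
distribution of answers users actually gave to it: the fraction of
accounts an attacker opens by trying the k most popular answers.
All answer samples below are constructed for illustration.
"""
from collections import Counter
from typing import Iterable


def top_k_success_rate(answers: Iterable[str], k: int) -> float:
    """Fraction of accounts whose answer is among the k most common
    answers in the population. Answers are normalised (case and
    surrounding whitespace) the way a recovery form typically
    compares them, so "Pizza " and "pizza" count as the same answer."""
    counts = Counter(a.strip().casefold() for a in answers)
    total = sum(counts.values())
    if total == 0 or k <= 0:
        return 0.0
    top = sum(n for _, n in counts.most_common(k))
    return top / total


def guess_curve(answers: Iterable[str], ks: Iterable[int]) -> dict:
    """Success rate for several guess budgets, e.g. 1, 3 and 10 guesses,
    so a question can be compared against a policy threshold."""
    answers = list(answers)
    return {k: top_k_success_rate(answers, k) for k in ks}


# Constructed sample: 20 "city of birth" answers for a population
# concentrated in a few large cities (the pattern behind the 39%).
CITY_OF_BIRTH = (
    ["Seoul"] * 8 + ["Busan"] * 3 + ["Incheon"] * 2 +
    ["Daegu", "Gwangju", "Daejeon", "Ulsan", "Suwon", "Jeonju", "Pohang"]
)

# Constructed sample: 20 "favorite food" answers, including one
# deliberately made-up answer ("x7!qw") that only its owner knows.
FAVORITE_FOOD = (
    ["pizza"] * 4 + ["Pizza "] + ["sushi"] * 2 +
    ["x7!qw", "kimchi", "pasta", "tacos", "burger", "curry", "ramen",
     "steak", "salad", "bbq", "dumplings", "noodles", "pho"]
)

if __name__ == "__main__":
    for name, sample in (("city of birth", CITY_OF_BIRTH),
                         ("favorite food", FAVORITE_FOOD)):
        print(name, guess_curve(sample, (1, 3, 10)))
```

A question whose 10-guess success rate lands anywhere near the percentages quoted in the article is one the operator should stop relying on as a sole recovery factor.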
In light of these findings, it is recommended to enable text message verification or, alternatively, a second email address.
Reportedly, both options are safer, and users succeed with reset codes at a higher rate of 75 to 80 percent.
Another recommendation: don’t leave your phone unattended if text message verification is your e-mail protection method of choice.