Skip to main content

Most 'Security Questions' Aren't Very Secure

Chances are you don't give much thought to the location of your elementary school, or your mother's maiden name or your favorite literary character — unless, of course, you're trying to recover your password from an online account.

Such so-called security questions, which many websites ask as a first line of defense against a malefactor trying to reset your password, are generally either much easier to guess than anticipated, or too difficult for the average user to remember.

The information comes from Elie Bursztein and Ilan Caron, Google employees writing for the company's online security blog. The researchers studied Google's own security questions and found that they were either too easy to guess, or too difficult to remember. Neither situation is ideal.

Certain questions are easy to guess because of cultural norms. Almost 20 percent of users could guess an English-speaking user's favorite food ("pizza") in a single try.

Given 10 guesses (security questions sometimes don't have a limit on the number of successive attempts), Arabic speakers could guess a first teacher's name with 24 percent accuracy, Spanish speakers could guess a father's middle name with 21 percent accuracy and Korean speakers could guess which city a user was born in with 39 percent accuracy.

Take the flip side of the equation: Answers that are difficult to guess are also difficult to remember. "What is your library card number?" and "What is your frequent flyer number?" stymied potential attackers almost every time, but they also threw their owners for a loop. Only 22 percent of users could remember the former, while only 9 percent recalled the latter.

There are, of course, intermediary questions: those that are easy to remember, but not easy to guess, such as a pet's name or your father's middle name. Still, as Security News Daily (a publication that's since been folded into Tom's Guide) reported, these questions are hardly foolproof. Information such as your address, your family members' names and sometimes even your pet's name are available in public records (or on Facebook).

Google is currently evaluating whether it will continue to use security questions, given their inherent insecurity. In the meantime, Google also uses two-factor authentication in the form of text messages or e-mails to verify users in place of security questions wherever possible, both of which are generally more secure. Other websites may want to follow suit.

For more about security, check out our pages on the best antivirus software, the best Mac antivirus software and the best Android antivirus apps.

Marshall Honorof is a senior writer for Tom's Guide. Contact him at Follow him @marshallhonorof. Follow us @tomsguide, on Facebook and on Google+.