How pathetic those security questions really are

maryjane48
Buddha of the Board
Posts: 17124
Joined: May 28th, 2010, 7:58 pm

How pathetic those security questions really are

Post by maryjane48 »

Have you ever been maddened into tossing a vase across a room because you can't remember what your first car was?

Have you ever begun pinching at an eyebrow until it bled because the name of the hospital in which you were born escaped you?

Google is here to tell you it's not worth getting upset.

In a fascinating and ultimately depressing blog post Thursday, Google said that it took a look at "hundreds of millions" of questions and answers that were used for account recovery claims. "We then worked to measure the likelihood that hackers could guess the answers."

What did they discover? Your intimate answers to security questions really aren't all that secure.

"Secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism," according to the post by Elie Bursztein, anti-abuse research lead, and Ilan Caron, software engineer. (They presented their findings at the International World Wide Web conference this week in Florence, Italy.)

For example, when the security question is "What is your favorite food?" there's a 19.7 percent chance that a hacker might guess an English speaker would say "pizza." With just their first guess.

If you happen to be a Spanish speaker and the security question is "What is your father's middle name?" a hacker would need 10 guesses to have a 21 percent chance of getting it right and thereby getting into your bank account.

One revelation might be especially maddening to those who believe they're clever. Some people choose deliberately false answers, thinking they'll put hackers off the trail. However, so many choose the same false answers that hackers apparently find their way in more easily.

Another deeply frustrating issue is the answers that are more difficult to randomly guess. The problem is that the person who gave the answers in the first place forgets them entirely. Part of the problem, in my experience, is forgetting the precise formulation of the answer. If you don't get it just so, the machine rejects your answer.

However, Google discovered that, for example, the question: "What is your first phone number?" only got a 55 percent success score among those who should actually know the answer.

The final parameter Google looked at was the notion of not one question, but two together. Surely this would make things safer. Well, perhaps.

It's true that there's only a 1 percent chance that a hacker could get both (easy) security questions right after 10 guesses. The slight kink is that there's only a 59 percent chance that the person who gave the original answers would get them right.

http://www.Castanet.com/news/google-shows-h ... eally-are/
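The trade-off the article describes (common answers are guessable, a second question lowers the guesser's odds but also the owner's) can be measured from an answer-frequency table. This is an added example, not part of the original post or of Google's study; the data, the `name01`-style labels, the function names and the independence assumption are all constructed for illustration.

```python
import heapq
import math

# Constructed sample data: answer counts per 1000 accounts. Only the 19.7%
# share for "pizza" and the 21%-in-10-guesses total come from the post;
# every other number and all the name labels are made up for illustration.
# Answers not listed are treated as a long tail of rare answers.
TOTAL = 1000
FAVORITE_FOOD = {"pizza": 197, "pasta": 60, "sushi": 45,
                 "chicken": 40, "steak": 35, "tacos": 30}
FATHER_MIDDLE_NAME = {f"name{i:02d}": c for i, c in enumerate(
    [40, 32, 27, 24, 21, 18, 15, 13, 11, 9], start=1)}


def success_within(counts, total, k):
    """Share of accounts whose answer is among the k most common answers."""
    return sum(sorted(counts.values(), reverse=True)[:k]) / total


def joint_success_within(counts_a, counts_b, total, k):
    """Share of accounts where BOTH answers fall in the k likeliest pairs.

    Assumes the two answers are independent (an assumption of this sketch).
    The k likeliest pairs can only use the top k answers of each question.
    """
    pa = sorted((c / total for c in counts_a.values()), reverse=True)[:k]
    pb = sorted((c / total for c in counts_b.values()), reverse=True)[:k]
    return sum(heapq.nlargest(k, (x * y for x in pa for y in pb)))


def owner_recall_all(recall_rates):
    """Chance the real owner answers every question, assuming independence."""
    return math.prod(recall_rates)


if __name__ == "__main__":
    one = success_within(FAVORITE_FOOD, TOTAL, 1)
    ten = success_within(FATHER_MIDDLE_NAME, TOTAL, 10)
    both = joint_success_within(FAVORITE_FOOD, FATHER_MIDDLE_NAME, TOTAL, 10)
    print(f"favorite food, 1 guess:        {one:.1%}")
    print(f"father's middle name, 10:      {ten:.1%}")
    print(f"both questions, 10 guesses:    {both:.1%}")
    # 0.55 is the post's recall figure for the phone question; 0.80 is made up.
    print(f"owner recalls both (0.55*0.80): {owner_recall_all([0.55, 0.80]):.1%}")
```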
GordonH
Grumpy old scoundrel
Posts: 39064
Joined: Oct 4th, 2008, 7:21 pm

Re: how pathetic those security questions really are

Post by GordonH »

I say good luck figuring out my security question answers, since none of the places are around anymore and haven't been for years.
Last edited by GordonH on May 24th, 2015, 7:53 pm, edited 1 time in total.
I don't give a damn whether people/posters like me or dislike me, I'm not on earth to win any popularity contests.
mexi cali
Guru
Posts: 9696
Joined: May 5th, 2009, 2:48 pm

Re: how pathetic those security questions really are

Post by mexi cali »

Cool. Where are they?
Praise the lord and pass the ammunition
Glacier
The Pilgrim
Posts: 40464
Joined: Jul 6th, 2008, 10:41 pm

Re: how pathetic those security questions really are

Post by Glacier »

lakevixen wrote: Have you ever been maddened into tossing a vase across a room because you can't remember what your first car was?

I have a trick that helps me remember my security questions every time... I provide the same answer no matter what the question is. I sort of just randomly selected the question "What is your mother's maiden name?" or "Who is the lamest poster on Castanet?" and then just answer with "blue cheese." Therefore, I don't even have to read the security question in order to answer it correctly. I figure that the double bonus is that no one is going to guess my mom's maiden name is "blue cheese."
Last edited by Glacier on May 24th, 2015, 6:22 pm, edited 1 time in total.
"No one has the right to apologize for something they did not do, and no one has the right to accept an apology if the wrong was not done to them."
- Douglas Murray
LoneWolf_53
Walks on Forum Water
Posts: 12496
Joined: Mar 19th, 2005, 12:06 pm

Re: how pathetic those security questions really are

Post by LoneWolf_53 »

Glacier wrote: I figure that the double bonus is that no one is going to guess my mom's maiden name is "blue cheese."


Of course not, everyone knows it's Swiss Cheese. 8-P
"Death is life's way of saying you're fired!"
LordEd
Guru
Posts: 9482
Joined: Apr 3rd, 2008, 9:22 am

Re: How pathetic those security questions really are

Post by LordEd »

Fortunately for castanet users, if you try to post your password in a message, it shows up as *s.

My password is ************. See?

(hunter2)
Health forum: Health, well-being, medicine, aging, digital currency enslavement, depopulation conspiracy.

If you want to discuss anything real, you're in the wrong place.
StraitTalk
Lord of the Board
Posts: 3702
Joined: May 12th, 2009, 4:54 pm

Re: How pathetic those security questions really are

Post by StraitTalk »

I've been using an 8-digit code for all security answers since forever. Doesn't matter what the questions are. :P
Jo
Slot 16
Posts: 22663
Joined: Nov 27th, 2004, 12:33 pm

Re: How pathetic those security questions really are

Post by Jo »

LordEd wrote: Fortunately for castanet users, if you try to post your password in a message, it shows up as *s.

My password is ************. See?

(hunter2)


A heads up to the innocent among ye who might not get the joke: Do NOT post your password in a message here, it will, in fact, reveal your password.
LordEd
Guru
Posts: 9482
Joined: Apr 3rd, 2008, 9:22 am

Re: How pathetic those security questions really are

Post by LordEd »

The joke's reference. It's an old one: http://www.bash.org/?quote=244321
Jo
Slot 16
Posts: 22663
Joined: Nov 27th, 2004, 12:33 pm

Re: How pathetic those security questions really are

Post by Jo »

It is a good one - but I maintain that at least one person out there will seriously believe it to be true and will try it, lol.
LordEd
Guru
Posts: 9482
Joined: Apr 3rd, 2008, 9:22 am

Re: How pathetic those security questions really are

Post by LordEd »

I did that on a Facebook thread once. Something security related. At least 1 password that wasn't hunter2 was posted.

It's a good lesson. Not everything posted online is true.

And now I must return to my Nigerian Prince duties.