How pathetic those security questions really are
- maryjane48
- Buddha of the Board
- Posts: 17124
- Joined: May 28th, 2010, 7:58 pm
How pathetic those security questions really are
Have you ever been maddened into tossing a vase across a room because you can't remember what your first car was?
Have you ever begun pinching at an eyebrow until it bled because the name of the hospital in which you were born escaped you?
Google is here to tell you it's not worth getting upset.
In a fascinating and ultimately depressing blog post Thursday, Google said that it took a look at "hundreds of millions" of questions and answers that were used for account recovery claims. "We then worked to measure the likelihood that hackers could guess the answers."
What did they discover? Your intimate answers to security questions really aren't all that secure.
"Secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism," according to the post by Elie Bursztein, anti-abuse research lead, and Ilan Caron, software engineer. (They presented their findings at the International World Wide Web conference this week in Florence, Italy.)
For example, when the security question is "What is your favorite food?" there's a 19.7 percent chance that a hacker might guess an English speaker would say "pizza." With just their first guess.
If you happen to be a Spanish speaker and the security question is "What is your father's middle name?" a hacker would need 10 guesses to have a 21 percent chance of getting it right and thereby getting into your bank account.
One revelation might be especially maddening to those who believe they're clever. Some people choose deliberately false answers, thinking they'll put hackers off the trail. However, so many choose the same false answers that hackers apparently find their way in more easily.
Another deeply frustrating issue is the answers that are more difficult to randomly guess. The problem is that the person who gave the answers in the first place forgets them entirely. Part of the problem, in my experience, is forgetting the precise formulation of the answer. If you don't get it just so, the machine rejects your answer.
However, Google discovered that, for example, the question: "What is your first phone number?" only got a 55 percent success score among those who should actually know the answer.
The final parameter Google looked at was the notion of not one question, but two together. Surely this would make things safer. Well, perhaps.
It's true that there's only a 1 percent chance that a hacker could get both (easy) security questions right after 10 guesses. The slight kink is that there's only a 59 percent chance that the person who gave the original answers would get them right.
http://www.Castanet.com/news/google-shows-h ... eally-are/
- GordonH
- Сварливий старий мерзотник
- Posts: 39064
- Joined: Oct 4th, 2008, 7:21 pm
Re: how pathetic those security questions really are
I say good luck figuring out my security question answers. Since none of the places are around anymore and haven't been for years.
Last edited by GordonH on May 24th, 2015, 7:53 pm, edited 1 time in total.
I don't give a damn whether people/posters like me or dislike me, I'm not on earth to win any popularity contests.
- mexi cali
- Guru
- Posts: 9696
- Joined: May 5th, 2009, 2:48 pm
Re: how pathetic those security questions really are
Cool. Where are they?
Praise the lord and pass the ammunition
- Glacier
- The Pilgrim
- Posts: 40464
- Joined: Jul 6th, 2008, 10:41 pm
Re: how pathetic those security questions really are
lakevixen wrote:Have you ever been maddened into tossing a vase across a room because you can't remember what your first car was?
I have a trick that helps me remember my security questions every time... I provide the same answer no matter what the question is. I sort of just randomly selected the question "What is your mother's maiden name?" or "Who is the lamest poster on Castanet?" and then just answer with "blue cheese." Therefore, I don't have to even read the security question in order to answer it correctly. I figure that the double bonus is that no one is going to guess my mom's maiden name is "blue cheese."
Last edited by Glacier on May 24th, 2015, 6:22 pm, edited 1 time in total.
"No one has the right to apologize for something they did not do, and no one has the right to accept an apology if the wrong was not done to them."
- Douglas Murray
-
- Walks on Forum Water
- Posts: 12496
- Joined: Mar 19th, 2005, 12:06 pm
Re: how pathetic those security questions really are
Glacier wrote: I figure that the double bonus is that no one is going to guess my mom's maiden name is "blue cheese."
Of course not, everyone knows it's Swiss Cheese. 8-P
"Death is life's way of saying you're fired!"
-
- Guru
- Posts: 9482
- Joined: Apr 3rd, 2008, 9:22 am
Re: How pathetic those security questions really are
Fortunately for castanet users, if you try to post your password in a message, it shows up as *s.
My password is ************. See?
(hunter2)
Health forum: Health, well-being, medicine, aging, digital currency enslavement, depopulation conspiracy.
If you want to discuss anything real, you're in the wrong place.
- StraitTalk
- Lord of the Board
- Posts: 3702
- Joined: May 12th, 2009, 4:54 pm
Re: How pathetic those security questions really are
I've been using an 8-digit code for all security answers since forever. Doesn't matter what the questions are. :P
-
- Slot 16
- Posts: 22663
- Joined: Nov 27th, 2004, 12:33 pm
Re: How pathetic those security questions really are
LordEd wrote:Fortunately for castanet users, if you try to post your password in a message, it shows up as *s.
My password is ************. See?
(hunter2)
A heads up to the innocent among ye who might not get the joke: Do NOT post your password in a message here, it will, in fact, reveal your password.
-
- Guru
- Posts: 9482
- Joined: Apr 3rd, 2008, 9:22 am
Re: How pathetic those security questions really are
The joke's reference. It's an old one: http://www.bash.org/?quote=244321
-
- Slot 16
- Posts: 22663
- Joined: Nov 27th, 2004, 12:33 pm
Re: How pathetic those security questions really are
It is a good one - but I maintain that at least one person out there will seriously believe it to be true and will try it, lol.
-
- Guru
- Posts: 9482
- Joined: Apr 3rd, 2008, 9:22 am
Re: How pathetic those security questions really are
I did that on a Facebook thread once. Something security related. At least 1 password that wasn't hunter2 was posted.
It's a good lesson. Not everything posted online is true.
And now I must return to my Nigerian Prince duties.