New research from Google has highlighted the risks many of us take when we quickly answer those ubiquitous security questions on websites after we create our passwords. These security questions and answers are especially important because they tend to be used on the sites that are most important to us from a security perspective — financial sites and online email services.
The problem is that the questions tend to be similar across sites (e.g., “Where were you born?”, “What’s your favorite food?”, “What was your first car?”, etc.), and our answers tend to be easy to guess, fairly common, or both.
Specifically, Google found:
- With a single guess, an attacker would have a 19.7% chance of guessing English-speaking users’ answers to the question “What is your favorite food?” (it was ‘pizza’, by the way)
- With ten guesses, an attacker would have a nearly 24% chance of guessing Arabic-speaking users’ answers to the question “What’s your first teacher’s name?”
- With ten guesses, an attacker would have a 21% chance of guessing Spanish-speaking users’ answers to the question, “What is your father’s middle name?”
- With ten guesses, an attacker would have a 39% chance of guessing Korean-speaking users’ answers to the question “What is your city of birth?” and a 43% chance of guessing their favorite food.
So what are some easy ways to make things safer for you?
One is to sign up for two-factor authentication wherever it is offered.
Another is to think of more complex or creative answers to these questions when they are asked of you. Be more specific. Much more specific. Use slang or a nickname only you might know. Put some random characters in the answer to make it unguessable. Google found that people who use these kinds of practices tend to have trouble remembering the answer to a security question later, but that’s what SplashID is for! Try putting the question and answer in another field of your web login record, or in the record’s notes field.
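As an added illustration (not from this post or from Google’s paper) of how the one-guess and ten-guess success rates quoted above are measured, and of why a random answer kept in a password manager changes the picture. The answer sample is constructed for the example, and the names `SAMPLE_ANSWERS`, `guess_success_rate`, `min_entropy_bits`, `random_answer` and `random_answer_success_rate` are hypothetical.

```python
import math
import secrets
from collections import Counter

# Constructed sample of 100 answers to "What is your favorite food?".
# The skew (one answer given by 20% of users) mirrors the kind of
# distribution the post describes; the values are made up, not Google's data.
SAMPLE_ANSWERS = (
    ["pizza"] * 20 + ["sushi"] * 9 + ["pasta"] * 8 + ["tacos"] * 6
    + ["steak"] * 5 + ["curry"] * 4 + ["ramen"] * 3 + ["salad"] * 3
    + ["bbq"] * 2
    + ["gumbo", "pho", "kimchi", "falafel", "haggis", "poutine", "bibimbap",
       "ceviche", "tagine", "goulash", "empanada", "pierogi", "jollof",
       "moussaka", "paella", "risotto", "borscht", "dosa", "laksa", "arepa",
       "injera", "mochi", "churros", "tamales", "baklava", "couscous",
       "dumplings", "shawarma", "lasagna", "tempura", "gyros", "nachos",
       "chili", "fondue", "hummus", "satay", "burrito", "kebab", "waffles",
       "pancakes"]
)

def _normalize(answer):
    # Sites usually compare answers case-insensitively and ignore padding,
    # so "Pizza " and "pizza" are the same answer for a guesser.
    return answer.strip().lower()

def guess_success_rate(answers, k):
    """Fraction of users hit when the k most popular answers are tried in
    frequency order; this is the 'k guesses' metric quoted in the post."""
    counts = Counter(_normalize(a) for a in answers)
    return sum(c for _, c in counts.most_common(k)) / len(answers)

def min_entropy_bits(answers):
    """Min-entropy: -log2(probability of the single most common answer)."""
    return -math.log2(guess_success_rate(answers, 1))

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

def random_answer(length=16, alphabet=ALPHABET):
    """An unguessable answer, meant to be stored in a password manager
    (e.g. a SplashID record's notes field) rather than remembered."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_answer_success_rate(k, length=16, alphabet=ALPHABET):
    """Best case for a guesser against a uniformly random answer:
    k guesses out of len(alphabet) ** length possibilities."""
    return k / (len(alphabet) ** length)

if __name__ == "__main__":
    for k in (1, 10):
        print(f"{k:>2} guesses vs. sample answers: {guess_success_rate(SAMPLE_ANSWERS, k):.0%}")
    print(f"min-entropy of sample answers: {min_entropy_bits(SAMPLE_ANSWERS):.1f} bits")
    print(f"10 guesses vs. random answer:   {random_answer_success_rate(10):.1e}")
```

Running it shows the sample's most common answer alone falls in one guess 20% of the time and the top ten cover 61%, while a 16-character random answer gives a ten-guess success rate on the order of 1e-24.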