Why You’re Answering Password Security Questions Wrong
When we sign up to a new online service, we are invariably asked to create a password. This immediately secures the new account. If you’re sensible, you choose a long, completely random string, or let a password management app do the work for you. Next in the sequence come security questions.
These questions usually ask for your mother’s maiden name, the name of your elementary school, the name of your first pet, and so on. Designed to keep our accounts safe from would-be hackers, the security questions should act as an extra line of defence.
How do you answer those questions? Do you tell the truth, the whole truth, and nothing but the truth? Unfortunately, your truthfulness could be creating an unexpected chink in your online armor. Let’s take a look at exactly how you should be answering those questions.
A Protective Barrier
Password hints are undoubtedly helpful. If you forget your Windows password, a hint is displayed after only a single failed attempt. The hint is one you selected yourself, so it can be as cryptic or as open as you feel, and its only job is to refresh your memory.
Security questions are different. We regularly face the familiar question combinations I mentioned above, and willingly provide accurate answers. Security questions are presented as an additional line of defense. However, you should consider the relative ease of obtaining some of the answers in today’s ultra-connected society.
Security researchers regularly deride security questions as lackluster. Can we have faith in a security measure whose answers can be so readily discovered?
I’m Doing It Wrong?
Attackers prey on the easy questions — colors, maiden names, first pets — because they’re easily obtainable through social media accounts. To make matters worse, if your account uses extremely specific questions and answers, an attacker can eliminate other potential passwords.
For instance, if the security question was “Where did you purchase your first car?” the attacker can immediately disregard other, easier answers.
I’m sure you’ve already twigged the obvious solution to this security problem. If the attacker is looking for an answer that directly relates to you, why not use something completely different?
- What is your mother’s maiden name? fa1c0npunc4
- Where did you meet your spouse? b1cycl3tyr3
- What was the name of your first pet? n0str0d4mu5
Okay, they’re terrible examples, but you catch my drift. If the answer is a) obscure and b) uses random characters, you’ll immediately set the security bar of your accounts that bit higher.
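To make the point concrete, here is an added example (not code from the original article) that generates random answers of the kind listed above with Python’s `secrets` module and compares their guess space, in bits, with an answer chosen from a fixed menu such as the twelve months of the year. The question list and the answer length are assumptions for illustration.

```python
import math
import secrets
import string

# Alphabet for generated answers: lowercase letters and digits, matching the
# style of the article's sample answers (fa1c0npunc4, b1cycl3tyr3, ...).
ALPHABET = string.ascii_lowercase + string.digits


def random_answer(length: int = 11, alphabet: str = ALPHABET) -> str:
    """Return a cryptographically random answer such as 'k4q9zd02mxp'."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def guess_space_bits(choices: int) -> float:
    """Bits of entropy for an answer drawn uniformly from `choices` values."""
    return math.log2(choices)


def random_answer_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random string of `length` symbols from `alphabet`."""
    return length * guess_space_bits(len(alphabet))


def expected_guesses(bits: float) -> float:
    """On average an attacker tries half the space before hitting the answer."""
    return 2 ** bits / 2


def build_recovery_sheet(questions, length: int = 11) -> dict:
    """Map each question to a fresh random answer, ready to paste into a
    password manager's notes field alongside the account password."""
    return {q: random_answer(length) for q in questions}


def compare() -> dict:
    """Guess space of a 12-entry month menu versus an 11-character random answer."""
    return {
        "month_menu_bits": guess_space_bits(12),            # about 3.6 bits
        "random_11_char_bits": random_answer_bits(11),      # about 56.9 bits
    }


if __name__ == "__main__":
    # Constructed sample questions, as seen on typical sign-up forms.
    sheet = build_recovery_sheet([
        "What is your mother's maiden name?",
        "Where did you meet your spouse?",
        "What was the name of your first pet?",
    ])
    for question, answer in sheet.items():
        print(f"{question} -> {answer}")
    print(compare())
```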
And That Will Make Me Safe?
Safer, friend, but not entirely safe.
You see, in 2015, Google published an interesting document exploring the lessons they have learned concerning security questions. Using their almost unrivalled data-set to analyze the secret questions given by their monumental user-base, they sought to understand just how effective this additional security layer is.
Our analysis confirms that secret questions generally offer a security level that is far lower than user-chosen passwords. It turns out to be even lower than proxies such as the real distribution of surnames in the population would indicate.
Surprisingly, we found that a significant cause of this insecurity is that users often don’t answer truthfully. A user survey we conducted revealed that a significant fraction of users (37%) who admitted to providing fake answers did so in an attempt to make them “harder to guess” although on aggregate this behavior had the opposite effect as people “harden” their answers in a predictable way.
Why do we attempt to lie, but then do it so badly? As you can see in the above chart, the majority of respondents provide false answers in the belief that it will increase their security. We can then assume that the general public (albeit a tiny snapshot of an enormous database) do understand that the security questions can and will be used against them.
The Google research team ultimately concludes that security questions are either somewhat secure or easy to remember, but the golden combination is rare to find. Hence, “while Google prefers SMS and email recovery, no mechanism is perfect.”
A Prime Example
Unfortunately, Google declined to offer the true size of the database used for the study. However, they confirmed that “the data considered contains hundreds of millions of data points and each question analyzed had over 1 million answers.” Substantial figures, considering their estimated user-base.
In 2016, United Airlines rolled out their new, updated security scheme for its customer accounts. The old system that relied on 4-digit PINs was rightly deemed unsuitable for accounts potentially containing hundreds of thousands of dollars of frequent flier miles. The updated system requires users to enter a unique password, as well as answer five personal security questions.
Sounds good, right? Except United Airlines ask their customers to pick a strong, unique password, and then answer their questions using a preordained set of answers. That’s right: preordained answers. For example, if you choose the question “In what month is your best friend’s birthday,” your would-be attackers have — you guessed it — a mere twelve answers to battle through. Tough times.
United reason that “the majority of security issues our customers face can be traced to computer viruses that record typing, and using predefined answers protects against this type of intrusion.”
Security researcher Brian Krebs spoke directly to United Airlines director of IT security intelligence Benjamin Vaughn. Vaughn said the company “was randomizing the questions to confound bot programs that seek to automate the submission of answers, and that security questions answered wrongly would be ‘locked’ and not asked again.”
As well as this, Vaughn confirmed to Krebs that multiple unsuccessful attempts would result in a locked account. Consequently, the user must directly communicate with United Airlines to unlock their account.
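The behaviour Vaughn describes (questions drawn in random order, a wrongly answered question locked and never asked again, and the account locked after repeated failures) is easy to model server-side. The following is an added illustration, not United’s code; the failure threshold and the plaintext answer store are assumptions, and a real deployment would store salted hashes of the answers.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class RecoveryChallenge:
    """Server-side state for one account's security-question recovery flow."""
    answers: dict                      # question -> expected answer (assumed plaintext here)
    max_failures: int = 3              # assumed threshold before the account locks
    failures: int = 0
    locked_questions: set = field(default_factory=set)
    account_locked: bool = False

    def next_question(self):
        """Pick a random question that has not been answered wrongly yet."""
        candidates = [q for q in self.answers if q not in self.locked_questions]
        if self.account_locked or not candidates:
            return None
        return secrets.choice(candidates)

    def submit(self, question: str, answer: str) -> bool:
        """Check an answer. A wrong answer locks that question; too many
        wrong answers lock the whole account until a human unlocks it."""
        if self.account_locked or question in self.locked_questions:
            return False
        expected = self.answers[question].strip().lower().encode()
        given = answer.strip().lower().encode()
        # Constant-time comparison so timing does not leak how much matched.
        if secrets.compare_digest(given, expected):
            return True
        self.failures += 1
        self.locked_questions.add(question)
        if self.failures >= self.max_failures:
            self.account_locked = True
        return False


if __name__ == "__main__":
    # Constructed sample answers, in the random style the article recommends.
    challenge = RecoveryChallenge({
        "maiden name": "fa1c0npunc4",
        "met spouse": "b1cycl3tyr3",
        "first pet": "n0str0d4mu5",
    }, max_failures=2)
    q = challenge.next_question()
    print(q, challenge.submit(q, "guess"), challenge.locked_questions)
```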
United Airlines identified a security vulnerability, but their answer didn’t entirely solve the issue. As we have seen, the only truly safe way to answer a security question is, much like a password, by providing something truly unique and random. This is in the hope that potential hackers will be frustrated by the complexity, and move on to the next account.
The finding that the general public is suffering from security fatigue is important because it has implications in the workplace and in people’s everyday life. It is critical because so many people bank online, and since health care and other valuable information is being moved to the internet.
If people can’t use security, they are not going to, and then we and our nation won’t be secure.
— Cognitive psychologist and Security Fatigue co-author, Brian Stanton
Alas, security fatigue is a very real problem. Users are increasingly tired. Security breaches and forced password resets are now so common, many users simply ignore alerts. This fatigue leads to risky user behaviour both at home and in the workplace. We suggest:
- Automate — Take control of your security, and automate scans, backups and more.
- Password Management — Password management solutions such as LastPass or KeePass are available, and both can take care of your security questions, too.
- Take Ownership — Your data security is your responsibility. We have high expectations of the institutions holding our data, and rightly so. That said, if you do not impose strong security measures at home, you will share part of the blame.
We’ve written extensively about overcoming security fatigue. Give it a read, and take back control of your security questions!
How do you answer your security questions? Have you hit the sweet spot? Or do you use a password management app? Let us know your security question tips below!