Security questions are a password you never chose

Published on by David Carrero

When a form asks for your mother’s maiden name, it isn’t asking you for a secret. It’s asking you for a line in a marriage register.

That’s the whole critique; everything else is footnotes. A security question is a password with three defects an ordinary password doesn’t have: you didn’t choose it, the answer is guessable because a lot of people give the same one, and it’s frequently written down somewhere you don’t control. In exchange it’s granted an enormous privilege: it can stand in for your password. It’s the back door to your account, and it’s flimsier than the front one.

This isn’t a hunch from the trade. It’s what Google measured.

The study nobody reads before designing the form

In 2015, five researchers — Joseph Bonneau, Elie Bursztein, Ilan Caron, Rob Jackson and Mike Williamson — presented a paper at the WWW conference in Florence whose title says nearly all of it: Secrets, Lies, and Account Recovery. This was no lab study with thirty volunteers: they analysed hundreds of millions of secret answers and millions of real account recovery attempts.

The finding has two halves. Almost nobody tells you about more than one.

Half one: they get guessed

The paper’s threat model isn’t your nosy brother-in-law: it’s someone attacking accounts at scale who only needs to hit a fraction of them. Under that lens, the numbers change meaning.

With a single guess, an attacker would get 19.7% of English-speaking users’ answers to “What’s your favourite food?” One guess. The answer, in case there’s any doubt, tends to be the one you’re thinking of right now. With ten guesses they’d get 39% of Korean-speaking users’ answers to “What city were you born in?” And a single attempt lands 3.8% of Spanish speakers’ answers to the question Google served them, translated, as “What’s your father’s first surname?”

3.8% sounds like nothing until you remember the attacker isn’t attacking your account: they’re attacking a million. And you don’t need to be Google to build the list. The authors proved it: with just a thousand answers bought from a crowdsourcing service they built distributions between 75% and 80% as effective as the real one when making up to a hundred guesses. The experiment cost them $100 and less than a day.

The damning part is that questions designed to be unique don’t escape either. A frequent flyer number ought to be unrepeatable by definition; in practice, a single guess lands 4.2% among English speakers. The reason is glorious and we’ll come back to it: people lie, and they lie in herds.

Half two: they get forgotten

This is where the argument collapses entirely, because the only reason we still use security questions is the belief that they’re reliable. The premise was reasonable: remembering your home town ought to be easier than remembering xK4$mz. It isn’t. 40% of English-speaking US users could not recall their own answer when they needed it. They hadn’t forgotten it in the abstract: they were trying to get into their account and they couldn’t.

And then comes the perfect inversion, the one that should have killed this technology a decade ago. The more secure the question, the worse it’s remembered. Among that same population, “What’s your father’s middle name?” — a weak question — had a 76% success rate. “What was your first phone number?”, a good deal harder to guess, dropped to 55%. And the theoretically safest candidates sink: “What’s your library card number?” 22%, “What’s your frequent flyer number?” 9%.

Time finishes the job. For “What’s your favourite food?”, recall was 74% after a month, 53% after three months and barely 47% after a year. And recoveries don’t cluster at the start: the authors found that users are no more likely to recover an account early than late, so most people reach the question once the memory has already evaporated.

The authors’ conclusion doesn’t leave much room for reinterpretation: it appears to be nearly impossible to find secret questions that are both secure and memorable.

Lying doesn’t save you, it locks you out

The sensible reaction, once you understand the problem, is to lie: if they ask for your home town, answer “Reykjavik” and move on.

The paper measured that too, with a survey of the US population. Among those who admitted giving false answers, 37% did it to make life hard for an attacker, 15% to make the answer easier to remember — read that twice — and 31.9% for privacy, because they didn’t fancy handing their biography to a company.

The problem is that hardening an answer is a predictable gesture. That’s what the 4.2% on frequent flyer numbers is: a lot of people’s lies resemble each other far more closely than their truths do. And the bill comes due in the other half. US users who filled in “What was your first phone number?” with something seven digits long — a plausible answer — recalled it 55% of the time. Those who put in six characters, meaning those who made something up, managed 18%.

Lying without writing it down isn’t a security strategy. It’s throwing away the key.

The answer is filed at the county courthouse

Go back to your mother’s maiden name. It’s on a marriage certificate. It’s on your own birth certificate. It’s in the hands of every clerk, every records office and every genealogy site that has ever scraped one.

This isn’t a hypothetical. The paper itself cites a study by Griffith and Jakobsson that derived that surname for at least 30% of Texas residents from public birth and marriage records; and Rabkin, who found that 16% of the questions used in practice had answers routinely listed on public social media profiles.

A fact recorded in a register and displayed on your profile is not a shared secret. It’s public information with a password box in front of it.

What to do with the form that forces you

Sometimes there’s no way out: the bank demands three questions and you can’t continue without them. In that case, stop treating them as questions and treat them as what they are.

  • Answer with a password, not with your life. “What city were you born in?” can be answered with a random string from the generator, or with a phrase you’ve run through the checker first. It’s the only answer that isn’t on file anywhere.
  • Save it in your password manager, on the same entry as the site. This isn’t optional: it’s exactly the difference between 55% and 18% recall. The lie only works if you keep it.
  • If the service lets you pick another recovery method, pick it. In Google’s data, SMS worked 81% of the time and email 75%, against 61% for secret questions among English-speaking US users — and only 44% among French ones.

Google acted on its own data with the numbers in front of it: it demoted secret questions to a last resort, always paired with other signals. What the paper recommends is that they never be used alone.

Eleven years on, your insurer still asks for the name of your first pet. Answer it with sixteen random characters. It has it coming.


Sources: J. Bonneau, E. Bursztein, I. Caron, R. Jackson and M. Williamson, “Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google”, WWW 2015, Florence · V. Griffith and M. Jakobsson, “Messin’ with Texas: Deriving Mother’s Maiden Names Using Public Records”, ACNS 2005, and A. Rabkin on security questions in practice, both cited in the former.

← Back to the blog