Latest Google research debunks the myth of using fake responses to security questions; says it weakens security
Google researchers conducted a new study on the security questions we answer to protect our accounts. According to the research, users were found answering security questions with fake responses, which were relatively easier for hackers to guess.
The abstract of the research suggests that our passwords are even stronger than the answers we provide to security questions. People have admitted to giving fake responses to questions such as “Who is your father?” or “What place do you live in?”. About 37% of users admitted to providing fake answers, which not only weakens account security but also raises the probability of forgetting them. There have been situations in which we don’t remember the response to a particular question and get locked out of the account.
“We examine the first large real-world data set on personal knowledge question’s security and memorability from their deployment at Google. Our analysis confirms that secret questions generally offer a security level that is far lower than user-chosen passwords,” Google said.
Many people believe that the real answers to security questions are easy to obtain, and that anyone who knows them can hijack the account. However, by providing fake answers they are actually weakening account security and also increasing the risk of getting locked out.
Google stated that, out of millions, nearly 40% of users weren’t able to recall their security answers for recovery. The success rate of this method is even lower than that of the SMS reset method, which has a success rate somewhere near 80%.
On the flip side, however, questions such as “your first number” also fall into the category of worst memorability. Apparently, such questions also worsen the security posture of an online account.
Google said that it can be annoying not to know the answer, but it's even worse when the account is made vulnerable by the use of fake responses.
Security is an important issue to handle. Internet companies, including Google and Facebook, collectively spend billions on their employees and bug hunters to make the internet a safer place to use. However, no matter how secure the infrastructure is, the user is the one who breaks it. A human being is the weakest link in a security posture, and hackers often exploit this weakness. Many successful attacks have been carried out using nothing more than conventional phishing.
So what are the remedies: increasing the complexity by adding more questions, or raising awareness among users not to use fake passwords?