How Secure Are Secret Answers If You Forget A Password?

Remember the last time you created an account on some kind of website? You probably recall that you were asked to set a security question and a secret answer. Here's a brief explanation for those who know nothing about this. A security question is a measure used to authenticate users when they forget their passwords and/or logins. It can be used to add an extra layer of security upon login too, but, in most cases, users are asked to provide it during the password recovery procedure. These security questions ask something personal, for example, favorite sport, movie, childhood nickname, mother's maiden name, or the name of the school attended in the 6th grade, so, in theory, the secret answer is something only the user knows. Well, at least it should be like this.

Are security questions really secure?

You probably already know what password security is and how important it is to set complex passwords for all online accounts to prevent cyber attacks; however, have you ever wondered whether your secret answer is really secure? Security questions were introduced to strengthen account security by preventing cybercriminals from resetting passwords and then illegally logging into the affected accounts, but some specialists say that they are far from secure. According to them, they are, instead, a potential security loophole that might allow hackers to gain unauthorized access. Facebook, Google, and Microsoft are among the companies that have already moved from security questions and secret answers to stronger options, such as asking for a unique code from an authenticator, but a great number of firms still use them, thus making cybercriminals' dirty job easier.

Despite the prevalence of security questions, no in-depth analyses had been conducted until Google analyzed hundreds of millions of security question and secret answer combinations used for Google account recovery back in 2015. Elie Bursztein, Google's anti-abuse research lead, and Ilan Caron, a software engineer, arrived at the conclusion that “secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism.” According to the specialists, the main problem with the secret answers users set for their accounts is that they are either easy to remember or somewhat secure, but definitely not both. To put it simply, a secret answer cannot be both easily memorable and secure.

Users tend to choose the first variant, i.e. they usually set easy-to-remember answers and, as a consequence, make it a piece of cake for hackers to guess them. People share a bunch of personal details on social-networking websites these days, which makes it even easier for hackers to find information on targeted people. For example, we bet it would not be too hard for us to find your mother's maiden name, your father's middle name, or the name of the elementary school you attended if we closely inspected your Facebook Timeline. According to Google, about 16% of all secret answers can be found on social media. On top of that, every new data breach makes it easier to guess answers to security questions, specialists say.

Some secret answers can be guessed simply because they contain commonly known information. There is a 19.7% chance of cracking the answer to the question “What is your favorite food?” provided by English-speaking users, specialists say. It is, no doubt, pizza! Even worse, the study showed that some services use questions with a small pool of potential answers, for instance, “What is your favorite superhero?” Hackers can guess a secret answer to this question using the trial and error method, i.e. trying out all the superheroes they know until they find the right one and can reset the account's password. The same can be said about culture-specific answers.

Some 37% of Internet users believe that they will make their secret answers harder to guess by intentionally providing false answers, but, actually, it turns out to be quite the opposite. That is, they end up setting the same secret answer a bunch of other users use, making it easier for hackers to bypass it. In other words, they tend to “strengthen” their answers in a predictable way. Additionally, another problem with these fictitious secret answers is that users cannot remember them after some time.

One more problem with security questions

There is probably no need to say it again – security questions are not the best security measure, but that is not the only reason they are doomed to disappear. Specialists say that they do not perform their main function. That is, they do not help people recover their accounts, because people simply cannot recall the answers when needed. According to Google's study, 40% of US-based users could not remember the secret answers they had set in the unfortunate event of a forgotten password. Unfortunately, secret answers are not easy to change either, which leaves users no other choice than to contact customer support.

What can I do to strengthen my account’s security?

Your ordinary password security is what you should pay attention to in the first place to improve your accounts' safety. To be more specific, you must set a secure password of sufficient length (no fewer than 14 characters) consisting of a mix of upper/lower-case letters, numbers, symbols, and special characters (if possible) for your account. Additionally, if you are about to create an account on a website that still uses security questions, you should also make sure that your secret answer cannot be easily cracked.

First of all, your secret answer must not contain information other people know. Second, make sure the question you pick does not have a limited number of possible answers; for example, a favorite color from the traditional color palette is one of the best examples of a weak answer that hackers can easily guess. Third, you should choose a secret answer that contains letters and numbers or at least consists of several words. Keep in mind that it must not include any phone numbers, addresses, or birth dates. Last but not least, you should choose different questions and answers for different websites so that hackers cannot gain access to all your accounts if they ever crack one account's secret answer.
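The rules above can be turned into a policy check that a site (or a user) runs before accepting a secret answer. The following is an added example written for this article, not code from the Google study or from Cyclonis; the answer pool, regular expressions, the eight-character minimum, the three-word threshold and the sample inputs are constructed assumptions for illustration.

```python
import re

# Constructed pool of answers that the article describes as easy to exhaust by
# trial and error (the traditional color palette plus the "favorite food" winner).
COMMON_POOL_ANSWERS = {
    "red", "blue", "green", "yellow", "orange", "purple", "black", "white",
    "pink", "brown", "grey", "gray", "pizza",
}

# Heuristic patterns for the data the article says must never appear in an answer.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")           # 8+ digits with separators
DATE_RE = re.compile(r"\b\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b")
ADDRESS_RE = re.compile(
    r"\b\d{1,5}\s+\w+(?:\s+\w+)*\s+(?:st|street|ave|avenue|rd|road|blvd|lane|ln|dr|drive)\b",
    re.IGNORECASE,
)

MIN_LENGTH = 8      # assumption: shorter strings are trivially brute-forced
MIN_WORDS = 3       # assumption: "several words" is read as at least three


def normalize(answer: str) -> str:
    """Lower-case and collapse whitespace so comparisons ignore cosmetic differences."""
    return " ".join(answer.strip().lower().split())


def check_secret_answer(answer, known_personal_info=(), answers_used_elsewhere=()):
    """Evaluate a candidate secret answer against the article's rules.

    known_personal_info:     strings that are public about the user (e.g. surnames,
                             school names scraped from a social profile).
    answers_used_elsewhere:  answers the user already set on other sites.
    Returns a list of problems; an empty list means the answer passes every check.
    """
    problems = []
    norm = normalize(answer)

    if len(norm) < MIN_LENGTH:
        problems.append("too short")

    # Rule 2: answers drawn from a small, well-known pool are guessable by trial and error.
    if norm in COMMON_POOL_ANSWERS:
        problems.append("from a small common pool")

    # Rule 1: nothing that other people can look up.
    for item in known_personal_info:
        item_norm = normalize(item)
        if item_norm and item_norm in norm:
            problems.append("contains publicly known personal information")
            break

    # Rule 3b: no phone numbers, addresses or dates.
    if PHONE_RE.search(norm):
        problems.append("looks like a phone number")
    if DATE_RE.search(norm):
        problems.append("contains a date")
    if ADDRESS_RE.search(norm):
        problems.append("looks like a street address")

    # Rule 3a: letters and digits mixed, or a multi-word phrase.
    has_letters = any(c.isalpha() for c in norm)
    has_digits = any(c.isdigit() for c in norm)
    if not ((has_letters and has_digits) or len(norm.split()) >= MIN_WORDS):
        problems.append("needs letters and digits, or at least several words")

    # Rule 4: never reuse an answer across sites.
    if norm in {normalize(a) for a in answers_used_elsewhere}:
        problems.append("already used on another site")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["blue", "call me 555-123-4567", "velvet otter 42 moonlight"]:
        print(repr(candidate), "->", check_secret_answer(candidate) or "OK")
```

The checker is deliberately conservative: the regular expressions flag anything that resembles a phone number, date or street address, and the personal-information check does a plain substring match, so a surname or school name anywhere in the answer causes a rejection. A site would run it at enrollment time and reject the answer with the listed reasons rather than silently accepting a weak one.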

There is no need to set a weak security question/answer combination just because you fear that you will forget it. Needless to say, by doing so you will considerably lower your account's overall security, so we would recommend using a trusted password manager like Cyclonis Password Manager to keep the secret question/answer you set in a safe place. Specifically, you could keep it in a password-protected note created with the help of the password manager. Click here to find out how to do that.

All in all, accounts get hacked every day, and this is not going to change soon, so you must take care of your online security yourself. Improving your account's password security is what you should do in the first place. Additionally, since a weak security question and answer pair can give cybercriminals unauthorized access to your account, you must always use secret answers that outsiders could not guess to add an extra security layer. If possible, turn on two-factor authentication for your account as well.

August 20, 2018