Using secret questions to recover passwords that we have forgotten is not as safe as it seems, according to a new Google study.
A whitepaper [PDF] called "Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google", which investigated the data of millions of users, concluded that this practice is not only ineffective but also endangers the security of accounts.
The idea seems quite reasonable: if someone has forgotten his password, he can recover it with a question whose answer only he is supposed to know.
The problem: most of us cannot remember the answer, because many times we have lied in our answers in the belief that this will make the system safer. Of course, at that moment we don't realize that we will forget the fake answer very quickly.
Another finding of the study: what we think is our favorite food today may have changed by the time we try to recover our password. If asked after a month, there is a 74% chance of remembering the answer. If asked after three months, the chance of remembering the answer is fifty-fifty.
So what's the best question to remember? The city of birth, according to Google employees, with a total success rate of 80.1%. The second best is your father's name.
But the researchers point out that these questions (and many more) are inherently unsafe, since it is quite easy for others to obtain this information if they have your name.
The study also presents some interesting statistics on how easy it can be to guess the answers. For example, with just 10 attempts one can correctly guess 39% of the answers to the city-of-birth question in Korea, as there are not many major cities in Korea.
Similarly, using your father's name is not so safe.
So what is the conclusion?
Two things:
First, we humans remain pretty stupid, while at the same time we think we are very smart.
Secondly, the best solution is to use SMS or e-mail to retrieve passwords, if it suits the company's goal (data collection).
"Secret questions can be used when combined with other measures," the study said.