Although it is widely known that authentication via ‘secret’ questions is weak, there is now statistical evidence to back that up. Microsoft Research and Carnegie Mellon University have conducted a study that measures how guessable the answers to ‘secret’ questions are. The researchers looked at the questions used by AOL, Google, Microsoft, and Yahoo! to authenticate users who need to reset a forgotten password, and also measured how well users remember their own answers. Acquaintances of the account holder guessed the correct answer 17 percent of the time.
An attacker does not need to know the account holder at all: 13% of answers could be guessed within five attempts by statistical guessing, that is, by trying the answers that are most popular among other users. Lists of favorite things are readily available on the Internet, and some questions have only a small set of plausible answers; there are not many favorite colors or high school classes to choose from. Questions with such a small answer space were the most vulnerable to statistical guessing attacks.
Users can deliberately pick answers that are hard to guess, but hard to guess often means hard to remember: within six months, participants had forgotten 20% of their own answers. Google’s ‘secret’ questions (primary frequent flyer number, library card number) were the most resistant to guessing attacks, and at the same time the most likely to be forgotten within three to six months.
Read the whole paper (PDF, 181 KB)