Friday 22 May 2015

Google: Loopholes in Using Secret Questions


Using only a secret question to reset a forgotten password is unsafe and should be avoided, Google states on the basis of its own research (pdf). Many sites still use the secret question as a way for users to regain access to their account if they have forgotten their login details. The problem with the secret question is that attackers can try to guess the answer and thereby reset the password.

Thus, for the secret question "what is your favorite meal", an attacker has a 19.7% chance of guessing the answer of English-speaking users in one attempt. The answer is "pizza". With ten attempts, an attacker has a 24% chance of answering the question "what is the name of your first teacher" for Arabic-speaking users. With the same number of attempts, an attacker has a 21% chance of answering the question for Spanish speakers, "What is your father's middle name". In the case of Koreans, ten attempts give a success rate of 39% on the question "what city were you born" and 43% on the question of what the favorite food is.
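An added example, not taken from Google's paper or from the original post: a defender-side audit that computes, for each secret question a site offers, the fraction of accounts whose answer is among the k most common answers, which is the kind of figure quoted above. The question texts, the sample answers and the 25% threshold are constructed assumptions, and the audit assumes the site can compare stored answers for equality.

```python
from collections import Counter

# Constructed sample data: question -> answers as users typed them.
SAMPLE = {
    "What is your favorite meal?": [
        "Pizza", "pizza ", "PIZZA", "pizza", "pasta",
        "pasta", "sushi", "steak", "tacos", "curry",
    ],
    "What is your frequent flyer number?": [
        "12345678", "12345678", "00000000", "48291735", "90317264",
        "55102938", "73920184", "61827405", "20495816", "39581720",
    ],
}

def normalize(answer):
    """Fold case and whitespace so 'Pizza ' and 'pizza' count as one answer."""
    return " ".join(answer.casefold().split())

def guess_success_rate(answers, attempts):
    """Fraction of accounts covered by the `attempts` most common answers."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    if total == 0 or attempts <= 0:
        return 0.0
    covered = sum(n for _, n in counts.most_common(attempts))
    return covered / total

def audit_questions(answers_by_question, attempts, max_rate):
    """Return {question: rate} for questions whose rate exceeds max_rate."""
    flagged = {}
    for question, answers in answers_by_question.items():
        rate = guess_success_rate(answers, attempts)
        if rate > max_rate:
            flagged[question] = rate
    return flagged

if __name__ == "__main__":
    # attempts should match the reset form's lockout limit (assumed 1 and 3 here).
    for k in (1, 3):
        for question, answers in SAMPLE.items():
            print(f"k={k} {guess_success_rate(answers, k):.0%} {question}")
    print("flagged:", audit_questions(SAMPLE, attempts=1, max_rate=0.25))
```

Setting `attempts` to the number of tries the reset form allows before lockout shows the exposure that rate limiting alone leaves behind.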


The research also showed that many users had identical answers to secret questions that are believed to be very safe, such as "what is your phone number" and "what is your airmiles number". In this case it was found that 37% of people intentionally fill in wrong information, on the idea that this makes the answer more difficult to guess. The research, for which Google analyzed hundreds of millions of secret questions and answers, also shows that 40% of English-speaking users no longer know the answer to their secret question when they have to fill it in.

Unfit

According to the researchers, the study shows that the secret question really is unfit for resetting passwords, and that websites as well as users should think carefully about whether they want to use secret questions. Google says that the secret question should not be used as a standalone way to reset passwords. Furthermore, website owners should use other authentication methods, such as SMS codes or a second email address. "That is both safer and easier to use," concludes Elie Bursztein of Google.
