Google publishes a question that gives question marks on the safety and convenience of "secret question"

ByVal.pearl

There are many "secret question" prepared only by the person of the person who knows the answer only in case of forgetting the password by google service such as google and there are not many who set the answer seriously , Google independently analyzed the enormous amount of data, which resulted in the question of a question mark on the safety against this "secret question".

New research: Question on "secret question" - Google Developer Japan Blog
http://googledevjp.blogspot.jp/2015/07/blog-post_8.html

"Secret question" is like insurance for when you forget your password, so many people have set simple answers. However, the simpler the answer is, the more general awareness or the more easily acquired it is. For example, in English-speaking users, if you set the answer to the question "What is your favorite food?" As "pizza", there is also a 19.7% chance of getting answered at once.


Then, the probability that the answer is hit 10 times instead of 1 time is that the probability that the answer to the question "Are you the first teacher?" For the user in the Arabic-speaking area is 24%. The probability of being given the answer of "Dad's middle name?" Set by the Spanish speaking user is 21%, and the probability of getting hit if the Korean-speaking user's "What was born city?" Is 39% There is. In other words, if the answer options are limited, there is a possibility that the "secret question" will be broken.


Also, Google's survey shows that 37% of users answer secret questions, who set answers to lie that is different from the actual one. Although it seems to set the answer of the lie to make it difficult to guess the answer, in fact it is likely that the answer of the lie tends to be the same answer as other users, and that the probability of being illegally logged is rather high .


On the contrary, if you answer "secret questions" difficult, what will be more likely to be forgotten by the user this time. For example, in the case of English-speaking users, 40% of the users have forgotten the answer to the secret question. However, 80% of the 40% of users who forgot the answer of "secret question" can remember the simple code for resetting the password received by SMS of the mobile phone It was. In other words, simple words and codes are hard to forget, but they tend to forget to become difficult words and chords.


With 22% and 9% of the total users who could properly remember the answers to the question "What is the number on the library card" and "What is the mileage number?", It is difficult to use difficult answers I understand well.


If there are risks for simple answers and difficult answers, there is a way to increase the number of questions and answers. If you have to answer two questions with 79% of the probability that the user can remember the answer, "Which city was born?" And 74% "What is your middle name?"


It turns out that the probability that the user recalls both answers falls to 59%. Although the probability that a hacker can correctly answer both questions in ten times is quite low as 1%, the probability that the user can remember the answer is also lower, it seems that it can not be said that the balance between security and convenience can not be said to be balanced .


Based on the results of this survey, Google clearly states the countermeasure "You should keep the information for recovering accounts including secret questions and answers all the time up to date". Other than that2 step verificationThere is also a way to strengthen the security of accounts such as, so it would also be nice to try people who want to prevent unauthorized logins.