Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google
What was your mother’s maiden name?
What was your city of birth?
What was the name of your first school?
I don’t know about you, but I always groan inwardly when a website asks such personal knowledge questions as part of their account password recovery process. Now Google have done the analysis for us by examining hundreds of millions of secret answers to such questions, and millions of account recovery claims. The data is really interesting, and confirms that yes, using personal knowledge questions for account recovery is not a great idea. As a result of this study, Google have de-emphasised the use of personal knowledge questions in their account recovery processes.
The study looks at vulnerability to online guessing attacks, where given that you have n guesses, λn represents the probability that you can guess the answer (ignoring any social engineering attacks etc.), and offline attacks where the attacker has gained access to the hashed answer database. Here the paper uses a metric G~α which captures the equivalent number of bits of information that would give the attacker an α probability of compromising a random user’s account.
Name-based questions turn out to have about equivalent security to a user-chosen PIN (much lower than passwords). Numeric questions, such as ‘what was your first phone number?’ do much better, but as we’ll see later, tend not to be answered honestly which greatly reduces their effectiveness.
To crack passwords, one simple technique is to try common passwords (moving on to dictionary attacks etc.). For name-based questions, information on common names (and surnames) is readily available! For example, the authors crawled 100M names from a public distribution of Facebook users and compared them to the answers to the questions ‘What is your father’s middle name?’, ‘What was your first teacher’s name?’, and ‘What was your childhood best friend’s name?’
What about questions where public information isn’t so readily available? For example, how do you guess the answers to ‘What is your favourite food?’ Using a crowd-sourcing service, the authors asked 1000 users to answer the ‘Favourite Food’ and ‘Father’s middle name’ questions. This took less than a day and cost $100. The crowd sourced distribution is very effective at guessing answers!
Using a single guess it turns out, you have a 19.7% chance of guessing an English-speaking users’ answer to the favourite food. (And what is the declared favourite food of 20% of the English-speaking population? We’re not told sadly!).
Questions that are supposedly more secure due to the expectation that each user will have a different answer (e.g phone number) in practice don’t exhibit a flat distribution because people provide untruthful answers. As a result the security of these questions is significantly lower than hoped. For example with a single guess an ideal attacker would have a success rate of 4.2% at guessing English-speaking users’ answers to the question “Frequent flyer number?”
One of the arguments in favour of personal knowledge questions is that people find their answers easy to remember. The data suggests this isn’t true to the degree that you might expect:
- Questions that are potentially more secure have worse recall than unsafe questions (e.g. Father’s middle name vs First phone number).
- Answer memorability decreases significantly over time (e.g. Favourite food).
- People supply made-up answers (a survey the team conducted to ask why they do this found that many people do so thinking it will make their answer more memorable or harder to guess), but made-up answers have significantly worse memorability.
The truth is that SMS and e-mail based recovery have a significantly higher chance of success (81% for SMS, 75% for email vs 61% (US/English questions) to 44% (France/French questions).
To close, here’s a curiousity the authors uncover: the ability of users to remember answers to secret questions seems to vary significantly by culture. The tabloid newspaper headline for this study could be: “New Google Study shows that Brits have worse memories than Americans!” And France, what’s going on with father’s middle names??