Do security questions subvert passwords?

The manner in which security questions are used by a site determines whether they undermine the supposedly stronger authentication mechanism (of using good passwords).

Typically, systems that allow access to users after they've answered a security question are weaker than systems that would communicate a (temporary) password to the user via a (different and secure) channel. The previous statement conveys a best practice, and certain systems need not implement all of it; some systems would provide a new password (which need not be changed by a user), and there are other systems that would communicate the password via an insecure channel.

Filling a security question with random characters is not necessarily a good approach (although it is better than having a smaller answer with low entropy), for it would make it difficult to remember, resulting in a potential lock-out scenario (from where there is often no point of recovery). It should be remembered that security questions are often not changed periodically, unlike passwords. The answer therefore depends on how well the answer is protected (both by the user and the system), how public the answer actually is, and how frequently the question (and answer) can be changed.

Reading this related StackOverflow question is recommended, for the answers discuss out-of-band communication, amongst other issues like the potential lock-out scenario.
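The out-of-band recovery flow this answer recommends, as an added illustration that is not code from the original answer or from any particular site: a random temporary credential is minted, stored only as a hash, delivered over a separate channel (e-mail or SMS, assumed here to be outside the attacker's control), expires after a short window, is voided after a handful of wrong presentations, and can be redeemed exactly once, and the only thing redeeming it buys is the right to set a new password. The class and function names, the 15-minute window and the attempt budget are choices made for this example, not anything the answer specifies.

```python
"""Out-of-band recovery credential: random, hashed at rest, expiring, single-use."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # validity window for the out-of-band credential (example value)
MAX_ATTEMPTS = 5              # wrong presentations tolerated before the credential is voided
PBKDF2_ROUNDS = 200_000


class Clock:
    """Injectable clock so expiry can be exercised without sleeping."""
    def __init__(self, now=None):
        self.now = time.time() if now is None else now


class RecoveryStore:
    def __init__(self, clock=None):
        self.clock = clock or Clock()
        self._pending = {}   # user_id -> [token_hash, expires_at, attempts_left]

    @staticmethod
    def _digest(token):
        # Store only a hash, so reading the table does not yield a usable credential.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Mint a fresh credential. The caller sends the returned string over a
        channel the attacker is assumed not to control; it is never stored in clear."""
        token = secrets.token_urlsafe(32)   # 256 bits of randomness: nothing to guess or look up
        self._pending[user_id] = [self._digest(token),
                                  self.clock.now + TOKEN_TTL_SECONDS,
                                  MAX_ATTEMPTS]
        return token

    def redeem(self, user_id, presented):
        """True exactly once, only inside the time window and the attempt budget."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        token_hash, expires_at, attempts_left = entry
        if self.clock.now > expires_at or attempts_left <= 0:
            del self._pending[user_id]
            return False
        if not hmac.compare_digest(token_hash, self._digest(presented)):
            entry[2] -= 1                 # burn one attempt; void after the last one
            if entry[2] == 0:
                del self._pending[user_id]
            return False
        del self._pending[user_id]        # single use: a replayed credential is worthless
        return True


class UserStore:
    """Passwords kept as salted PBKDF2 hashes. The recovery token never becomes a password."""
    def __init__(self):
        self._creds = {}

    def set_password(self, user_id, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
        self._creds[user_id] = (salt, digest)

    def check_password(self, user_id, password):
        record = self._creds.get(user_id)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, candidate)


def complete_recovery(recovery, users, user_id, presented_token, new_password):
    """Recovery path: a valid out-of-band credential buys exactly one thing,
    the right to set a new password. It never grants a session by itself."""
    if not recovery.redeem(user_id, presented_token):
        return False
    users.set_password(user_id, new_password)
    return True


if __name__ == "__main__":
    clock = Clock(now=1_000_000.0)
    recovery, users = RecoveryStore(clock), UserStore()
    users.set_password("alice", "old-password")
    token = recovery.issue("alice")          # would be sent out-of-band
    print("wrong token:", complete_recovery(recovery, users, "alice", "guess", "x"))
    print("right token:", complete_recovery(recovery, users, "alice", token, "new-password"))
    print("replayed:   ", recovery.redeem("alice", token))
```

Contrast this with a question-based gate: the "credential" there is a low-entropy word chosen years ago that the attacker may be able to look up, and nothing in the design forces it to be fresh, single-use or time-limited.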


Yes.

A better name for these "security" questions would be "convenience questions". They are an alternate way of accessing the same account, bypassing the password. Since answers to such questions are typically composed of existing words, they are the perfect target for dictionary attacks, or even just plain guessing. Things get even worse when the attacker has some personal details already.

The best you can do if you have to subscribe to something that presents a "security question" (and makes it mandatory) is indeed to just enter a really long sequence of garbage characters.


A 2015 study based on Google's deployment of personal knowledge questions contains a lot of evidence for the many problems with them: Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google

Some findings:

  • secret questions generally offer a security level that is far lower than user-chosen passwords
  • a significant fraction of users (37%) who admitted to providing fake answers did so in an attempt to make them "harder to guess" although on aggregate this behavior had the opposite effect as people "harden" their answers in a predictable way
  • secret answers have surprisingly poor memorability, with a success rate of 60%, vs 80% for SMS reset codes
  • questions that are potentially the most secure (e.g what is your first phone number) are also the ones with the worst memorability

They conclude that

it appears next to impossible to find secret questions that are both secure and memorable. Secret questions continue to have some use when combined with other signals, but they should not be used alone and best practice should favor more reliable alternatives.
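The two preceding answers make the same quantitative point from different angles: answers drawn from a small pool of real words fall to a short dictionary of the most common values, and the "hardening" users apply (a digit or a punctuation mark tacked on) is predictable enough to be folded into the attacker's guess list. The simulation below is an added example, not code or data from either answer or from the Google study; the 1,000-account population, its Zipf-shaped skew towards popular pet names, the 37 % hardening fraction (taken from the study's figure above) and the suffix list are all constructed for this illustration.

```python
"""Guessing attack against personal-knowledge answers versus random answers."""
import math
import random
import secrets
import string
from collections import Counter

# Constructed answer pool for "What was the name of your first pet?" (toy data).
PET_NAMES = ["max", "bella", "buddy", "charlie", "lucy", "daisy", "rocky", "molly",
             "bailey", "jack", "sadie", "toby", "coco", "ginger", "lola", "oscar",
             "sam", "sophie", "tiger", "shadow", "smokey", "fluffy", "princess",
             "oreo", "pepper", "rex", "roxy", "bear", "duke", "zoe"]
HARDENING_SUFFIXES = ["1", "123", "!", "2000"]   # assumed 'make it harder' habits


def constructed_population(n_accounts, rng, harden_fraction=0.0):
    """Draw answers with weight 1/rank (Zipf-like skew, as real answers cluster).
    A fraction of users 'harden' their answer with a predictable suffix."""
    weights = [1.0 / (rank + 1) for rank in range(len(PET_NAMES))]
    answers = rng.choices(PET_NAMES, weights=weights, k=n_accounts)
    return [a + rng.choice(HARDENING_SUFFIXES) if rng.random() < harden_fraction else a
            for a in answers]


def attacker_dictionary(mangle=False):
    """Ordered guess list: most popular names first (the ranking is public),
    optionally followed by the same names with the usual suffixes applied."""
    guesses = list(PET_NAMES)
    if mangle:
        for name in PET_NAMES:
            guesses.extend(name + s for s in HARDENING_SUFFIXES)
    return guesses


def fraction_compromised(answers, guesses, budget):
    """Online attack: the attacker gets `budget` guesses per account, which is
    whatever the site's rate limiter tolerates before locking the account."""
    tried = set(guesses[:budget])
    hits = sum(1 for a in answers if a.lower() in tried)
    return hits / len(answers)


def shannon_entropy_bits(answers):
    """Entropy of the observed answer distribution; an optimistic upper bound
    on the work a guesser faces (real attackers do better than this)."""
    counts = Counter(answers)
    n = len(answers)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def random_answers(n, length=32):
    """The 'garbage characters' strategy: answers with no words to guess at."""
    alphabet = string.ascii_letters + string.digits
    return ["".join(secrets.choice(alphabet) for _ in range(length)) for _ in range(n)]


if __name__ == "__main__":
    rng = random.Random(42)
    honest = constructed_population(1000, rng)
    hardened = constructed_population(1000, rng, harden_fraction=0.37)
    print("entropy of honest answers (bits):", round(shannon_entropy_bits(honest), 2))
    print("10 guesses, honest answers:  ", fraction_compromised(honest, attacker_dictionary(), 10))
    print("10 guesses, hardened answers:", fraction_compromised(hardened, attacker_dictionary(), 10))
    print("150 guesses with mangling, hardened:",
          fraction_compromised(hardened, attacker_dictionary(mangle=True), 150))
    print("150 guesses, random answers:",
          fraction_compromised(random_answers(1000), attacker_dictionary(mangle=True), 150))
```

With this constructed skew the ten most popular names alone cover roughly three quarters of the honest population, the suffix trick buys the hardened users nothing once the attacker adds four mangling rules, and the random answers are untouched by any dictionary; the price of that last option is the memorability problem both earlier answers warn about.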