A new study is suggesting that lying about security questions such as the user giving a fake name about the father's middle name can actually make it easier for cyber criminals to break into anyone's email account.
Researchers from Google examined the process of how hard to make an intelligent guess about personal knowledge derived from security questions that are often used as key tools in order to regain access if the user forgets the password.
However, what the researchers found out was a bit alarming. According to a peer viewed paper that was presented at the International Conference on the World Wide Web in Florence last week, their analysis confirmed that secret questions apparently do not offer a higher security level compared to user chosen passwords.
This lack of security is surprisingly rooted from users who do not provide truthful answers to secret questions according to researchers.
According to lead author of the study Joseph Bonneau, the most common fake answers are more predictable than the real, truthful answers especially surnames. He also adds that answers like "Don't have one" or even "I don't' know" were especially ineffective.
Due to this growing problem with fake answers, this study reveals that a smart cyber attacker can increase his chances by 4.2 percent in guessing the answer of an English speaking user to the question "Frequent filer number?" in a single guess.
Bonneau is also a post doctoral researcher at Stanford University where he claims that his team already had a sense that these security questions were not able to provide the utmost security that is why his team wanted to confirm and provide evidence on this paper on how insecure and unreliable these security questions are in reality.
Over the the course of five years, the team observed trends and examined how easy it is to guess the answers to security questions. Researchers also tried to determine the best security questions that can generate equally secure answers like producing a set of possible, hard to guess answers which are likewise memorable.
However, Bonneau says that unfortunately, Google was not able to manage to find a question and an answer that will fit well for both of those criteria.
Although this study only observed trends for Google accounts, Bonneau believes that these findings can also be applied to other accounts that utilizes security questions or uses a system of questions that are similar.
Bonneau advises to make you account secure by avoiding fake answers such as "I don't know" or "Don't have one". He also says that having a backup apart from those security questions such as a letting Google send a recovery code via mobile phone is more safe.