Which Password Recovery Question Is Most Secure?

Answers to your questions about the news.
June 7 2012 5:30 PM

Your Pet’s Name vs. Where You Met Your Spouse

What password recovery question is most secure?

Security Questions for Hotmail.

A hacker claims to have accessed one of Mitt Romney’s personal email accounts on Tuesday by guessing the answer to the security question, “What is your favorite pet?” Sarah Palin’s email account was hacked in 2008 by an attacker who correctly guessed where the former Alaska governor met her husband (Wasilla High, of course). Which password recovery question should you choose to protect your account?

Your father’s middle name. That might not be the hardest question for a hacker to guess, but according to researchers at Microsoft and Carnegie Mellon University it has the advantage of being: 1) easy to remember for months or years; 2) relatively hard to find on the Internet; and 3) difficult for automated guessing programs to suss out. In 2009, the computer scientists tested these qualities in the password-recovery questions used by four leading webmail services (AOL, Google, Microsoft, and Yahoo!). “What is your father’s middle name?” performed well in the study, but wouldn't be so useful for celebrities like Palin and Romney, whose parents’ full names are widely available online. (Romney’s father’s middle name was Wilcken, and Palin’s father’s middle name is Richard.) The other top questions were: “What was your first phone number?,” “Who was your favorite teacher?,” and “Who is your favorite singer?”

Even the best password recovery questions can be pretty easy for cyber-intruders to answer. In the 2009 study, more than 40 percent of account-holders' acquaintances were able to guess the answers to “What is your pet’s name?,” “Where were you born?,” “Where did you grow up?,” and “What is your favorite sports team?” Anonymous hackers can improve their chances by figuring out where the account-holder lives—an elementary task in the age of social media.

Preference questions—e.g. "What is your favorite color?"—are more resistant to social media research, but might still be vulnerable to probabilistic guessing. You could guess almost anyone’s favorite color in four or five tries, and there aren’t that many professional sports teams in the United States. Preferences aren’t memorable, either. More than one in three participants forgot their answers to “Who was your childhood hero?” and “Who is your favorite historical person?” within a few months. Your favorite song, restaurant, or film can also change in the time it takes you to forget an email password.
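
As an added illustration (not part of the original article or the 2009 study), here is one way a service could score candidate questions by the share of accounts that fall to the five most popular answers. The answer lists below are constructed for the example, and the function names are hypothetical.

```python
import math
from collections import Counter

# Constructed sample answers (not data from the 2009 study): each list stands
# in for the answers a service might have collected for one recovery question.
SAMPLE_ANSWERS = {
    "favorite color": ["blue"] * 35 + ["red"] * 20 + ["green"] * 15
                      + ["purple"] * 12 + ["black"] * 8 + ["pink"] * 5
                      + ["orange"] * 3 + ["yellow"] * 2,
    "father's middle name": (["james", "john", "william"] * 4   # common names
                             + [f"name{i:02d}" for i in range(88)]),  # long tail
}

def normalize(answer):
    """Case and stray whitespace should not count as different answers."""
    return " ".join(answer.lower().split())

def guess_success(answers, tries):
    """Fraction of accounts opened by trying the `tries` most popular answers."""
    counts = Counter(normalize(a) for a in answers)
    hits = sum(n for _, n in counts.most_common(tries))
    return hits / len(answers)

def min_entropy_bits(answers):
    """-log2 of the most common answer's share: the best single guess."""
    counts = Counter(normalize(a) for a in answers)
    return -math.log2(counts.most_common(1)[0][1] / len(answers))

def report(tries=5):
    """Score every sample question: (share guessed in `tries`, min-entropy)."""
    return {q: (guess_success(a, tries), min_entropy_bits(a))
            for q, a in SAMPLE_ANSWERS.items()}

if __name__ == "__main__":
    for question, (rate, bits) in report().items():
        print(f"{question:22s} {rate:4.0%} guessed in 5 tries, "
              f"{bits:.1f} bits min-entropy")
```

On this constructed data the color question gives up nine accounts in ten within five guesses, which is why a service that keeps such a question needs a strict limit on recovery attempts.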

You might be tempted to use a nonsense answer to throw hackers off. (Q: What is your favorite town? A: Asparagus.) This is a bad idea. You choose a security question when you set up an account, and likely won’t think about it again for months or years. Most people forget silly answers in that time. Certain email systems allow users to write their own questions instead, but these have their own problems. Internet users aren’t very imaginative and tend to fall back on the same old questions, like “What was your first car?” A few participants asked to generate their own questions for the 2009 study picked binaries, like “water or pop?” or asked questions that were easily guessed within five tries, such as “What is my blood type?” or “Who should the next president be?” Some people, apparently unaware that anyone could view the question, revealed personal information (e.g. “What is my sobriety date?”).

Explainer thanks Serge Egelman of UC-Berkeley.

Brian Palmer is Slate's chief explainer. He also writes How and Why and Ecologic for the Washington Post. Email him at explainerbrian@gmail.com.