Which Password Recovery Question Is Most Secure?

Answers to your questions about the news.
June 7 2012 5:30 PM

Your Pet’s Name vs. Where You Met Your Spouse

What password recovery question is most secure?

Security Questions for Hotmail.

A hacker claims to have accessed one of Mitt Romney’s personal email accounts on Tuesday by guessing the answer to the security question, “What is your favorite pet?” Sarah Palin’s email account was hacked in 2008 by an attacker who correctly guessed where the former Alaska governor met her husband (Wasilla High, of course). Which password recovery question should you choose to protect your account?

Your father’s middle name. That might not be the hardest question for a hacker to guess, but according to researchers at Microsoft and Carnegie Mellon University it has the advantage of being: 1) easy to remember for months or years; 2) relatively hard to find on the Internet; and 3) difficult for automated guessing programs to suss out. In 2009, the computer scientists tested these qualities in the password-recovery questions used by four leading webmail services (AOL, Google, Microsoft, and Yahoo!). “What is your father’s middle name?” performed well in the study, but wouldn’t be so useful for celebrities like Palin and Romney, whose parents’ full names are widely available online. (Romney’s father’s middle name was Wilcken, and Palin’s father’s middle name is Richard.) The other top questions were: “What was your first phone number?,” “Who was your favorite teacher?,” and “Who is your favorite singer?”

Even the best password recovery questions can be pretty easy for cyber-intruders to answer. In the 2009 study, more than 40 percent of account-holders' acquaintances were able to guess the answers to “What is your pet’s name?,” “Where were you born?,” “Where did you grow up?,” and “What is your favorite sports team?” Anonymous hackers can improve their chances by figuring out where the account-holder lives—an elementary task in the age of social media.

Preference questions—e.g. "What is your favorite color?"—are more resistant to social media research, but might still be vulnerable to probabilistic guessing. You could guess almost anyone’s favorite color in four or five tries, and there aren’t that many professional sports teams in the United States. Preferences aren’t memorable, either. More than one in three participants forgot their answers to “Who was your childhood hero?” and “Who is your favorite historical person?” within a few months. Your favorite song, restaurant, or film can also change in the time it takes you to forget an email password.

You might be tempted to use a nonsense answer to throw hackers off. (Q: What is your favorite town? A: Asparagus.) This is a bad idea. You choose a security question when you set up an account, and likely won’t think about it again for months or years. Most people forget silly answers in that time. Certain email systems allow users to write their own questions instead, but these have their own problems. Internet users aren’t very imaginative and tend to fall back on the same old questions, like “What was your first car?” A few participants asked to generate their own questions for the 2009 study picked binaries, like “water or pop?” or asked questions that were easily guessed within five tries, such as “What is my blood type?” or “Who should the next president be?” Some people, apparently unaware that anyone could view the question, revealed personal information (e.g. “What is my sobriety date?”).
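As an added example (not from the article or the 2009 study), the following Python scores a recovery question the way the researchers did, by how much of a population the top few guesses cover, using constructed, hypothetical answer samples in place of real survey data:

```python
# Added example: estimates how guessable a recovery question is from a
# sample of answers, scoring it by success within a fixed number of guesses.
from collections import Counter
import math

# Constructed, hypothetical answer samples (100 respondents per question).
SAMPLE_ANSWERS = {
    "favorite color": ["blue"] * 35 + ["green"] * 15 + ["red"] * 14
                      + ["purple"] * 12 + ["black"] * 8 + ["yellow"] * 6
                      + ["orange"] * 5 + ["pink"] * 5,
    "water or pop?": ["water"] * 62 + ["pop"] * 38,
    "father's middle name": ["james"] * 4 + ["john"] * 3
                            + [f"name{i}" for i in range(93)],
}


def _normalize(answers):
    """Case- and whitespace-insensitive counts, as a recovery form compares them."""
    return Counter(a.strip().lower() for a in answers)


def guess_success_rate(answers, tries):
    """Fraction of respondents unlocked within `tries` attempts by someone
    guessing blind from population statistics (most common answers first)."""
    counts = _normalize(answers)
    covered = sum(c for _, c in counts.most_common(tries))
    return covered / len(answers)


def min_entropy_bits(answers):
    """Bits of protection against a single best guess: -log2(share of top answer)."""
    counts = _normalize(answers)
    return -math.log2(max(counts.values()) / len(answers))


def guesses_to_cover(answers, target):
    """Smallest number of guesses that covers at least `target` of respondents."""
    counts = _normalize(answers)
    covered = 0
    for rank, (_, c) in enumerate(counts.most_common(), start=1):
        covered += c
        if covered / len(answers) >= target:
            return rank
    return len(counts)


if __name__ == "__main__":
    for question, answers in SAMPLE_ANSWERS.items():
        print(f"{question:22s} 5-guess success {guess_success_rate(answers, 5):.0%}, "
              f"min-entropy {min_entropy_bits(answers):.1f} bits")
```

On these samples the binary question falls to two guesses and the colour question to five, while the flat name distribution needs dozens of guesses to cover half the respondents.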

Got a question about today’s news? Ask the Explainer.

Explainer thanks Serge Egelman of UC-Berkeley.
