Which Password Recovery Question Is Most Secure?

Answers to your questions about the news.
June 7 2012 5:30 PM

Your Pet’s Name vs. Where You Met Your Spouse

What password recovery question is most secure?

Security Questions for Hotmail.
Security Questions for Hotmail.

A hacker claims to have accessed one of Mitt Romney’s personal email accounts on Tuesday by guessing the answer to the security question, “What is your favorite pet?” Sarah Palin’s email account was hacked in 2008 by an attacker who correctly guessed where the former Alaska governor met her husband (Wasilla High, of course). Which password recovery question should you choose to protect your account?

Your father’s middle name. That might not be the hardest question for a hacker to guess, but according to researchers at Microsoft and Carnegie Mellon University it has the advantage of being: 1) easy to remember for months or years; 2) relatively hard to find on the Internet; and 3) difficult for automated guessing programs to suss out. In 2009, the computer scientists tested these qualities in the password-recovery questions used by four leading webmail services (AOL, Google, Microsoft, and Yahoo!). “What is your father’s middle name?” performed well in the study, but wouldn't be so useful for celebrities like Palin and Romney, whose parents’ full names are widely available online. (Romney’s father’s middle name was Wilcken, and Palin’s father’s middle name is Richard.) The other top questions were:  “What was your first phone number?,” “Who was your favorite teacher,” and “Who is your favorite singer?”

Even the best password recovery questions can be pretty easy for cyber-intruders to answer. In the 2009 study, more than 40 percent of account-holders' acquaintances were able to guess the answers to “What is your pet’s name?,” “Where were you born?,” “Where did you grow up?,” and “What is your favorite sports team?” Anonymous hackers can improve their chances by figuring out where the account-holder lives—an elementary task in the age of social media.

Preference questions—e.g. "What is your favorite color?"—are more resistant to social media research, but might still be vulnerable to probabilistic guessing. You could guess almost anyone’s favorite color in four or five tries, and there aren’t that many professional sports teams in the United States. Preferences aren’t memorable, either. More than one in three participants forgot their answers to “Who was your childhood hero?” and “Who is your favorite historical person?” within a few months. Your favorite song, restaurant, or film can also change in the time it takes you to forget an email password.

You might be tempted to use a nonsense answer to throw hackers off. (Q: What is your favorite town? A: Asparagus.) This is a bad idea. You choose a security question when you set up an account, and likely won’t think about it again for months or years. Most people forget silly answers in that time. Certain email systems allow users to write their own questions instead, but these have their own problems. Internet users aren’t very imaginative and tend to fall back on the same old questions, like “What was your first car?” A few participants asked to generate their own questions for the 2009 study picked binaries, like “water or pop?” or asked questions that were easily guessed within five tries, such as “What is my blood type?” or “Who should the next president be?” Some people, apparently unaware that anyone could view the question, revealed personal information (e.g. “What is my sobriety date?”).

Got a question about today’s news? Ask the Explainer.

Explainer thanks Serge Egelman of UC-Berkeley.


Medical Examiner

Here’s Where We Stand With Ebola

Even experienced international disaster responders are shocked at how bad it’s gotten.

Why Are Lighter-Skinned Latinos and Asians More Likely to Vote Republican?

A Woman Who Escaped the Extreme Babymaking Christian Fundamentalism of Quiverfull

The XX Factor
Sept. 22 2014 12:29 PM A Woman Who Escaped the Extreme Babymaking Christian Fundamentalism of Quiverfull

Subprime Loans Are Back

And believe it or not, that’s a good thing.

It Is Very Stupid to Compare Hope Solo to Ray Rice

Building a Better Workplace

In Defense of HR

Startups and small businesses shouldn’t skip over a human resources department.

How Ted Cruz and Scott Brown Misunderstand What It Means to Be an American Citizen

Divestment Is Fine but Mostly Symbolic. There’s a Better Way for Universities to Fight Climate Change.

  News & Politics
Sept. 22 2014 6:30 PM What Does It Mean to Be an American? Ted Cruz and Scott Brown think it’s about ideology. It’s really about culture.
Sept. 22 2014 5:38 PM Apple Won't Shut Down Beats Music After All (But Will Probably Rename It)
Sept. 22 2014 4:45 PM Why Can’t the Census Count Gay Couples Accurately?
  Double X
The XX Factor
Sept. 22 2014 7:43 PM Emma Watson Threatened With Nude Photo Leak for Speaking Out About Women's Equality
  Slate Plus
Slate Plus
Sept. 22 2014 1:52 PM Tell Us What You Think About Slate Plus Help us improve our new membership program.
Brow Beat
Sept. 22 2014 9:17 PM Trent Reznor’s Gone Girl Soundtrack Sounds Like an Eerie, Innovative Success
Future Tense
Sept. 22 2014 6:27 PM Should We All Be Learning How to Type in Virtual Reality?
  Health & Science
Medical Examiner
Sept. 22 2014 4:34 PM Here’s Where We Stand With Ebola Even experienced international disaster responders are shocked at how bad it’s gotten.
Sports Nut
Sept. 18 2014 11:42 AM Grandmaster Clash One of the most amazing feats in chess history just happened, and no one noticed.