Between utility bills, Netflix subscriptions, social media and other online accounts, it's easy to forget a username or password or two. So, users can often reset their passwords by answering security questions based on personal information like a favorite teacher's name -- but a new Google study says that method isn't so secure.
Stanford University's Joseph Bonneau teamed up with four Googlers to look at "millions" of password-recovery attempts, according to the study, which the blog TechCrunch first spotted Thursday morning.
Their conclusion: "Secret questions generally offer a security level that is far lower than user-chosen passwords." In fact, the team sees them as "neither secure nor reliable enough" to be a standalone way of recovering account information.
The problem is twofold: People either can't remember their security-question responses (37 percent of users said they entered "fake" answers in an attempt to make them harder to guess), or the answers to questions are so similar across users that they're easy for hackers to guess.
For example, an attacker has a 1 in 5 chance of guessing an English speaker's answer to "What is your favorite food?" on the first try. Within 10 guesses, attackers are able to guess 39 percent of Korean speakers' birthplaces.
It's possible to add questions that are more secure, but users have a hard time recalling the answers -- for example, only 9 percent of people in the Google study were able to remember their frequent flyer numbers.
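To make the guess-rate figures above concrete, here is an added example (not from the study or the article) that scores a question's answer distribution the way such a study would: the fraction of accounts an attacker who simply tries the k most common answers first would get into, next to the Shannon entropy people usually quote. The answer lists are constructed, not real user data, and recall rates are not modelled.

```python
from collections import Counter
from math import log2

# Constructed sample answers (NOT the study's data): a skewed
# "favorite food" distribution beside one where every answer is unique.
FAVORITE_FOOD = (
    ["pizza"] * 20 + ["sushi"] * 10 + ["tacos"] * 8 + ["pasta"] * 7
    + ["curry"] * 5 + ["steak"] * 4 + ["salad"] * 3 + ["ramen"] * 3
    + [f"dish{i}" for i in range(40)]  # 40 users with one-off answers
)
FREQUENT_FLYER = [f"FF{i:06d}" for i in range(100)]  # all distinct


def guess_success_rate(answers, k):
    """Fraction of accounts compromised within k guesses by an attacker
    who knows only the population's answer distribution and tries the
    k most common answers first (the beta-success-rate metric)."""
    counts = Counter(answers)
    top_k = sum(c for _, c in counts.most_common(k))
    return top_k / len(answers)


def shannon_entropy_bits(answers):
    """Shannon entropy of the answer distribution. It overstates
    strength when a few answers dominate, which is why the k-guess
    rate is the better measure of online-guessing resistance."""
    n = len(answers)
    return -sum(c / n * log2(c / n) for c in Counter(answers).values())


def assess(question, answers, ks=(1, 3, 10)):
    """Summarise one question's resistance to online guessing."""
    return {
        "question": question,
        "entropy_bits": round(shannon_entropy_bits(answers), 2),
        **{f"within_{k}": round(guess_success_rate(answers, k), 2)
           for k in ks},
    }


if __name__ == "__main__":
    for q, a in (("favorite food", FAVORITE_FOOD),
                 ("frequent flyer number", FREQUENT_FLYER)):
        print(assess(q, a))
```

A question whose top answer alone covers 20 percent of users (as in the constructed food sample) falls to the first guess one time in five, while the unique-answer question resists guessing but, as the article notes, is the kind users cannot recall.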
Instead, Bonneau and the Googlers advocate for text-message and email-based account recovery, which have a higher chance of success. But the researchers conceded those methods aren't foolproof -- for example, if someone is traveling overseas they may not be able to receive a text message.
And so, the password problem continues.