Backup-authentication schemes should have two important characteristics, Schechter says. They should be reliable, allowing a legitimate user to regain access to his or her account, and they should be secure, preventing unauthorized users from gaining access.
The study found that secret questions fall short on both counts. Even for the most memorable questions–Yahoo’s, as it turned out–the participants forgot 16 percent of the answers within three to six months. Overall, one out of every five people forgot all of the answers to their secret questions, the researchers found.
“People tend to underestimate the likelihood of their forgetting some clever technique or glib answer,” Schechter says.
For most of a decade, security expert Bruce Schneier has criticized secret questions for their vulnerability to attack. In 2005, Schneier wrote, “I like to think that if I forget my password, it should be really hard to gain access to my account. I want it to be so hard that an attacker can’t possibly do it.”
Yet companies focused on reducing customer-service costs have introduced a back door into people’s accounts that is easier to circumvent than attempting to guess the password, he says. “The weird security thing that is being done is that there is a backup system to reset your password that is less secure than the system that it’s intended to support,” Schneier says.
Schechter agrees that researchers will have to find a completely different mechanism for backup authentication–secret questions just don’t cut it. “We would eventually like to see these questions go away,” he says. “Unfortunately, since we didn’t find many questions that were conclusively good, it’s hard to recommend simply changing questions.”
Schechter recommends not choosing questions that may have common answers. Schneier goes further and says that he frequently just types in a random answer; if he needs to retrieve a password, he says, he will call the company.
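As an added illustration (not code from the article or the study), the following screens a candidate secret question against Schechter's two criteria: how often an attacker trying the most popular answers would succeed, and how often legitimate users still recall their own answer. The answer samples, recall rates and thresholds are constructed assumptions for this example.

```python
from collections import Counter

# Constructed sample: answers a user population gave to three candidate
# questions (made up for this example, not data from the study).
SAMPLE_ANSWERS = {
    "favorite food": ["Pizza"] * 30 + ["sushi"] * 15 + ["tacos"] * 10
                     + ["kale"] * 3 + ["borscht"] * 2,
    "first pet": ["Max", "max", "MAX", "Max "] + ["bella"] * 3 + ["rex"] * 2
                 + [f"pet{i}" for i in range(51)],
    "user-written question": [f"unique-{i}" for i in range(100)],
}

# Constructed recall rates: share of users who reproduced their own answer
# months later (assumed values, not the study's figures).
SAMPLE_RECALL = {"favorite food": 0.90, "first pet": 0.70,
                 "user-written question": 0.85}


def guess_success_rate(answers, k):
    """Share of users an attacker defeats by trying the k most common
    answers. Answers are normalized the way a lenient reset form would
    compare them (case-insensitive, surrounding whitespace ignored)."""
    normalized = [a.strip().lower() for a in answers]
    counts = Counter(normalized)
    top_k = sum(count for _, count in counts.most_common(k))
    return top_k / len(normalized)


def evaluate_question(answers, recall_rate, k=3,
                      max_guess_rate=0.05, min_recall=0.80):
    """Apply both criteria: secure (few users fall to k popular guesses)
    and reliable (most users still remember their answer).
    The thresholds are assumed policy values for this example."""
    guess_rate = guess_success_rate(answers, k)
    return {
        "guess_rate": guess_rate,
        "recall_rate": recall_rate,
        "secure": guess_rate <= max_guess_rate,
        "reliable": recall_rate >= min_recall,
    }


def acceptable_questions(samples, recalls):
    """Return the names of questions that pass on both counts."""
    return [name for name, answers in samples.items()
            if all(evaluate_question(answers, recalls[name])[key]
                   for key in ("secure", "reliable"))]
```

Run against the constructed sample, the two conventional questions fail on security (the three most popular answers cover most users), while only the question with unique answers passes both checks.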
Green, whose secret question asked the name of his high school, plans to use more secure e-mail in the future. And that may mean forgoing password retrieval. “Being able to reset my password on the site is nifty if I forget my password, but it sucks if someone else manages to figure out how to do it without my permission,” he says.