Online Security: Your 'Secret Answers' Are Too Easy to Guess

Ralph DeFrangesco

In a recent study by Microsoft and Carnegie Mellon University, researchers found that the answers to the secret questions we use on Web sites to verify and protect our identity are fairly easy to guess. In a study involving 130 people, 28 percent of the people the participants identified as trusted parties were able to guess the answers to the supposedly secret questions those participants use. Even people the participants did not trust had a 17 percent chance of guessing the correct answer. The research will be presented at the IEEE Symposium on Security and Privacy this week.


I think the problem goes much deeper. Here is a quick list of accounts that the average person could conceivably have:


  • Work login
  • Personal e-mail
  • LinkedIn
  • Facebook
  • Library account
  • Cell phone
  • Kids' school
  • Your school
  • Bank account
  • 401k account


Let's face it, there could be many more, and your situation may vary, but this is a good starting point. How do you remember the logins and passwords for all of these accounts? Do you write them down? Do you use the same login and password for all of them?


Most people do rely on those secret questions. I have to say that I am not a fan of the "canned" secret questions: when a site offers only a handful of questions, it increases an attacker's chances of guessing the correct answer, and a quick Internet search on most people could reveal information that an attacker could use against them. I think the sites that allow you to create your own secret questions are far better. I would like to hear your opinion: do you use the same questions for the majority of your accounts?


For more information on how to create better passwords, and how to create better password policies, see these documents available for download in the Knowledge Network:


Protecting Your Passwords

Enterprise Password Management Guide

Sample Password Policy

May 27, 2009 9:04 AM Someguy Someguy  says:

I agree these security questions and answers are not secure. Not only can they be guessed, but they are also vulnerable to phishing, keyloggers and man-in-the-middle attacks. These questions raise the bar, but are no match for profit-driven criminals whose occupation is stealing your money or identity. It's time for all online users to demand better security from sites that hold sensitive information, and I include email providers in that category. Many companies these days use email for security responses, password resets, etc., but the email providers (Yahoo!, Gmail, Hotmail, etc.) have poor security. If a hacker keylogs your bank login, what's the chance he has your Gmail login too? Demand stronger security!!

May 27, 2009 9:20 AM Fabrice Pati Fabrice Pati  says:

As an "experimented" web user, I would tend to agree that I could personally get more security from websites where I can choose my own secret questions.

However, as a security specialist, I would disagree with the statement that websites that offer this capability are far better.

Indeed, we figured out on several occasions that most "average" users (by average, I mean not "security"-educated) would use these personalised secret questions to store very simple questions. Worse, if the website does not apply any control on these questions, the user could store his password in the answer, or use the same word/sentence as question and answer (I have already seen both scenarios).

This is the reason why most financial companies choose not to use these custom questions. But the biggest challenge is definitely to provide your users with a comprehensive list of preset questions that will be:

- usable by most of your user community (not all of them are married or have children);

- not too obvious (questions whose answers can be found too easily are not secure, such as "Where were you born?");

- not too generic ("what is your favorite pet" will give "cat" for around 45%, "dog" for another 45%, and then 10% shared between other pets);

- immutable, because a user may not remember what was his "favorite song, movie or actor" at the time he set his answers!

Of course, with some education, people could provide more secure answers ("sea blue" instead of "blue" for "favorite colour" for instance). But again, average users have no idea of the risks!

An interesting alternative to the regular Secret questions has been described at Google TechTalks last summer:



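One way a site could enforce the kind of controls the comment above asks for (rejecting answers that repeat the question or the password, or that are too short or too common) and put a number on how guessable a preset question such as "favorite pet" is, given the 45/45/10 split described. This is an added example written for this page, not code from the blog, the commenter, or any site mentioned; the denylist, thresholds and the pet-answer counts are constructed assumptions.

```python
"""Server-side checks for user-chosen security questions, plus a
guessability estimate for preset ones.  Added illustration; the
denylist, the length thresholds and the sample answer distribution are
assumptions constructed for this example."""
import math
import re
from collections import Counter
from typing import List

# Assumed denylist of answers so common that a single guess has a high
# chance of success (constructed for the example, not from the page).
COMMON_ANSWERS = {"cat", "dog", "blue", "red", "pizza", "password", "123456"}


def _normalize(text: str) -> str:
    """Lower-case and collapse punctuation/whitespace so trivial variants match."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def validate_custom_question(question: str, answer: str, password: str) -> List[str]:
    """Return the list of policy violations; an empty list means accepted.

    The rules mirror the failure modes raised in the comments: the answer
    equals the question, the password is stored as the answer, the answer
    is very short or on the common-answer list, or the answer is given away
    by the question text itself."""
    problems = []
    q, a, p = _normalize(question), _normalize(answer), _normalize(password)
    if len(a) < 4:
        problems.append("answer too short")
    if a == q:
        problems.append("answer is identical to the question")
    elif a and a in q:
        problems.append("answer appears in the question text")
    if a == p or (p and p in a) or (a and a in p):
        problems.append("answer overlaps with the account password")
    if a in COMMON_ANSWERS:
        problems.append("answer is on the common-answer denylist")
    if len(q.split()) < 3:
        problems.append("question is too short to be meaningful")
    return problems


def top_k_guess_probability(answer_counts: Counter, k: int) -> float:
    """Probability that an attacker who tries the k most popular answers
    in order succeeds against a randomly chosen user of this question."""
    total = sum(answer_counts.values())
    return sum(c for _, c in answer_counts.most_common(k)) / total


def min_entropy_bits(answer_counts: Counter) -> float:
    """Min-entropy: -log2 of the single most likely answer's probability,
    the figure that matters against a one-guess attacker."""
    total = sum(answer_counts.values())
    return -math.log2(max(answer_counts.values()) / total)


# Constructed sample distribution matching the 45% / 45% / 10% split the
# comment gives for "what is your favorite pet".
FAVORITE_PET = Counter({"cat": 45, "dog": 45, "hamster": 4, "parrot": 3, "rabbit": 3})


if __name__ == "__main__":
    print(validate_custom_question("What is my password?", "hunter2", "hunter2"))
    print(validate_custom_question("What was my first car's nickname?", "Rustbucket", "hunter2"))
    print(f"two guesses succeed {top_k_guess_probability(FAVORITE_PET, 2):.0%} of the time")
    print(f"min-entropy {min_entropy_bits(FAVORITE_PET):.2f} bits")
```

Two guesses at the favorite-pet question succeed against 90 percent of users, and the min-entropy is about 1.15 bits, which is why a lockout or rate limit on answer attempts matters as much as the question wording. The validator is deliberately strict about overlap with the password, since any answer that leaks the password turns the recovery flow into a second login prompt with weaker protection.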
May 27, 2009 5:59 PM Ralph DeFrangesco Ralph DeFrangesco  says: in response to Someguy


Thank you for taking the time to respond. I totally agree with your way of thinking. I think we need something more to hold these people accountable than to just demand better security. I think government has to step up and start fining these companies for poor security.


May 28, 2009 3:44 PM manuel Morales manuel Morales  says:

You can't let users pick their own questions. Users normally want the easy way out and would pick simple questions. (E.g. that is why we have password rules; if not, all passwords would be XXXXX.) As security professionals we overthink and forget who the customers are. You can make security work by education, strong preventive measures, and customer accountability. We must balance security with business objectives. We can't be paranoid about every type of attack. It's all about the level of risk a business wants to accept.

Jul 14, 2009 7:51 PM BillyAndrews BillyAndrews  says:


I agree with you as well, better security is what every online consumer needs. For convenience, all of us do our businesses, purchases or any transactions or subscriptions online and most of us have experienced being a victim of scams. By being educated about online safety or security, we can all avoid these monsters of the online world. You may also want to check this article: http://www.articlerich.com/Article/Safety-in-the-World-of-Warcraft/561559

