Google: Email Password Recovery Questions May Not Be Secure



If you’ve ever registered for an email account on the likes of Gmail, Hotmail, Yahoo or AOL, you’ve probably been asked to choose answers to a few security questions. But those email password recovery questions might not be secure enough to keep hackers out, and at the same time might be too hard for you to remember.


According to a recent research report from Google, questions such as “What is your favorite food?”, “What is the name of your first pet?” and “What is your mother’s maiden name?” were tricky enough to lock out 40% of users who went through the password-recovery process, because they couldn’t remember the answers they had chosen.

Part of this has to do with users picking answers that don’t match what the question actually asks for, such as entering a telephone number when the question asks for a frequent flier number, according to TechCrunch.

Google’s report draws on figures from millions of data-recovery attempts conducted through its Gmail service.

Also discouraging, according to TechCrunch, is how easy it was for hackers to obtain some information about users’ accounts. For example, it says, hackers were often able to guess that an English-speaking user’s favorite food was pizza, which is apparently the answer to that question used by some 20% of Google’s account holders. And, when looking at Spanish-speakers, the study found that with 10 guesses, hackers had a 21% chance of figuring out a user’s father’s middle name. Countries with populations living in a few large cities were likely to have easier-to-hack accounts when the security question involved asking where the authorized user was born.
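The guessing figures above reflect how concentrated the answers to a question are. As an added example (not from Google's report or this article), the Python sketch below audits a constructed sample of answers to one question and reports what share of accounts falls within the number of guesses a recovery form allows; the sample data, function names and the 10% threshold are assumptions.

```python
from collections import Counter
import unicodedata

def normalize(answer):
    """Fold case, accents and spacing, as a lenient answer check would."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return " ".join(text.casefold().split())

def answer_counts(answers):
    """Count normalized answers, ignoring blank entries."""
    return Counter(normalize(a) for a in answers if a.strip())

def top_k_coverage(answers, k):
    """Fraction of accounts whose answer is among the k most common ones."""
    counts = answer_counts(answers)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(n for _, n in counts.most_common(k)) / total

def audit_question(answers, attempts_allowed, max_coverage=0.10):
    """Flag a question when the allowed guesses cover too many accounts.

    max_coverage is an assumed policy threshold, not a figure from the report.
    """
    coverage = top_k_coverage(answers, attempts_allowed)
    return {
        "distinct_answers": len(answer_counts(answers)),
        "coverage": coverage,
        "weak": coverage > max_coverage,
    }

# Constructed sample of 20 "favorite food" answers (not real user data).
SAMPLE_FAVORITE_FOOD = (
    ["Pizza", "Pizza", " pizza ", "PIZZA"]
    + ["sushi"] * 3 + ["Pasta"] * 3 + ["tacos"] * 2
    + ["Crème brûlée", "creme brulee"]
    + ["paella", "ramen", "curry", "falafel", "pho", "burger"]
)

if __name__ == "__main__":
    for attempts in (1, 3, 10):
        print(attempts, audit_question(SAMPLE_FAVORITE_FOOD, attempts))
```

Running the same audit per language or region shows which questions a fixed attempt limit fails to protect.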

There are some alternatives to passwords, but that is rarely the case for an email account, so the password itself has to be kept safe. Google’s study did, however, encourage the use of SMS password recovery, in which users have their recovery code sent as a text message to their mobile phone. Provided a thief doesn’t also have your Android or iPhone, it could be yet another option for keeping your digital presence under lock and key.

