Password Recovery Questions Make Online Accounts Vulnerable

Password recovery questions are great to recover a forgotten password in a matter of seconds. All that needs to be done is to answer the password recovery question to receive a new password in the inbox of the email associated with the account. This does however make email hacking a profitable business as email accounts are usually connected to online stores and other web services. Attackers with access to a compromised email account only need to answer the secret question to retrieve the password of the web account, which often is a lot easier than having to figure out the password itself. Sometimes, you do not even need to answer the security question to get the password reset request sent to the associated email account.

A recent study shows on the other hand that password recovery questions are usually answered honestly. Questions about the birth town, mother's maiden name or first animal name can sometimes be easily guesses. The study asked acquaintances of 32 webmail users to guess the answer to the secret question. Roughly 20% of these answers were guessed correctly.

Acquaintances of 32 webmail users – people with whom they would not normally share their login details – were asked to try and guess the answers users assigned to protect their accounts. The volunteers managed to guess correctly nearly a fifth of the time, raising questions over how secure the commonly used system is.

Password recovery questions should therefor not be answered honestly. Experienced users fill them out with password like characters which makes the answers more or less impossible to guess. These answers can then be stored in password managers as notes so that you retain the functionality should you ever come into the situation where you need to reset an account password.

How do you handle password recovery questions?

Update: Check out Security tip: do not answer security questions correctly for updated information and tips.