Abstract: We examine the first large real-world data set on personal knowledge question's security and memorability from their deployment at Google.
Our analysis confirms that secret questions generally offer a security level that is far lower than user-chosen passwords.
I mean, sure - if a user answers honestly I can easily see that "Mother's Maiden Name" is a lot easier than brute forcing a 15+ character password. Even if they lie and type a real name it's guessable. But, then comes the problem of "remembering" the lie which also tends to rule out typing random gibberish (unless of course the user then writes down the gibberish... which is a problem in its own =P).
Statistical attacks against secret questions are a real risk because there are common answers shared among many users. For example using a single guess an attacker would have a 19.7% success rate at guessing English-speaking users’ answers for the question "Favorite food?".
19.7% is pretty damn good - I wish someone would use it on me since I can't actually think of an answer to that question for myself =P
Direct link to the paper (.pdf)















