Jump to main content
Science Projects

How Secure Are Your Security Questions?

1
2
3
4
5
101 reviews

Abstract

Many websites ask you to answer "security questions," like "What is your mother's maiden name?," to recover your account if you ever forget your password or login ID. However, sometimes the answers to those questions are easy to find online. Does this pose a risk to the security of important accounts like email and online banking? Are people even aware that this information about them is available online? In this project, you will investigate how secure people think security questions are, and compare that to the reality of how easily you can find answers to these questions online.

Summary

Areas of Science
Cybersecurity
Computer Science
Sociology
Difficulty
 
Time Required
Average (6-10 days)
Prerequisites
None
Material Availability
Readily available
Cost
Very Low (under $20)
Safety
No issues
Credits
Ben Finio, PhD, Science Buddies

Objective

Determine whether you can look up publicly available information about a person online, to find answers to common account security questions.

Introduction

Have you ever forgotten a password? How many do you have? You have probably heard that you should avoid easily-guessed things like "password" or "123456" for your passwords, and that you should use a different password for every website, social media, gaming, school, or other online account you have. That is a lot of passwords to remember! Inevitably, sometimes people will forget passwords and need a way to authenticate, or verify, their identity in order to get back into their accounts. Some websites let you do this by answering a series of security questions, questions that ask about personal information that supposedly only you should know. If you can correctly answer all of the questions, then the website assumes it is really you and not someone impersonating you, and will restore access to your account.

However, many questions might be simple for someone else to answer. What is your mother's maiden name? What was your first pet's name? What is your favorite band? Your close friends and family might be able to answer those questions easily. Even someone who does not know you at all might be able to easily guess or find the answers to the questions. They could try a common answer like "pizza" or "ice cream" for "What is your favorite food?," check out your profile on social media sites like Facebook to find out what city you were born in, and use Google to look up public government records or a family tree website to find your parents' names. This would allow them to go to a website (like your email or social media account), click the "I forgot my password" link, and then answer the security questions to gain control of your account. The results of getting hacked can range from embarrassing (someone could view or share your personal emails or pictures) to causing financial loss (adults can have their credit card numbers or bank account information stolen).

So, it turns out that picking good security questions—and answers—is just as important as picking a good password. A strong password does not do you much good if someone can easily figure out all the answers to your security questions, but many people might not give these much thought. They might just pick a few that they know will be easier to remember, or they might not be aware of how much information is available about them online. In this project, you will survey people to find out if they think the answers to some common security questions about them are publicly available online, then try to find the answers yourself. Do you think people will be surprised by the results?

Terms and Concepts

Questions

Bibliography

This article gives a general overview of the problems with security questions:

This study by Google reports the effectiveness of security questions (referred to as "personal knowledge questions"). Even if you do not understand the entire report, it will be helpful if you read the abstract and sections 1 and 2.

This report is a very detailed survey about social media use by teenagers. Part 2 discusses what type of information teens post about themselves online and the privacy settings they use.

Materials and Equipment

Experimental Procedure

Working with Human Test Subjects

There are special considerations when designing an experiment involving human subjects. Fairs affiliated with Regeneron International Science and Engineering Fair (ISEF) often require an Informed Consent Form (permission sheet) for every participant who is questioned. Consult the rules and regulations of the science fair that you are entering, prior to performing experiments or surveys. Please refer to the Science Buddies documents Projects Involving Human Subjects and Scientific Review Committee for additional important requirements. If you are working with minors, you must get advance permission from the children's parents or guardians (and teachers if you are performing the test while they are in school) to make sure that it is all right for the children to participate in the science fair project. Here are suggested guidelines for obtaining permission for working with minors:

  1. Write a clear description of your science fair project, what you are studying, and what you hope to learn. Include how the child will be tested. Include a paragraph where you get a parent's or guardian's and/or teacher's signature.
  2. Print out as many copies as you need for each child you will be surveying.
  3. Pass out the permission sheet to the children or to the teachers of the children to give to the parents. You must have permission for all the children in order to be able to use them as test subjects.
Cybersecurity Project Warning

Cybersecurity projects can be fun, but they can also get you in trouble if you are not careful. Make sure you follow these rules when doing a cybersecurity project:

  • Do not attack any individual, computer, system, or network without consent from the individual (or person who owns the computer). For example, do not try to guess someone's email password and log into their account unless you get their permission first, or try to hack into a website without permission from the owner of the website.
  • Even if you have consent to perform an attack, the attack should be for learning purposes only, and you should help the individual or organization fix any problems you find (this is known as "white hat" hacking). For example, if you are able to guess someone's password, you should tell them they need to pick a stronger password (and help them learn how). Do not read their emails, change any of their account settings, look at private information or files like pictures, or tell anyone else their password.
  • If your project involves human subjects, even if you have their consent, you may still need approval from your science fair or an Institutional Review Board (similar to the rules for psychology or medical experiments). See this page for more information.
  • Do not pretend to be a different person, company, or other organization online. This includes pretending to be someone else on a social media site, setting up fake websites designed to look like real websites from reputable companies, or sending "phishing" or other emails designed to look like they were sent by someone else. (A controlled experiment where only study participants have access to examples of such websites or emails would be OK.)
  • Do not use data that was illegally obtained (for example, contact information stolen from a company's employee database), even if it was stolen by someone else and already posted online.
  • Do not publicly post sensitive personal information, even if it was obtained with consent. For example, if your project involves accessing people's contact information (legally), do not post someone's name and address in the "Results" section of your science fair display board. You should destroy any such information (by shredding paper or deleting files) when you are done with your project.
  • Do not install or run any malicious software (viruses, malware, spyware, trojans, etc.) on a computer that is connected to the internet. The software could easily spread to other computers and get out of your control.

If you have any doubts or questions about your project, check with your teacher or science fair administrator before you start.

  1. Gather volunteers for your project and get their consent to participate in a cybersecurity study. Your school or science fair may have specific rules you need to follow to obtain consent for an experiment with human subjects (see warnings at beginning of procedure). If not, you will need to design your own consent form using these guidelines. Ask your teacher for help if you are not sure how to do this.
    1. Your form should explain that you will attempt to look up answers to common website security questions, using information that is publicly available about the person online. You will not attempt to break in to any of their private online accounts (email, social media, etc.).
    2. You will ask participants to confirm if the answers you found are correct. They can choose not to answer if they are not comfortable doing so.
    3. You will not collect or look up any current contact information (like phone number or home address), or information that might give away their real name (like an email address).
    4. Data will be stored in an anonymous format. Participants' real names will not be connected to any of the information you find online, or their answers to questions about whether they expected that information to be available.
    5. Even though it is anonymized, data you collect on each individual will be destroyed after the project is complete. Aggregate data (totals for all participants in the study) will be preserved.
  2. Create a master list of your participants' names and anonymous ID numbers. You will destroy this piece of paper after you finish collecting data.
  3. Create or look up a list of 10 security questions.
    1. The questions should be about things that people would typically not hesitate to reveal in normal conversation. Do not ask for contact, financial, or otherwise confidential information (for example, do not ask for credit card numbers, social security numbers, current phone numbers, home address, or email address).
    2. Do a web search or look up the questions on some of the websites you use regularly if you need ideas.
    3. Note that questions may need to be different depending on whether you have recruited kids, adults, or both for your study. For example, questions like "Where did you get married?" or "What was the model of your first car?" may only work for adults.
  4. Design a survey form like the one shown in Table 1. You can make up or look up your own security questions; you do not need to use the examples in the table.
    1. Important: remember that you should not write the participants' names on the survey forms. Only write the anonymous ID numbers on the forms.
Participant ID number:
Security Question Answer you
found online		       Source       Does the volunteer think
this answer is available
online? (yes/no)		 Is the answer
you found
correct?
What is your mother's maiden name?    
In what city was your father born?     
What was your first pet's name?     
What was your middle school's mascot?     
What is your favorite band?     
...     
Table 1. Example survey form.
  1. Try to look up the correct answer to each question for each participant online.
    1. You will need to use the participant's real name when searching for answers to the questions. Use your master list of names and ID numbers to look up real names when you need them, but remember not to write the real names on the survey forms.
    2. You can look up the answers in a variety of ways:
      1. Through a Google search, by browsing social media profiles, family tree websites, or news articles about the person.
      2. Look up public government records like birth certificates and marriage licenses.
      3. Make sure you try the same approach for each person, so your methods are consistent and reproducible (and you can describe them in the procedure of your science fair project).
      4. Avoid the temptation to "just Google it" and look at the first few results. Some sources of information, like individual social media posts or government records, might not appear very high in search results. You might need to go to a specific website (like a family tree site or a county government site) and search there.
      5. Different sources may be better than others for certain questions.
    3. Important: your goal is to find out what information is public about someone online. You may have access to extra (non-public) information if you are friends with someone on a social media site like Facebook. Before you start searching, you should log out of all social media sites, or use a web browser in private browsing mode. That will ensure that you only see public results.
    4. Record the answer you found and the source (copy the link if possible, or write down the name of the website) on the survey form for each participant. If you could not find an answer, specify that you could not find it.
  2. Interview each volunteer.
    1. For each question, ask the volunteer whether they think that information about them is publicly available online (meaning, can anyone—even someone they do not know in real life and are not friends with on social media—look up that information?).
    2. Inform the volunteer whether or not you found an answer. If you found an answer, tell the volunteer what you found (and where you found it) and ask if the information is correct (a yes/no answer is sufficient; they do not have to provide you with the correct answer if the answer you found is wrong).
    3. Record all results on your survey form for that volunteer.
    4. If the volunteer seems surprised or upset that certain information was publicly available online, discuss steps they could take to make that information private (for example, deleting a social media post or making a profile private). This is similar to the role that cybersecurity professionals play in the real world. Instead of using the information they discover for criminal purposes (known as "black hat" hacking), they report any vulnerabilities they find, and teach customers how to manage their own online privacy and security ("white hat" hacking).
  3. When you are done conducting all your interviews, shred your master list that matches names to ID numbers. This will ensure that your data remain anonymous for the rest of the project.
  4. Analyze your data.
    1. For each question:
      1. Tally up the results for all volunteers and fill out a table like Table 2. This table divides the volunteers into four categories:
        • People who thought the answer would be online, and the answer was online.
        • People who thought the answer would be online, and the answer was not online.
        • People who thought the answer would not be online, and the answer was online.
        • People who thought the answer would not be online, and the answer was not online.
      2. Make a bar graph of the four categories. Which of the four groups do you think faces the biggest security risk?
      3. Calculate the percentage of volunteers for whom you were able to find a correct answer online.
    2. Rank your questions from least secure (highest percentage of correct answers found) to most secure (lowest percentage) and make a bar graph of the results.
    3. Which question(s) had the biggest disparity between expectation and reality? Was there a question where most people thought the information would not be available online, but it actually was, or vice versa?
    4. Pretend that each study participant has an account with a website that uses the three least secure questions, and gave you one try to get the correct answer. If you were a hacker, what percentage of their accounts would you have been able to compromise (meaning, for how many could you get all three questions correct)?
    5. Repeat step d for the three most secure questions.
Question: Information actually available
Yes No
Thought information would be available Yes      
No      
Table 2. Example data table to tally the results for each question.
  1. Draw conclusions from your results.
    1. Do you think security questions are a secure way to recover an online account?
    2. Do you think websites should continue to use them, or switch to other methods for account recovery?
    3. Do you think the way a user chooses security questions and answers makes a difference?
  2. Important: as described in the Cybersecurity Project Warning, you must be careful how you handle data for this project, in order to protect the privacy of your volunteers.
    1. Make sure you shred the paper that links names and ID numbers. This will ensure that answers to specific security questions cannot be linked to one individual.
    2. Do not post copies of Table 1 on your science fair display board. Even though it does not list a real name, people may be able to guess the volunteer's identity based on their answers to the questions (for example, your friends might be able to guess each other's identities based on their favorite songs).
    3. It is OK to post Table 2 and the bar graphs described in step 8 on your display board, since those only show aggregate data (tallied for all volunteers) and not individually identifiable information.
    4. When you are completely done with your project, and you are sure you are done analyzing your data, you should shred all copies of Table 1. Check out the variations section before you do this, in case you would like to do any additional analysis of your data.
icon scientific method

Ask an Expert

Do you have specific questions about your science project? Our team of volunteer scientists can help. Our Experts won't do the work for you, but they will make suggestions, offer guidance, and help you troubleshoot.
Post a Question

Global Connections

The United Nations Sustainable Development Goals (UNSDGs) are a blueprint to achieve a better and more sustainable future for all.

This project explores topics key to Industry, Innovation and Infrastructure: Build resilient infrastructure, promote sustainable industrialization and foster innovation.

Variations

  • There are many other aspects of security questions you can study. Read the publication by Google in the bibliography for some ideas. Here are just a few:
    • Do people remember the answers to their own questions? Have participants give you their answers, and then ask them to recall the answers one day, one week, and one month later.
    • How easy is it to guess correct answers to questions, even without searching online? For example, how often can you correctly guess someone's favorite TV show just by picking a show you know is popular with people their age? Did any of your volunteers have the same answers for some questions? Many websites will give you multiple tries to enter a correct answer, so how much easier is it to guess their answers if you get three guesses?
    • How easily can friends, family members, or other acquaintances answer someone's security questions without looking online? Does this create vulnerabilities (for example, to a disgruntled coworker or a former friend)?
    • How often do people give fake answers to security questions? Does doing this make the answers easier or harder to remember? Does it make them more or less secure?
  • Instead of asking participants to answer yes/no to whether they think information will be available online, ask them to rate the likelihood that the information will be available on a 0–5 scale; or, ask them to rank your list of questions from easiest to hardest to answer. How well do their expectations match up with your results?
  • Some websites have moved away from security questions toward other methods for account recovery. For example, they might send a one-time recovery code to you via text message or email, or let you identify several real-world friends on a social network who can help confirm your identity if your account gets hacked. How secure are these methods relative to security questions? For example, do they still work if you lose your phone?

Careers

If you like this project, you might enjoy exploring these related careers:

Information Security Analyst
Log in to add favorite
Career Profile
Have you ever seen a story on the news about how a company or government agency was "hacked" and people's personal information, like names, addresses, or credit card numbers, was stolen? It is an information security analyst's job to prevent that from happening. Organizations hire information security analysts to analyze possible threats against their computer systems, which can range from malicious hackers trying to steal data to careless employees who accidentally forget to log out of a… Read more
Ethical Hacker
Log in to add favorite
Career Profile
In movies and in the media, computer hackers are often portrayed as the bad guys—criminals who steal money or important information. What if you could be a good hacker? Somebody whose job is to find security flaws in computer systems; but rather than exploiting them for personal gain, you help fix the problems before criminals can find them? That is what ethical hackers—also called "white hat" hackers—do. Companies pay them to intentionally try to break into their systems to… Read more
Security Incident Responder
Log in to add favorite
Career Profile
Security incident responders, also called intrusion analysts or incident response engineers, are like the "firefighters" of the cyber world. Companies can take steps to safeguard their computer networks and systems, but sometimes prevention is not enough and cyber attacks still happen. Sensitive data like customer credit card information can be stolen, entire websites could be brought down or altered, or personal contact information can be leaked. When this happens, incident responders must act… Read more
Technical Writer
Log in to add favorite
Career Profile
Have you tried to install new video-game software or connect a new printer to your computer? Doing something like this can be a little scary because of concerns about what may happen to your computer if you don't do it properly. So you read the instructions pamphlet that came with the software or printer and follow it step by step. Thankfully, the instructions are clear and you are successful with the installation! You can credit a technical writer for creating those helpful directions that… Read more
Web Developer and Designer
Log in to add favorite
Career Profile
Are you interested in how a website is set up and how the website runs? As a web developer and designer you could design a website's look and feel and create the code to make sure the website works. You could set up a website for your favorite store with payment options, making sure it works with the ever growing list of browsers and devices. Do you like working behind the scenes? You could design the layout or write the supporting code for an app or website while collaborating with other web… Read more

News Feed on This Topic

 
, ,

Cite This Page

General citation information is provided here. Be sure to check the formatting, including capitalization, for the method you are using and update your citation, as needed.

MLA Style

Finio, Ben. "How Secure Are Your Security Questions?" Science Buddies, 14 July 2023, https://www.sciencebuddies.org/science-fair-projects/project-ideas/Cyber_p007/cybersecurity/security-questions. Accessed 30 Apr. 2024.

APA Style

Finio, B. (2023, July 14). How Secure Are Your Security Questions? Retrieved from https://www.sciencebuddies.org/science-fair-projects/project-ideas/Cyber_p007/cybersecurity/security-questions


Last edit date: 2023-07-14

Explore Our Science Videos

Rubber Band Paddle Boat with Cardboard and Duct Tape
DIY Toy Sailboat
Dancing Candy Hearts
Quick Links X
Top
We use cookies and those of third party providers to deliver the best possible web experience and to compile statistics.
By continuing and using the site, including the landing page, you agree to our Privacy Policy and Terms of Use.
OK, got it
Free science fair projects.