How Secure Are Your Security Questions?
Abstract
Many websites ask you to answer "security questions," like "What is your mother's maiden name?", to recover your account if you ever forget your password or login ID. However, sometimes the answers to those questions are easy to find online. Does this pose a risk to the security of important accounts like email and online banking? Are people even aware that this information about them is available online? In this project, you will investigate how secure people think security questions are, and compare that to the reality of how easily you can find answers to these questions online.
Objective
Determine whether you can look up publicly available information about a person online, to find answers to common account security questions.
Have you ever forgotten a password? How many do you have? You have probably heard that you should avoid easily-guessed things like "password" or "123456" for your passwords, and that you should use a different password for every website, social media, gaming, school, or other online account you have. That is a lot of passwords to remember! Inevitably, sometimes people will forget passwords and need a way to authenticate, or verify, their identity in order to get back into their accounts. Some websites let you do this by answering a series of security questions, questions that ask about personal information that supposedly only you should know. If you can correctly answer all of the questions, then the website assumes it is really you and not someone impersonating you, and will restore access to your account.
However, many questions might be simple for someone else to answer. What is your mother's maiden name? What was your first pet's name? What is your favorite band? Your close friends and family might be able to answer those questions easily. Even someone who does not know you at all might be able to guess or find the answers. They could try a common answer like "pizza" or "ice cream" for "What is your favorite food?", check out your profile on social media sites like Facebook to find out what city you were born in, and use Google to look up public government records or a family tree website to find your parents' names. This would allow them to go to a website (like your email or social media account), click the "I forgot my password" link, and then answer the security questions to gain control of your account. The results of getting hacked can range from embarrassing (someone could view or share your personal emails or pictures) to causing financial loss (adults can have their credit card numbers or bank account information stolen).
So, it turns out that picking good security questions—and answers—is just as important as picking a good password. A strong password does not do you much good if someone can easily figure out all the answers to your security questions, but many people might not give these much thought. They might just pick a few that they know will be easier to remember, or they might not be aware of how much information is available about them online. In this project, you will survey people to find out if they think the answers to some common security questions about them are publicly available online, then try to find the answers yourself. Do you think people will be surprised by the results?
Terms and Concepts
- Security question
- White hat
- Black hat
- Do you use any websites that use security questions to authenticate your account? If so, what are some of the questions? How hard do you think it would be for someone to guess or look up the answers to your questions?
- What type of information do you post about yourself online (for example, social media profiles)? How much control do you have over this information and who can see it?
- Is there any information about you online that you do not have direct control over? For example, does your name appear on a school or sports team website, or in a news article?
- What types of information might be available about other people online? For example, adults might have public documents or government records that kids would not have, like a marriage license or the deed to a house.
- Do you think people are aware of how much information is publicly available about them online?
Bibliography
This article gives a general overview of the problems with security questions:
- Newman, L. (September 28, 2016). Time to kill security questions—or answer them with lies. Wired. Retrieved August 10, 2017.
This study by Google reports the effectiveness of security questions (referred to as "personal knowledge questions"). Even if you do not understand the entire report, it will be helpful if you read the abstract and sections 1 and 2.
- Bonneau, J. et al. (2015). Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google. Proceedings of the 22nd International Conference on the World Wide Web. Retrieved August 10, 2017.
This report is a very detailed survey about social media use by teenagers. Part 2 discusses what type of information teens post about themselves online and the privacy settings they use.
- Madden, M. et al. (May 21, 2013). Teens, Social Media, and Privacy. Pew Research Center. Retrieved August 10, 2017.
Materials and Equipment
- Internet access
- Study volunteers (at least 10). See this page about sample size and margin of error for projects involving surveys.
Working with Human Test Subjects
There are special considerations when designing an experiment involving human subjects. Fairs affiliated with Regeneron International Science and Engineering Fair (ISEF) often require an Informed Consent Form (permission sheet) for every participant who is questioned. Consult the rules and regulations of the science fair that you are entering, prior to performing experiments or surveys. Please refer to the Science Buddies documents Projects Involving Human Subjects and Scientific Review Committee for additional important requirements. If you are working with minors, you must get advance permission from the children's parents or guardians (and teachers if you are performing the test while they are in school) to make sure that it is all right for the children to participate in the science fair project. Here are suggested guidelines for obtaining permission for working with minors:
- Write a clear description of your science fair project, what you are studying, and what you hope to learn. Include how the child will be tested. Include a paragraph where you get a parent's or guardian's and/or teacher's signature.
- Print out as many copies as you need for each child you will be surveying.
- Pass out the permission sheet to the children or to the teachers of the children to give to the parents. You must have permission for all the children in order to be able to use them as test subjects.
Cybersecurity Project Warning
Cybersecurity projects can be fun, but they can also get you in trouble if you are not careful. Make sure you follow these rules when doing a cybersecurity project:
- Do not attack any individual, computer, system, or network without consent from the individual (or person who owns the computer). For example, do not try to guess someone's email password and log into their account unless you get their permission first, or try to hack into a website without permission from the owner of the website.
- Even if you have consent to perform an attack, the attack should be for learning purposes only, and you should help the individual or organization fix any problems you find (this is known as "white hat" hacking). For example, if you are able to guess someone's password, you should tell them they need to pick a stronger password (and help them learn how). Do not read their emails, change any of their account settings, look at private information or files like pictures, or tell anyone else their password.
- If your project involves human subjects, even if you have their consent, you may still need approval from your science fair or an Institutional Review Board (similar to the rules for psychology or medical experiments). See this page for more information.
- Do not pretend to be a different person, company, or other organization online. This includes pretending to be someone else on a social media site, setting up fake websites designed to look like real websites from reputable companies, or sending "phishing" or other emails designed to look like they were sent by someone else. (A controlled experiment where only study participants have access to examples of such websites or emails would be OK.)
- Do not use data that was illegally obtained (for example, contact information stolen from a company's employee database), even if it was stolen by someone else and already posted online.
- Do not publicly post sensitive personal information, even if it was obtained with consent. For example, if your project involves accessing people's contact information (legally), do not post someone's name and address in the "Results" section of your science fair display board. You should destroy any such information (by shredding paper or deleting files) when you are done with your project.
- Do not install or run any malicious software (viruses, malware, spyware, trojans, etc.) on a computer that is connected to the internet. The software could easily spread to other computers and get out of your control.
If you have any doubts or questions about your project, check with your teacher or science fair administrator before you start.
Procedure
- Gather volunteers for your project and get their consent to participate in a cybersecurity study. Your school or science fair may have specific rules you need to follow to obtain consent for an experiment with human subjects (see warnings at beginning of procedure). If not, you will need to design your own consent form using these guidelines. Ask your teacher for help if you are not sure how to do this.
  - Your form should explain that you will attempt to look up answers to common website security questions, using information that is publicly available about the person online. You will not attempt to break in to any of their private online accounts (email, social media, etc.).
  - You will ask participants to confirm if the answers you found are correct. They can choose not to answer if they are not comfortable doing so.
  - You will not collect or look up any current contact information (like phone number or home address), or information that might give away their real name (like an email address).
  - Data will be stored in an anonymous format. Participants' real names will not be connected to any of the information you find online, or their answers to questions about whether they expected that information to be available.
  - Even though it is anonymized, data you collect on each individual will be destroyed after the project is complete. Aggregate data (totals for all participants in the study) will be preserved.
- Create a master list of your participants' names and anonymous ID numbers. You will destroy this piece of paper after you finish collecting data.
- Create or look up a list of 10 security questions.
  - The questions should be about things that people would typically not hesitate to reveal in normal conversation. Do not ask for contact, financial, or otherwise confidential information (for example, do not ask for credit card numbers, social security numbers, current phone numbers, home address, or email address).
  - Do a web search or look up the questions on some of the websites you use regularly if you need ideas.
  - Note that questions may need to be different depending on whether you have recruited kids, adults, or both for your study. For example, questions like "Where did you get married?" or "What was the model of your first car?" may only work for adults.
- Design a survey form like the one shown in Table 1. You can make up or look up your own security questions; you do not need to use the examples in the table.
  - Important: remember that you should not write the participants' names on the survey forms. Only write the anonymous ID numbers on the forms.
Table 1. Example survey form (one per participant).

Participant ID number: ________

| Security Question | Answer you found (and source) | Does the volunteer think this answer is available online? | Is the answer correct? |
|---|---|---|---|
| What is your mother's maiden name? | | | |
| In what city was your father born? | | | |
| What was your first pet's name? | | | |
| What was your middle school's mascot? | | | |
| What is your favorite band? | | | |
- Try to look up the correct answer to each question for each participant online.
  - You will need to use the participant's real name when searching for answers to the questions. Use your master list of names and ID numbers to look up real names when you need them, but remember not to write the real names on the survey forms.
  - You can look up the answers in a variety of ways:
    - Through a Google search, by browsing social media profiles, family tree websites, or news articles about the person.
    - Look up public government records like birth certificates and marriage licenses.
  - Make sure you try the same approach for each person, so your methods are consistent and reproducible (and you can describe them in the procedure of your science fair project).
  - Avoid the temptation to "just Google it" and look at the first few results. Some sources of information, like individual social media posts or government records, might not appear very high in search results. You might need to go to a specific website (like a family tree site or a county government site) and search there.
  - Different sources may be better than others for certain questions.
  - Important: your goal is to find out what information is public about someone online. You may have access to extra (non-public) information if you are friends with someone on a social media site like Facebook. Before you start searching, you should log out of all social media sites, or use a web browser in private browsing mode. That will ensure that you only see public results.
  - Record the answer you found and the source (copy the link if possible, or write down the name of the website) on the survey form for each participant. If you could not find an answer, specify that you could not find it.
- Interview each volunteer.
  - For each question, ask the volunteer whether they think that information about them is publicly available online (meaning, can anyone—even someone they do not know in real life and are not friends with on social media—look up that information?).
  - Inform the volunteer whether or not you found an answer. If you found an answer, tell the volunteer what you found (and where you found it) and ask if the information is correct (a yes/no answer is sufficient; they do not have to provide you with the correct answer if the answer you found is wrong).
  - Record all results on your survey form for that volunteer.
  - If the volunteer seems surprised or upset that certain information was publicly available online, discuss steps they could take to make that information private (for example, deleting a social media post or making a profile private). This is similar to the role that cybersecurity professionals play in the real world. Instead of using the information they discover for criminal purposes (known as "black hat" hacking), they report any vulnerabilities they find, and teach customers how to manage their own online privacy and security ("white hat" hacking).
- When you are done conducting all your interviews, shred your master list that matches names to ID numbers. This will ensure that your data remain anonymous for the rest of the project.
- Analyze your data.
  - For each question:
    - Tally up the results for all volunteers and fill out a table like Table 2. This table divides the volunteers into four categories:
      - People who thought the answer would be online, and the answer was online.
      - People who thought the answer would be online, and the answer was not online.
      - People who thought the answer would not be online, and the answer was online.
      - People who thought the answer would not be online, and the answer was not online.
    - Make a bar graph of the four categories. Which of the four groups do you think faces the biggest security risk?
    - Calculate the percentage of volunteers for whom you were able to find a correct answer online.
  - Rank your questions from least secure (highest percentage of correct answers found) to most secure (lowest percentage) and make a bar graph of the results.
  - Which question(s) had the biggest disparity between expectation and reality? Was there a question where most people thought the information would not be available online, but it actually was, or vice versa?
  - Pretend that each study participant has an account with a website that uses the three least secure questions, and gave you one try to get the correct answer. If you were a hacker, what percentage of their accounts would you have been able to compromise (meaning, for how many could you get all three questions correct)?
  - Repeat the previous step for the three most secure questions.
Table 2. Tally sheet for one question (fill out one per question).

| Question: ________ | Information actually available: Yes | Information actually available: No |
|---|---|---|
| Thought information would be available: Yes | | |
| Thought information would be available: No | | |
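Once the survey forms are tallied, every figure in the analysis above (the Table 2 counts, the percentage of answers found, the least-to-most-secure ranking, the expectation-versus-reality gap, and the three-question compromise rate) can be computed from the anonymized records. The following Python is an added example, not part of the original project guide; its six records are constructed sample data, not real volunteers, and carry only anonymous IDs.

```python
"""Aggregate anonymized survey results for the security-question study.
The sample data is constructed for illustration, not real volunteers: each record
holds only an anonymous ID plus, per question, (expected online?, found online?)."""
from collections import Counter

QUESTIONS = ["mother's maiden name", "father's birth city", "first pet's name",
             "middle school mascot", "favorite band"]

# Constructed records: anonymous ID -> [(expected, found), ...] in QUESTIONS order.
RECORDS = {
    1: [(False, True), (False, True), (True, False), (False, True), (True, True)],
    2: [(True, True), (False, False), (False, False), (False, True), (True, True)],
    3: [(False, True), (False, True), (False, False), (True, True), (False, False)],
    4: [(False, False), (False, True), (True, True), (False, True), (True, True)],
    5: [(True, True), (False, False), (False, False), (False, False), (True, False)],
    6: [(False, True), (False, True), (False, False), (False, True), (False, True)],
}

def count_expected(records, i):
    """Volunteers who thought the answer to question i was publicly available."""
    return sum(1 for rec in records.values() if rec[i][0])

def count_found(records, i):
    """Volunteers for whom a correct answer to question i was found online."""
    return sum(1 for rec in records.values() if rec[i][1])

def pct(count, records):
    """Count as a percentage of all volunteers, rounded to one decimal."""
    return round(100.0 * count / len(records), 1)

def table2(records, i):
    """Table 2 for question i: a count for each (expected, found) combination."""
    tally = Counter(rec[i] for rec in records.values())
    return {(e, f): tally[(e, f)] for e in (True, False) for f in (True, False)}

def rank_least_secure(records):
    """Question indices from least secure (most answers found) to most secure."""
    return sorted(range(len(QUESTIONS)), key=lambda i: -count_found(records, i))

def disparity(records):
    """(question index, expected - found) pairs, largest gap first; a negative
    gap means more answers were online than volunteers expected."""
    gaps = [(i, count_expected(records, i) - count_found(records, i))
            for i in range(len(QUESTIONS))]
    return sorted(gaps, key=lambda g: -abs(g[1]))

def compromise_rate(records, q_indices):
    """Percentage of volunteers whose answers to ALL listed questions were found
    online, i.e. accounts an outsider could recover with one try per question."""
    hits = sum(1 for rec in records.values() if all(rec[i][1] for i in q_indices))
    return pct(hits, records)

if __name__ == "__main__":
    order = rank_least_secure(RECORDS)  # least secure first
    for i in order:
        print(f"{QUESTIONS[i]:>22}: {pct(count_found(RECORDS, i), RECORDS):5.1f}% found",
              table2(RECORDS, i))
    print("three least secure questions, all correct:", compromise_rate(RECORDS, order[:3]), "%")
    print("three most secure questions, all correct: ", compromise_rate(RECORDS, order[-3:]), "%")
```

Only aggregate outputs (the Table 2 counts, percentages and rankings) belong on a display board; the per-participant records are the data the procedure tells you to destroy once the analysis is done.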
- Draw conclusions from your results.
  - Do you think security questions are a secure way to recover an online account?
  - Do you think websites should continue to use them, or switch to other methods for account recovery?
  - Do you think the way a user chooses security questions and answers makes a difference?
- Important: as described in the Cybersecurity Project Warning, you must be careful how you handle data for this project, in order to protect the privacy of your volunteers.
  - Make sure you shred the paper that links names and ID numbers. This will ensure that answers to specific security questions cannot be linked to one individual.
  - Do not post copies of Table 1 on your science fair display board. Even though it does not list a real name, people may be able to guess the volunteer's identity based on their answers to the questions (for example, your friends might be able to guess each other's identities based on their favorite songs).
  - It is OK to post Table 2 and the bar graphs described under "Analyze your data" on your display board, since those only show aggregate data (tallied for all volunteers) and not individually identifiable information.
  - When you are completely done with your project, and you are sure you are done analyzing your data, you should shred all copies of Table 1. Check out the variations section before you do this, in case you would like to do any additional analysis of your data.
Variations
- There are many other aspects of security questions you can study. Read the publication by Google in the bibliography for some ideas. Here are just a few:
  - Do people remember the answers to their own questions? Have participants give you their answers, and then ask them to recall the answers one day, one week, and one month later.
  - How easy is it to guess correct answers to questions, even without searching online? For example, how often can you correctly guess someone's favorite TV show just by picking a show you know is popular with people their age? Did any of your volunteers have the same answers for some questions? Many websites will give you multiple tries to enter a correct answer, so how much easier is it to guess their answers if you get three guesses?
  - How easily can friends, family members, or other acquaintances answer someone's security questions without looking online? Does this create vulnerabilities (for example, to a disgruntled coworker or a former friend)?
  - How often do people give fake answers to security questions? Does doing this make the answers easier or harder to remember? Does it make them more or less secure?
  - Instead of asking participants to answer yes/no to whether they think information will be available online, ask them to rate the likelihood that the information will be available on a 0–5 scale; or, ask them to rank your list of questions from easiest to hardest to answer. How well do their expectations match up with your results?
  - Some websites have moved away from security questions toward other methods for account recovery. For example, they might send a one-time recovery code to you via text message or email, or let you identify several real-world friends on a social network who can help confirm your identity if your account gets hacked. How secure are these methods relative to security questions? For example, do they still work if you lose your phone?