Using secret questions to let people back into their accounts when they forget their password is a terrible idea, according to a new paper from Google.
A white paper [PDF] called "Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google" dug into data on millions of users' interactions with a range of account-recovery questions and concluded that the questions were not only largely ineffective, but also a security risk.
The idea is a fairly logical one: to let someone access their account if they have forgotten their password, give them a question that is likely to be specific to an individual and use their answer to verify who they are.
The problem? Much of the time we cannot remember the answer, or we deliberately register a false answer in the belief that it will make the account harder to break into, not realising, of course, that we will forget the made-up answer all too quickly.
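To make that trade-off concrete, here is an added example that is not from the article or from Google's paper. It takes a constructed, illustrative sample of answers to one recovery question and shows how far an attacker who simply tries the most popular answers gets, alongside how the legitimate owners' recall drops once some of them register fake answers. The answer counts and the recall rates are assumptions chosen for illustration, not figures from the paper.

```python
from collections import Counter
from fractions import Fraction

# Constructed answer sample for one recovery question ("favourite food").
# Illustrative skew only, not the paper's data: a few answers cover a
# large share of users, and 49 users each give a unique answer.
SAMPLE_ANSWERS = (
    ["Pizza"] * 20 + ["pasta"] * 10 + ["sushi"] * 8 + ["tacos"] * 6
    + ["curry"] * 4 + ["steak"] * 3 + [f"dish{i}" for i in range(49)]
)


def normalize(answer: str) -> str:
    """Canonicalise an answer the way a lenient recovery form would,
    so "Pizza" and " pizza " count as the same answer."""
    return answer.strip().lower()


def attacker_success_rate(answers, guesses):
    """Fraction of accounts opened by an attacker who knows only the
    population's answer distribution (nothing about the victim) and
    tries the `guesses` most common answers in order."""
    counts = Counter(normalize(a) for a in answers)
    hits = sum(n for _, n in counts.most_common(guesses))
    return Fraction(hits, len(answers))


def effective_recall(honest_recall, fake_recall, fake_fraction):
    """Share of legitimate owners who can still answer when a fraction
    of them registered a made-up answer (to defeat guessing) that they
    recall less often than a true one. All three inputs are assumed rates."""
    return (1 - fake_fraction) * honest_recall + fake_fraction * fake_recall


def assess_question(answers, honest_recall, fake_recall, fake_fraction, guesses=10):
    """Both sides of the trade-off for one question: how often an attacker
    gets in with `guesses` tries, and how often the real owner does.
    A usable question needs the first low and the second high."""
    return {
        "attacker_1_guess": attacker_success_rate(answers, 1),
        f"attacker_{guesses}_guesses": attacker_success_rate(answers, guesses),
        "owner_recall": effective_recall(honest_recall, fake_recall, fake_fraction),
    }


if __name__ == "__main__":
    # Recall rates below are constructed for illustration, not measured.
    result = assess_question(SAMPLE_ANSWERS, honest_recall=0.75,
                             fake_recall=0.25, fake_fraction=0.4)
    for name, value in result.items():
        print(f"{name}: {float(value):.2f}")
```

With this sample an attacker's single most popular guess opens one account in five, and ten guesses open more than half, while only a bit over half of the owners can answer at all once 40% of them have registered a fake answer they mostly forget. Changing the constructed numbers moves the figures, but not the shape of the problem: a question whose answers are spread widely enough to resist guessing is one that owners themselves are likely to forget.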