To let users quickly and easily recover access to an online account whose password has been lost, most sites still fall back on the well-known secret question.
The principle is simple: when registering on a site, the user is asked to fill in the answer to a "secret" question (mother's maiden name, the name of the first pet, favorite country, favorite meal…). A user who later forgets the password can recover it by answering that question correctly.
Everything worked reasonably well before social networks came along: today it is more than likely that you have already given away these details, without meaning to, in your posts on Facebook and the like…
And even without social media, it has recently been shown that these "secret" questions produce too few distinct answers to be reliable: the answers cluster around a handful of common values. Google researchers analyzed hundreds of millions of secret questions, and the answers given to them, used to recover access to Google accounts.
A quick probability calculation makes the finding obvious: attackers have an excellent chance of guessing the answer simply by betting on the most common values. With a single guess, an attacker has a 19.7% chance of hitting the answer an English-speaking user gave to "What is your favorite food?". And in case you were wondering, the most common answer to that question is pizza.
To guess the city of birth of a Korean-speaking user, an attacker has a 39% chance of succeeding within 10 attempts.
And there is no comfort in telling yourself that you deliberately chose a false answer to defeat the system: even among people's made-up answers, the repetitions are frequent enough to be a security risk.
Paradoxically, users avoid more complex questions and answers, mainly because these are often harder to remember than the password they are trying to recover… The loop is closed.
One solution would be to require answers to several questions, but again it is the user who will find the process too cumbersome, and who also risks forgetting one of the answers chosen earlier…
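The guessing arithmetic behind the figures above (the success rate of an attacker who tries the k most popular answers, and what requiring several questions does to that rate) can be measured on any pool of stored answers. The following is an added example, not code from the original article or from the Google study; the answer sample is constructed for illustration, and the `normalize`, `top_k_success`, `guesses_needed` and `combined_success` helpers are hypothetical names chosen here.

```python
"""Measure how guessable a pool of secret-question answers is.

Added example for this article; the SAMPLE_ANSWERS list is constructed,
not real data. Replace it with the (normalised) answer column of a real
deployment to measure how many users a top-k guessing attack would hit.
"""
from collections import Counter
from math import prod
from typing import Iterable, Sequence


def normalize(answer: str) -> str:
    """Canonicalise an answer the way a lenient recovery form compares it
    (case-insensitive, surrounding and repeated whitespace ignored)."""
    return " ".join(answer.strip().lower().split())


def answer_distribution(answers: Iterable[str]) -> Counter:
    """Count how many users gave each (normalised) answer."""
    return Counter(normalize(a) for a in answers)


def top_k_success(answers: Sequence[str], k: int) -> float:
    """Probability that an attacker who tries the k most popular answers
    hits the answer of a randomly chosen user. This is the metric behind
    the 19.7% (k=1) and 39% (k=10) figures quoted in the article."""
    dist = answer_distribution(answers)
    total = sum(dist.values())
    return sum(count for _, count in dist.most_common(k)) / total


def guesses_needed(answers: Sequence[str], target: float) -> int:
    """Smallest guess budget k whose top-k success rate reaches `target`.
    Falls back to the number of distinct answers when the target is only
    reached by trying every answer ever given."""
    dist = answer_distribution(answers)
    total = sum(dist.values())
    covered = 0
    for k, (_, count) in enumerate(dist.most_common(), start=1):
        covered += count
        if covered / total >= target:
            return k
    return len(dist)


def combined_success(per_question_rates: Sequence[float]) -> float:
    """Attacker success when the user must answer *all* questions and the
    attacker spends an independent top-k budget on each. Assumes the
    answers are independent, which is optimistic: real answers correlate
    (the same user tends to give predictable answers everywhere)."""
    return prod(per_question_rates)


# Constructed sample of 100 answers to "What is your favorite food?".
SAMPLE_ANSWERS = (
    ["Pizza"] * 20 + ["pasta"] * 8 + ["sushi"] * 6 + ["chocolate"] * 5
    + ["tacos"] * 4 + ["steak"] * 3 + ["curry"] * 2
    + ["asdfgh"] * 2                              # two users "protecting" themselves with the same junk answer
    + [f"unique-dish-{i}" for i in range(50)]     # 50 answers nobody else gave
)

if __name__ == "__main__":
    for k in (1, 3, 10):
        print(f"top-{k} guesses: {top_k_success(SAMPLE_ANSWERS, k):.1%} of users")
    print("guesses to reach 50%:", guesses_needed(SAMPLE_ANSWERS, 0.5))
    # Requiring a second question with the same 10-guess success rate:
    rate = top_k_success(SAMPLE_ANSWERS, 10)
    print(f"two independent questions, 10 guesses each: {combined_success([rate, rate]):.1%}")
    # Baseline: 100 users with 100 distinct answers, the best a question can do
    print(f"uniform baseline, 10 guesses: {top_k_success([str(i) for i in range(100)], 10):.1%}")
```

The point of the script is the comparison with the uniform baseline: on the constructed sample, ten guesses cover about half the users, against one in ten if every user had given a different answer, and the two users who typed the same "random" junk show why a made-up answer does not necessarily help. Requiring a second question multiplies the rates together, but only if the answers are truly independent, and it does nothing about the usability problem described above.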
In the end, the best course is to abandon this mechanism and opt for strong authentication based on a code sent by SMS. All that remains is not to lose your smartphone, or control of your phone line.