In a new research paper, Google staffers found that those pesky security questions which are often used to help users recover passwords are one of the worst ways to protect online accounts. The company studied hundreds of millions of actual question-and-answer combos used by real Google users, and discovered people often choose obvious answers that are easy to remember — but also easy for hackers to guess.

For example, an attacker would have a 20% chance of guessing an English speaker’s answer to the question, “What is your favorite food?” by guessing “pizza” on the first try.

Even when users have hard-to-guess answers that are effective at keeping hackers out, it can be challenging for people to get into their own accounts. 40% of English-speaking U.S. users have failed to recall their answers to security questions, according to Google. When the questions are very difficult, such as asking for a person’s frequent flyer number, recall rate drops to 9%.

Some users try to be clever and make up fake answers to questions in hopes of boosting security, but that plan can also backfire. Google found 37% of people have given bogus answers to security questions, but these fake responses end up being so similar to each other in aggregate that they make it easier for hackers to guess the answers, not harder.

So, what’s the solution? Google advocates using authentication through SMS texting or alternate email addresses to boost security and help users recover lost passwords. These methods don’t rely on faulty human memory or our undying love of pizza. When using SMS as a recovery method, people are able to get back into their accounts more than 80% of the time, Google found.

[time-brightcove videoid= 3765906422001]