Helping people with computers... one answer at a time.
Secret questions used to recover lost or forgotten passwords are a common weak link in account security. I'll describe an approach that takes guessing and research off the table.
Account secret questions, more correctly referred to as security questions or password recovery questions, are often the weakest link in your overall security.
So often, in fact, that many account compromises can be traced to an attacker simply guessing, or worse, already knowing, the answers to the victim's security questions.
Forgetting the answers to security questions is also a very common reason that once-lost accounts often stay lost forever.
Let's review how security questions get used by hackers to gain access to your accounts, and one approach you can use to stop them cold.
Security questions are intended to be a second level of information that can be used should you ever lose or forget your password. In many ways, they're just like passwords themselves.
When you set up your account the service will ask you one or more security questions to which you must provide an answer. That is then recorded and kept with your account. Common security questions ask you to provide your mother's maiden name, your high school mascot, your favorite pet, the model of your first car, and so on. The idea is that, like your password, these are things that only you would know; knowing the correct answers implies that you are indeed you.
When you lose your password, many systems simply ask you at least one of your security questions. After you answer them correctly, the system assumes that you are the rightful account holder and proceeds to reset or assign a new password to you.
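Because the answer really is a second password, a service should store and check it like one: never in the clear, salted and stretched, compared in constant time, and with a cap on wrong attempts so the question cannot simply be brute-forced. The following is an added example of that recovery check, not code from Ask Leo! or from any particular service; the in-memory record layout, the PBKDF2-HMAC-SHA256 work factor of 600,000 iterations and the five-attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Added example, not from the article: recording a security-question answer and
# checking it at password-recovery time, treating the answer exactly like a password.

PBKDF2_ITERATIONS = 600_000   # assumption: a current work factor for PBKDF2-HMAC-SHA256
MAX_RECOVERY_ATTEMPTS = 5     # assumption: lock the question path after this many wrong answers


def normalize_answer(answer: str) -> str:
    """Canonicalize so 'Jasper', '  jasper ' and 'JASPER' all match.

    People rarely remember how they capitalized an answer years ago. Without this
    step the honest user gets locked out while the attacker is not slowed at all.
    """
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def record_answer(answer: str, salt: Optional[bytes] = None) -> dict:
    """What the service keeps with the account: a random salt and the stretched hash.

    The plaintext answer is never stored, so a database leak does not expose it.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "failed_attempts": 0}


def check_answer(stored: dict, attempt: str) -> bool:
    """Recovery-time check with a failure counter.

    Once the limit is hit every answer is rejected, even the right one, until the
    account is unlocked by some other means (for example support with identity proof).
    The comparison is constant-time so timing does not leak how close a guess was.
    """
    if stored["failed_attempts"] >= MAX_RECOVERY_ATTEMPTS:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(attempt).encode("utf-8"),
                                 stored["salt"], PBKDF2_ITERATIONS)
    ok = hmac.compare_digest(digest, stored["hash"])
    if not ok:
        stored["failed_attempts"] += 1
    return ok


if __name__ == "__main__":
    stored = record_answer("Jasper")            # a truthful, guessable answer
    print(check_answer(stored, " jasper "))     # True: formatting differences are tolerated
    for guess in ["Fluffy", "Max", "Buddy", "Rex", "Bella"]:
        check_answer(stored, guess)             # five wrong guesses exhaust the limit
    print(check_answer(stored, "Jasper"))       # False: the question path is now locked
```

The lockout is the part most recovery flows get wrong: with no cap, a five-hundred-entry list of car models or pet names is exhausted in minutes no matter how the answer is hashed.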
In theory, it's not a bad system.
In practice, though, it's not a good one at all.
Take a look at those common security questions again: your mother's maiden name, your high school mascot, your favorite pet, your first car.
Or, more specifically, recall the security questions you were asked to create when you last set up an online account of some sort.
Now, ask yourself two questions about the answers to those questions:
Are you really the only person on the planet who knows the answers to those questions?
Are you absolutely positive that the answers to those questions can't be found anywhere by someone who might be looking?
I think you'll be surprised. I know I was when I did even a little research on myself.
With the incredible rise in popularity of social media, folks are sharing more about themselves than ever before. What you share publicly online can often be combined to quickly and easily determine the answers to your secret questions, and it doesn't take an experienced hacker to do it.
And it's not just what you share; remember that I also asked if you were certain that no one else knew the answers. I'm betting that more people do than you realize. And all that it takes is for one of them to innocently use that information in some way. "I remember when we were young; Mary just loved her first cat. I think she called it Jasper....".
It doesn't take much to open the door just a crack.
And a crack is all that's needed.
There's nothing that says that the answers you provide when setting up your account have to make sense.
All that matters is that you provide the same answer when you're asked them again.
That realization opens up a technique that defeats both guessing and research: make up nonsense answers.
Don't answer the question with the truth; make something up. Make it as unrelated to the question as possible. In fact, you can go further and make the answer another randomly generated password.
There's no way for anyone to know or guess an answer that has no connection to your life. (This protects the security-question path only, of course; if the service also offers recovery by email or text message, those channels need to be secured too.)
You do need to take extra care, however, in one important aspect.
One of the advantages of answering the secret questions truthfully is that these are things you know and are therefore easy for you to remember. The disadvantage, as we saw, is that the answers are often easy for others to know or guess, and therefore not as secure as we might think.
Even among people who answer truthfully, I'm continually surprised at how many permanently lose access to their accounts because they can't recall the exact answers they gave.
"Don't forget the answers" applies no matter what approach you take.
In the case of nonsensical answers, of course, it takes an extra step: recording your answers for future reference in a safe and secure location. My solution is an Excel spreadsheet that I keep on an encrypted drive. Other encrypted solutions, including password managers such as Roboform and file-encryption tools such as AxCrypt, make sense, as does writing down the answers and keeping them in a locked and secure place.
If you do use an encrypted solution on your computer, make sure that the data is backed up as well; a vault you can no longer open is no better than an answer you can no longer remember.
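To make the two steps above concrete, generating the nonsense answers and recording them for the vault, here is an added example that is not from the article. It compares the strength of a truthful answer, estimated from the size of the pool an attacker would have to try, against a randomly generated one, and builds the records you would keep in your encrypted store. The pool sizes are constructed illustrative assumptions, not survey data; the choice of a lowercase-plus-digits alphabet is also an assumption, made because many services trim and case-fold answers before comparing, so anything gained from uppercase letters or punctuation may be thrown away. Encryption of the records is left to the vault or encrypted drive, as the article recommends.

```python
import json
import math
import secrets

# Added example, not from the article: random security-question answers and a
# side-by-side entropy estimate against truthful answers. Standard library only.

# Assumption: lowercase letters and digits survive trimming and case-folding on
# practically every site, so entropy counted here is entropy that actually remains.
SAFE_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

# Constructed, illustrative guesses at how many plausible truthful answers exist.
TRUTHFUL_POOL_SIZES = {
    "What was the model of your first car?": 400,   # popular models of recent decades
    "What was your high school mascot?": 200,
    "What was the name of your first pet?": 2000,
    "What is your mother's maiden name?": 5000,      # common surnames; often public anyway
}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random answer of `length` symbols."""
    return length * math.log2(alphabet_size)


def truthful_answer_bits(question: str) -> float:
    """Upper bound on the work to guess a truthful answer: log2 of the plausible pool.

    Real attackers do better than this, because a little research shrinks the
    pool to a handful of candidates.
    """
    return math.log2(TRUTHFUL_POOL_SIZES[question])


def nonsense_answer(length: int = 20, alphabet: str = SAFE_ALPHABET) -> str:
    """An answer with no relation to the question, drawn with a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(question: str, length: int = 20) -> dict:
    """Strength of the truthful answer versus a generated one, in bits."""
    return {
        "truthful_bits": round(truthful_answer_bits(question), 1),
        "nonsense_bits": round(entropy_bits(len(SAFE_ALPHABET), length), 1),
    }


def recovery_records(site: str, questions, length: int = 20) -> list:
    """The entries to keep in your vault: site, the question as asked, the answer given."""
    return [{"site": site, "question": q, "answer": nonsense_answer(length)}
            for q in questions]


if __name__ == "__main__":
    for q in TRUTHFUL_POOL_SIZES:
        print(q, compare(q))
    # For a more typeable answer, four words from a 7776-word diceware list give:
    print("4 diceware words:", round(entropy_bits(7776, 4), 1), "bits")
    records = recovery_records("example.com", list(TRUTHFUL_POOL_SIZES))
    print(json.dumps(records, indent=2))   # this is what goes into the encrypted store
```

The point of the comparison is the gap: a truthful "first car" answer is worth under ten bits even before any research, while twenty random lowercase characters are worth over a hundred, and four words from a standard diceware list still exceed fifty.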
If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.
If you don't find your answer, head out to http://askleo.com/ask to ask your question.