Helping people with computers... one answer at a time.
Secret questions used to recover lost or forgotten passwords are a common weak link in account security. I'll describe my hack-proof approach.
Account secret questions, more correctly referred to as security questions or password recovery questions, are often the weakest link in your overall security.
So often, in fact, that many account compromises can be traced to an attacker simply guessing, or worse, already knowing, the answers to common security questions.
Forgetting the answers to security questions is also a very common reason that lost accounts stay lost forever.
Let's review how security questions get used by hackers to gain access to your accounts, and one approach you can use to stop them cold.
Security questions are intended to be a second level of information that can be used should you ever lose or forget your password. In many ways, they're just like passwords themselves.
When you set up your account the service will ask you one or more security questions to which you must provide an answer. That is then recorded and kept with your account. Common security questions ask you to provide your mother's maiden name, your high school mascot, your favorite pet, the model of your first car, and so on. The idea is that, like your password, these are things that only you would know; knowing the correct answers implies that you are indeed you.
When you lose your password, many systems simply ask you at least one of your security questions. After you answer them correctly, the system assumes that you are the rightful account holder and proceeds to reset or assign a new password to you.
In theory, it's not too bad of a system.
In practice, though, it's not that good of a system at all.
Take a look at those common security questions again. Or, more specifically, recall the security questions you were asked to create when you last set up an online account of some sort.
Now, ask yourself two questions about the answers to those questions:
Are you really the only person on the planet who knows the answers to those questions?
Are you absolutely positive that the answers to those questions can't be found anywhere by someone who might be looking?
I think you'll be surprised. I know I was, after doing even a little research on myself.
With the incredible rise in popularity of social media, folks are sharing more about themselves than ever before. Often, what you share publicly online can be pieced together by an experienced attacker to determine the answers to your secret questions quickly and with little effort.
And it's not just what you share; remember that I also asked if you were certain that no one else knew the answers. I'm betting that more people do than you realize. And all that it takes is for one of them to innocently use that information in some way. "I remember when we were young; Mary just loved her first cat. I think she called it Jasper....".
It doesn't take much to open the door just a crack.
And a crack is all that's needed.
There's nothing that says that the answers you provide when setting up your account have to make sense.
All that matters is that you provide the same answer when you're asked them again.
That's all.
That realization opens up a technique that is virtually hack-proof: make up nonsense answers.
Don't answer the question with the truth; make something up, and make it as unrelated to the question as possible. The answer can even be another strong, randomly generated password.
No one can look up or guess an answer that has no connection to you. What remains is the same exposure any password has: the answer is only as safe as the place you keep it, which is why the next point matters.
You do need to take extra care, however, in one important aspect.
One of the advantages of answering the secret questions correctly is that these are things you know and are therefore easy for you to remember. The disadvantage, as we saw, is that the answers are often easy for others to know or guess, and therefore not as secure as we might think.
Even when people answer the questions truthfully, I'm continually surprised at the number who permanently lose access to their accounts because they can't recall the answers later.
"Don't forget the answers" applies no matter what approach you take.
In the case of nonsensical answers, of course, it takes an extra step: recording your answers for future reference in a safe and secure location. My solution is an Excel spreadsheet that I keep on an encrypted drive. Other encrypting solutions, including tools like Roboform and AxCrypt, make sense, as does writing down the answers and keeping them somewhere locked and secure.
If you do use an encrypted solution on your computer, make sure that the data is backed up as well, and that the backup is encrypted too.
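The following is an added example, not code from the original article, that puts the advice above into working form: it generates made-up answers that survive the lowercasing and trimming most recovery forms apply, keeps them in a per-site "vault" meant for an encrypted store, and then shows why the truthful answer falls to a short guess list while the made-up one does not. The service-side part (salted PBKDF2 hash of the normalized answer, constant-time compare, attempt budget) models how a well-implemented recovery flow would store and check answers; it is not a claim about any particular service. The pet-name list, the pool sizes and the round count are constructed assumptions for illustration.

```python
"""Security questions as a second password: generate answers that cannot be
looked up, and see why a truthful answer falls to a small guess list.

Added example; standard library only. The pet-name list, pool sizes and
PBKDF2 round count are constructed assumptions, not measured data.
"""
import hashlib
import math
import secrets
import string

# Lowercase letters and digits only: recovery forms commonly lowercase the
# answer, trim it, or reject punctuation, so an answer drawn from this
# alphabet is unchanged by that handling and can be typed back exactly.
ALPHABET = string.ascii_lowercase + string.digits
PBKDF2_ROUNDS = 100_000  # assumed work factor for the service-side store


def normalize(answer):
    """Trim, collapse inner whitespace and lowercase, as many forms do."""
    return " ".join(answer.split()).lower()


def generate_answer(length=20):
    """A random answer with no relationship to the question or to you."""
    if length < 12:
        raise ValueError("a recovery answer is a password; use 12+ characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_vault(site, questions, length=20):
    """One fresh random answer per question for one site. Keep the result in
    an encrypted store (password manager, encrypted volume), never plain."""
    return {"site": site, "answers": {q: generate_answer(length) for q in questions}}


def bits(pool_size):
    """Entropy in bits of an answer drawn uniformly from pool_size choices."""
    return math.log2(pool_size)


def random_answer_bits(length=20):
    """Entropy of a generate_answer() result of the given length."""
    return length * bits(len(ALPHABET))


# Service side, as a careful recovery flow would do it: store a salted slow
# hash of the normalized answer and compare digests in constant time.
def store_answer(answer):
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def verify_answer(record, attempt):
    digest = hashlib.pbkdf2_hmac("sha256", normalize(attempt).encode(),
                                 record["salt"], PBKDF2_ROUNDS)
    return secrets.compare_digest(digest, record["digest"])


# Attacker side: try the most likely answers in order, within the attempt
# budget a service should enforce. Returns (answer, attempts_used) on
# success or (None, attempts_used) when the budget or list runs out.
def guess_answer(record, candidates, max_attempts=1000):
    tried = 0
    for candidate in candidates[:max_attempts]:
        tried += 1
        if verify_answer(record, candidate):
            return candidate, tried
    return None, tried


# Constructed stand-in for a list of popular pet names; a real list would be
# thousands long, which is still only about 12 bits of guessing work.
LIKELY_PET_NAMES = ["max", "bella", "charlie", "lucy", "jasper", "molly", "buddy", "daisy"]


if __name__ == "__main__":
    truthful = store_answer("Jasper")  # Mary's real first cat
    print("truthful answer recovered:", guess_answer(truthful, LIKELY_PET_NAMES))
    vault = build_vault("example.com", ["favorite pet", "first car"])
    made_up = store_answer(vault["answers"]["favorite pet"])
    print("made-up answer recovered:", guess_answer(made_up, LIKELY_PET_NAMES))
    print(f"truthful pool ~{bits(5000):.1f} bits vs random {random_answer_bits():.1f} bits")
```

Two things the run makes visible: the truthful answer is found on the fifth guess even though the service hashed it properly, because hashing does nothing against a tiny answer space; and you have no control over the service side at all, which is exactly why the strength has to come from the answer you choose and from where you keep it.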
Article C4750 - February 26, 2011
March 5, 2011 10:30 PM
The easiest way to remember passwords is use a program like the free program Passwordsafe, that keeps all your passwords in an encrypted file. I now only have to remember one password. Even as senile as I am I can do that.
March 6, 2011 7:52 AM
The book "Perfect Passwords: Selection, Protection, Authentication" by Mark Burnett (ISBN-10: 1597490415, ISBN-13: 978-1597490412) devotes an entire section of Chapter 7 to the faults and pitfalls of "Secret Questions" in password recovery, and while the worst practices seem to have abated, much of what is written there remains as relevant today as it was when it was first written, way back in 2006.
By the bye, I myself was a very self-absorbed youth, and I very often find that the "Security Questions" I am offered online have no relevance to me at all! My high school's mascot? My first girlfriend's name? The model of my first car? My first child's first name? The year my grandfather was born?
Well, guess what folks?
I have no idea what the HS mascot was (or indeed if we even had one); I never had a girlfriend; I never owned a car; what makes these morons think I ever got laid, let alone had a kid (that's quite an assumption, if you stop to think about it. In fact, I wonder what the gays and nuns think about that question!); and as for my grandfather, he died before I was ever born, so I haven't God's own notion when he came into the world.
So now what?!
These so-called "Security Questions" will never be completely useable, until they can be made 100% relevant to everyone.
March 17, 2011 8:59 AM
I don't know if this also happens with the TrueCrypt volume. But I use a similar approach using a password-protected RAR file where I keep a file that has my passwords. However, I have to remember to check/delete the temp files after every use, since the encrypted files are unzipped to the temp folder every time I read them, and sometimes WinRAR won't delete them after I close it. This is something to be aware of in some protected files.
August 10, 2012 9:31 AM
My belief now is that the best, most secure method of storing passwords is to write them down on paper - do not store them in a computer file, encrypted or otherwise.
I know - but if you think about it how can anyone access the bit of paper - a burglar? - they'll be looking for goodies not a sheet of paper!
August 23, 2012 9:14 AM
Sarcasm actually IS my high school mascot.