Cyber Smarts Series: Are Website Security Questions Really Secure?
So-called security questions abound.
As if it weren’t hard enough for most people to select a secure PIN and password, most websites also ask for three “security” questions that give users a false sense of safety.
Questions such as the year your father was born, your mother’s maiden name, your high school mascot, or the name of your favorite pet are supposed to protect your privacy. The fact is that most of this information is readily available through social networking websites. If you use Facebook and are connected to your parents, siblings, children and the people you grew up with, you have probably divulged the majority of this information already. Though they may seem innocent enough, viral questionnaires such as the “twenty-five random things” and “mix-and-match names” notes disclose information that can easily be used in identity theft. The problem is that these questions actually matter. If you forget your password or are locked out of a system because of a hacker’s attempt to take over your identity, you will need to answer these questions correctly. And if the hacker gets there first and can answer the questions, they can hijack your account, change your email address and contact information, and cause financial harm.
The Question is Half the Answer
Under normal scenarios, the question is more than half the answer. If you are asked the year your father was born, the answer is a number that probably falls between your own birth year minus 35 and your birth year minus 25. Your mother’s maiden name is probably close to common knowledge, and there were probably only a handful of high schools in the town you grew up in.
How to Answer Non-secure Questions Securely
The solution is fairly simple. Don’t tell the truth. You are not taking a test, you are not being graded on your answers and nobody is going to verify the validity of your answers. All that is necessary is that you remember how you answered the questions. Follow these guidelines:
Don’t choose a year.
Since you normally get to select the questions, do not choose anything that involves a year. The practical range is 1920 to 2020, so a single guess has a 1-in-101 chance of being right, which is much too easy for an attacker.
Stick with character-based answers
That leaves you with only character-based answers. Again, the question is irrelevant: just select a pass phrase that you can remember and, if the site allows it, answer all of the questions the same way. Yes, the same. That way it is easier for you to remember your cryptic answer. Maybe that seems simplistic, but let’s suppose that you select the questions that ask for: (1) your high school mascot, (2) your maternal grandmother’s name and (3) the last name of your first boyfriend or girlfriend. All of these require character responses. Now think of a pass phrase that is unrelated to your password, mix the cases and insert a special character or two. If there is a restriction on special characters, it need not compromise security. Say that you have never lived in Salt Lake City, but you have fond memories of the Olympics held there. Your pass phrase might be: oLymP1C5alT.
Use the phrase
Again, use this phrase to answer all of the questions. On certain websites your answers may not be case sensitive, which is fine; the three answers are still relatively secure because they are obscure, and they have nothing to do with the question being asked!
If the website requires unique answers, here is what you can do. Choose three questions with character-based answers: mother’s maiden name, father’s middle name, and your first car. Come up with a pass phrase you can easily remember; my first car wasn’t electric, but I think the technology is cool. We’ll use plug in car, encoded [email protected], and add an M, F or C on the tail end. So my answers are [email protected], [email protected], and [email protected].
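To put numbers on the two rules above (no year answers; character answers, even on sites that ignore case), here is an added example of the kind of check a website could run when a user enrols security answers. It is constructed for this article and is not code from the original post; the 1920–2020 range and the 25–35 year gap are the article’s figures, and the 40-bit threshold is an assumed policy value.

```python
import math
import re
import string

# Constructed enrolment check (not from the article): rejects year-style
# answers and estimates the guess space of character answers.
YEAR_MIN, YEAR_MAX = 1920, 2020          # practical range from the article
PARENT_GAP_MIN, PARENT_GAP_MAX = 25, 35  # parent born 25-35 years before you
YEAR_RE = re.compile(r"^\s*(\d{4})\s*$")


def year_guess_space(answer, user_birth_year=None):
    """Guesses needed to cover a year answer, or None if it is not a year.
    If the site knows the user's own birth year, a parent's birth year
    shrinks to the 11-year window the article describes."""
    m = YEAR_RE.match(answer)
    if not m or not YEAR_MIN <= int(m.group(1)) <= YEAR_MAX:
        return None
    if user_birth_year is not None:
        return PARENT_GAP_MAX - PARENT_GAP_MIN + 1   # 11 candidate years
    return YEAR_MAX - YEAR_MIN + 1                   # 101 candidate years


def phrase_guess_space(answer, case_sensitive=True):
    """Upper-bound guess space for a character answer, from the character
    classes it uses.  A case-insensitive site folds upper and lower case
    into one 26-letter class, as the article notes."""
    alphabet = 0
    has_lower = any(c.islower() for c in answer)
    has_upper = any(c.isupper() for c in answer)
    if has_lower or has_upper:
        alphabet += 52 if (case_sensitive and has_lower and has_upper) else 26
    if any(c.isdigit() for c in answer):
        alphabet += 10
    if any(c in string.punctuation for c in answer):
        alphabet += len(string.punctuation)
    return alphabet ** len(answer) if alphabet else 0


def answer_bits(answer, user_birth_year=None, case_sensitive=True):
    """log2 of the guess space, so answers of both kinds can be compared."""
    space = year_guess_space(answer, user_birth_year)
    if space is None:
        space = phrase_guess_space(answer, case_sensitive)
    return math.log2(space) if space else 0.0


def acceptable(answer, user_birth_year=None, case_sensitive=True, min_bits=40.0):
    """Enrolment policy: no year answers, and enough guess space otherwise."""
    if year_guess_space(answer, user_birth_year) is not None:
        return False
    return answer_bits(answer, None, case_sensitive) >= min_bits
```

With these figures the article’s oLymP1C5alT comes out near 65 bits (about 57 bits on a case-insensitive site), while a father’s birth year is under 7 bits, and under 4 bits once the attacker knows the user’s own birth year.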
Try It Out
If you once had a 1969 Ford Mustang with V6 Engine