Those so-called “Security” questions are punching holes in your account defenses
Let’s say your friend puts a high-security deadbolt on his front door. He then writes “Only for my mother” on an envelope, puts the key in it and tapes it on the door. Would you feel comfortable storing your family silver at his house? I’m guessing “no”.
Securing an account with a strong, unique password, and then using simple security questions & answers is not much better.
This article addresses account security questions and how you should use them.
More info:
Are Your Security Questions As Safe As You Think?
Auth0.com
Time to Kill Security Questions—or Answer Them With Lies
Wired.com
Security Questions Are a Terrible, Horrible, Bad Idea
Betterprogramming.pub
TAKE HOME MESSAGE
Security questions are a bad idea. Whatever you do, please stop using your mother’s maiden name.
Security is all about giving access to those who should have it and blocking access from those who shouldn’t. With online accounts, we typically do this with passwords. But what happens if you forget your password? Online services often require you to provide answers to “security” questions when you create the account, so that you can answer them later to verify your identity and get back into the account by resetting your password. This is a great idea with an obvious flaw… what if you are not the only person who can answer those “security” questions? Just as you can answer the questions to bypass the password and get into your account, a hacker who can research the answers can do so as well.
What are security questions?
They are the standard questions most online services require you to answer when you create an account. Typical questions are “What is your mother’s maiden name?” and “In what city did you go to high school?”
Why are they insecure?
GENERIC ANSWERS
Statistically speaking, most of your “unique” answers are not. According to research done by Google, a hacker would have a 19.7% chance of guessing an English-speaking user’s answer to the question “Favorite food?” With 10 guesses, a hacker would have a 39% chance of getting a Korean-speaking user’s answer to “City of birth”.
RESEARCH
Hackers can find many of the answers by searching the Internet and social media. If you post your birthplace on social media, there’s a fair chance you went to school in the same city. Your mother’s maiden name can often be found by a search into your ancestry.
BREACHES
Many accounts ask the same security questions. When (it’s never “if”) another online service you use gets breached, hackers may get access to your answers there. They can then use them to circumvent your security at the rest of your online accounts.
But I still have a password to protect me…
That’s the point. You (and a potential hacker) can bypass the password by, instead, answering the security questions. The security questions are, in fact, a master key that can be used instead of the password.
So, what should I do?
Option #1: Enter gibberish. When I create local admin accounts for clients, I enter 35-50 strings of random characters. I would prefer to not provide security answers, but I am forced to do so. I feel completely safe that a hacker won’t guess the extremely complex “answers” to get into the account.
Option #2: Answer each security question uniquely (and incorrectly) for each account. For instance, instead of entering Philadelphia for your hometown, enter “Amazon66774-Philadelphia” for your Amazon account. You would then need to document this for yourself (preferably offline in a notebook, or in a password-encrypted document stored locally). Yes, Option #2 is much more tedious, so you may just want to go with Option #1.
But what if I enter gibberish answers and then forget my password?
Then use the “Forgot my password” option, and have a reset link sent to your email address or phone.
What if I can’t reset my password because I have lost access to my email address?
This is a big concern. As we posted last month, securing your email account is about more than just protecting the privacy of your email messages. So, if you answer your security questions with gibberish, you need to make sure that your email account is *very* secure. But most reputable email accounts will allow you to add a cell phone number to instead get a reset link by text. If yours does not, then you may want to think about getting a different email account. Seriously. Regardless of how you handle security questions, losing access to your email account will put most, if not all, of your online accounts at risk. And if you lost access to your email account, you can’t get into your other accounts to redirect them to a new email address.
What if the account does not allow me to provide custom answers?
United Airlines (with whom I have a love/hate relationship) forces you to select from their list of questions. For each question, you must select from their list of possible answers. For instance, if you select the question “What is your favorite style of music?”, you must then select from Rock, Jazz, Rap, R&B, etc. This is the worst implementation of security questions because the number of possible combinations is quite limited. The only way to make this even a bit more secure is to choose obviously wrong answers for yourself.
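To make the difference between the options concrete, here is a small added example (not code from the article) that does two things: it generates the kind of 35-50 character gibberish answers recommended under Option #1 using Python’s cryptographically secure `secrets` module, and it computes how many guesses an attacker would need against a free-text random answer versus a pick-from-a-list scheme like the one just described. The character set, the 40-character default and the three-questions-of-ten-choices scenario are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumed character set: letters, digits and a few punctuation characters
# that most free-text answer fields accept.
ALPHABET = string.ascii_letters + string.digits + "-_.!"


def gibberish_answer(length: int = 40) -> str:
    """Return a cryptographically random answer of the given length.

    The article recommends 35-50 random characters; 40 is an assumed default.
    secrets.choice draws from the OS random source, unlike random.choice.
    """
    if not 35 <= length <= 50:
        raise ValueError("use 35-50 characters, as the article recommends")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def answers_for(account: str, questions: list[str], length: int = 40) -> dict:
    """Generate one independent random answer per question for one account.

    The returned record is what you would write down offline, so that the
    gibberish answers are recoverable by you and nobody else.
    """
    return {
        "account": account,
        "answers": {q: gibberish_answer(length) for q in questions},
    }


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random answer of this length."""
    return length * math.log2(alphabet_size)


def guess_probability_random(length: int, attempts: int,
                             alphabet_size: int = len(ALPHABET)) -> float:
    """Chance that `attempts` online guesses hit a uniformly random answer."""
    space = alphabet_size ** length
    return min(1.0, attempts / space)


def guess_probability_multiple_choice(choices_per_question: int,
                                      questions: int, attempts: int) -> float:
    """Chance of guessing when every question is answered from a fixed list.

    With 3 questions of 10 choices each there are only 1000 combinations, so
    10 attempts already give a 1% chance; this is the weakness of the
    pick-from-a-list design.
    """
    space = choices_per_question ** questions
    return min(1.0, attempts / space)


if __name__ == "__main__":
    # Constructed sample: one account with two standard questions.
    record = answers_for("example-airline", ["Mother's maiden name?",
                                             "City of birth?"])
    for question, answer in record["answers"].items():
        print(f"{question} -> {answer}")
    print(f"entropy of a 40-char answer: {entropy_bits(40):.1f} bits")
    print("10 guesses vs random answer:",
          guess_probability_random(40, 10))
    print("10 guesses vs 3x10 multiple choice:",
          guess_probability_multiple_choice(10, 3, 10))
```

The generated answers are meant to be pasted into the site and recorded offline; nothing here stores them, because the article’s advice is that the record lives in a notebook or an encrypted file you control, not in the script.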
What should I do right now?
CHANGE ANSWERS ON EXISTING ACCOUNTS
Change the answers to the security questions of your current accounts. As stated above, gibberish answers are the most secure. If you don’t want to spend as much time doing this, do it at least for your most important accounts (especially your primary email account).
CLEAN UP YOUR SOCIAL MEDIA
If you have used such information in your security questions, then remove it from your social media. If you’ve answered security questions with your correct hometown, then remove it from your Facebook page (and other social media accounts).
If you have questions about this, please let us know and we will be happy to assist you.
Take care,