
When password security questions aren't secure

Joe Kissell | Nov. 30, 2012
When you find yourself locked out of one of your accounts after a few unsuccessful attempts at entering your password, the site blocks further access until you can confirm your identity.

When you select a password, you might choose to store it in a password manager, write it down, or commit it to memory (see How to remember passwords for some advice). Sometimes, however, things go wrong: You find yourself without access to your password manager, you lose the paper on which you recorded your passwords, or you forget a password you thought you memorized. Or maybe someone tries to break into one of your accounts, and after a few unsuccessful attempts at entering your password, the site locks out further access until you can confirm your identity.

In all those cases, online services need a secondary way of granting you access to your account or your data when you don't have (or can't use) your password. Sometimes, especially in lower-security situations such as access to an online publication or discussion forum, the provider lets you click a link that results in your existing password, a new password, or password-reset instructions being sent to the email address you have on file. When those simple mechanisms are considered too insecure, the site may ask you to respond to verification questions for which you've previously provided the answers.
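The "password-reset instructions" mechanism described above is only as safe as the token in the emailed link. The following is an added example, not code from the article or from any particular service, showing the server-side properties a practitioner expects of such a link: the token is random and unguessable, only its hash is stored (so a database leak does not expose usable links), it expires, it can be redeemed once, and it is compared in constant time. The service class, the account and email values, and the `example.invalid` URL are all constructed for the illustration; the fake clock exists only so expiry can be shown offline.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy for this example: a reset link is good for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class ResetRecord:
    token_hash: str   # only the SHA-256 of the token is kept server-side
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Hypothetical reset flow: issue a one-time token, email a link carrying it,
    and accept the token once, before expiry, without ever storing it in the clear."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending: dict[str, ResetRecord] = {}   # keyed by account id
        self.outbox: list[tuple[str, str]] = []      # (email, link); stands in for sending mail

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, account_id: str, email_on_file: str) -> None:
        # 32 random bytes (256 bits) from the OS CSPRNG; the raw token leaves the
        # server only inside the emailed link, never in the database.
        token = secrets.token_urlsafe(32)
        self._pending[account_id] = ResetRecord(
            self._hash(token), self._now() + TOKEN_TTL_SECONDS
        )
        link = f"https://example.invalid/reset?acct={account_id}&t={token}"
        self.outbox.append((email_on_file, link))

    def redeem(self, account_id: str, token: str, new_password: str) -> bool:
        rec = self._pending.get(account_id)
        if rec is None or rec.used or self._now() > rec.expires_at:
            return False                       # no request, already used, or expired
        if not hmac.compare_digest(rec.token_hash, self._hash(token)):
            return False                       # constant-time mismatch check
        rec.used = True                        # single use: a replayed link fails
        # Setting the new (hashed) password happens here; omitted for brevity.
        return True


def demo() -> dict:
    """Drive the flow with a constructed account and a fake clock; returns outcomes."""
    clock = [1_700_000_000.0]
    svc = PasswordResetService(now=lambda: clock[0])

    svc.request_reset("alice", "alice@example.invalid")
    token = svc.outbox[-1][1].rsplit("t=", 1)[1]   # what the user would click
    results = {
        "wrong_token": svc.redeem("alice", "not-the-token", "pw1"),
        "first_use": svc.redeem("alice", token, "pw1"),
        "replay": svc.redeem("alice", token, "pw2"),
    }

    svc.request_reset("alice", "alice@example.invalid")
    token2 = svc.outbox[-1][1].rsplit("t=", 1)[1]
    clock[0] += TOKEN_TTL_SECONDS + 1              # link sat unread past its lifetime
    results["expired"] = svc.redeem("alice", token2, "pw3")
    return results


if __name__ == "__main__":
    print(demo())
```

Note the contrast with the other option the article mentions, emailing "your existing password": a service can only do that if it stores passwords in a recoverable form, which is itself a warning sign. The reset-link design above needs no such storage.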

Unfortunately, password-reset messages and verification questions come with their own problems and risks. You can reduce your chances of being hacked (or of being unable to respond correctly to one of these questions) by following a few simple tips.

Prevent password-reset mischief

Of all your passwords, the one for your email account may be the most valuable. That's because whoever has access to your email account will be able to read and click links in any password-reset messages you receive (such as when you click an 'I Forgot My Password' link). A hacker who guessed or stole just that one password could unlock many other accounts and do all sorts of damage. You can limit your risk here in a couple of ways.

Use a dedicated password-reset account: Consider setting up a new email account for yourself (using a free service such as Gmail) with an address that you'll never share or post publicly. Use this account only when prompted to supply an email address for the purpose of verifying or resetting your passwords. That way, even if someone breaks into your main email account, the security of your other accounts won't be compromised.

Take extra care with your email account password: Be sure to choose an especially secure password for your email account. Make sure to set your email client to communicate securely with the mail server (using Secure Sockets Layer, or SSL, protocols, for example) so that your password never travels over the air unencrypted. In Apple's Mail, select Mail > Preferences, click Accounts, choose an email account from the list, and click Advanced. Here you'll see the option Use SSL.
