
When password security questions aren't secure

Joe Kissell | Nov. 30, 2012
Suppose you find yourself locked out of one of your accounts: after a few unsuccessful attempts at entering your password, the site blocks further access until you can confirm your identity, which usually means answering one or more security questions.

Question the questions

Security questions, such as the timeless classic "What is your mother's maiden name?", are supposed to have answers that you'll never forget but that most other people won't know or be able to guess. Unfortunately, most of the questions from which you can choose aren't secure at all.

Your mother's maiden name is a matter of public record, and nearly anyone can learn it online in a few minutes. If you ever wrote a blog entry or a Facebook post about your first pet, your favorite teacher, or another common security-question topic, those facts are effectively public too. To make matters worse, some questions invite ambiguous answers, which can work against you. "Where did you meet your spouse?" The answer might be "New York," "at a baseball game," or "Yankee Stadium," for example. Years from now, will you remember which answer you gave, spelled and capitalized exactly the same way?

Devise memorable lies: To address such problems, there's only one right way to answer verification questions: lie. And don't just lie; come up with one or more answers that follow the same rules as your other passwords so they can't be guessed: either a reasonably long (but memorable) phrase or a series of random characters. So, what was the name of my first pet? Why, it was bookends-qualitative. My mother's maiden name? Her dad was Mr. E27jrdU!8. My favorite car? I loved my 1986 Toyota Recalibration Cantaloupe. It doesn't matter what answers you give, as long as you and you alone know what they are and can supply the same ones you entered previously if asked.

I know one security expert who says he normally uses the same pseudo-random answer everywhere, although some companies (including Apple) require you to provide different answers to each of several questions, meaning you have even more password-like data to keep track of. Reusing a single answer carries the same risk as reusing a password: if one site leaks it, it opens the account-recovery path on every other site where you used it. Of course, you can write down your answers or store them in a password manager, but then the same problems that prevent you from accessing your password could prevent you from accessing your security answers.

You might make up a little story for yourself about fictional parents, cars, pets, and the like that you can memorize and then draw on when asked for security answers on different sites. Ultimately, since you're not going to be giving truthful answers, you should go out of your way to remember which lie(s) you told.

Keep them phone friendly: Remember that you could wind up in a situation where you'll have to supply these answers over the phone. If that happens, both you and the person on the other end will have an easier time with a series of plain-English words than with a string of random characters.
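As an added example (not code from the article or its author), the following Python script generates fabricated answers of both kinds described above: a string of random characters, and a phone-friendly phrase of plain-English words. It also computes the guessing entropy of each so you can compare them, and produces a distinct answer per question for sites that require them to differ. The 64-word list is a small constructed sample; a real generator would use a large published word list such as a diceware list (an assumption, not something the article specifies).

```python
"""Generate password-strength answers to security questions.

Added example, not from the original article. The word list below is a
constructed 64-word sample (assumption); a real list would have thousands
of words, which is what makes a short phrase hard to guess.
"""
import math
import secrets
import string

# Constructed sample word list: 64 plain-English words (2**6, so each word
# contributes exactly 6 bits of entropy when chosen uniformly at random).
WORDS = [
    "apple", "anchor", "bridge", "butter", "camera", "candle", "castle", "cotton",
    "dragon", "desert", "engine", "ember", "falcon", "forest", "garden", "glacier",
    "hammer", "harbor", "island", "ivory", "jacket", "jungle", "kettle", "kingdom",
    "ladder", "lantern", "marble", "meadow", "needle", "nectar", "orbit", "oyster",
    "pepper", "planet", "quartz", "quiver", "rabbit", "river", "saddle", "silver",
    "tunnel", "turtle", "umbrella", "uniform", "valley", "velvet", "walnut", "window",
    "yellow", "yogurt", "zebra", "zipper", "basket", "copper", "dolphin", "feather",
    "ginger", "helmet", "lemon", "magnet", "pencil", "rocket", "sunset", "tiger",
]

# Characters used for the random-character style of answer (75 symbols).
CHARSET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def random_char_answer(length=12):
    """Return a random-character answer, e.g. 'E27jrdU!8...' style.

    Uses the secrets module (CSPRNG), never random.choice, because the
    answer is a credential.
    """
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def phone_friendly_answer(words=3, wordlist=WORDS, sep="-"):
    """Return a phrase of plain-English words that is easy to read aloud."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(space_size, count):
    """Guessing entropy in bits of `count` uniform choices from `space_size`."""
    return count * math.log2(space_size)


def answers_for(questions, words=3, wordlist=WORDS):
    """Return a distinct phone-friendly answer for each question.

    Some sites require every question to have a different answer, so this
    re-draws until no two answers collide.
    """
    answers = {}
    for question in questions:
        answer = phone_friendly_answer(words, wordlist)
        while answer in answers.values():
            answer = phone_friendly_answer(words, wordlist)
        answers[question] = answer
    return answers


if __name__ == "__main__":
    # Usage: generate one answer of each style and show how guessable it is.
    chars = random_char_answer(12)
    phrase = phone_friendly_answer(3)
    print(f"random characters: {chars!r} "
          f"({entropy_bits(len(CHARSET), 12):.1f} bits)")
    print(f"phone-friendly:    {phrase!r} "
          f"({entropy_bits(len(WORDS), 3):.1f} bits with this 64-word list; "
          f"{entropy_bits(7776, 3):.1f} bits with a 7776-word diceware list)")
    for q, a in answers_for(["first pet", "mother's maiden name", "favorite car"]).items():
        print(f"{q}: {a}")
```

Three words from the tiny sample list give only 18 bits, which is why the comment points at a 7776-word list (about 38.8 bits for three words, 51.7 for four); the random-character answer gets roughly 75 bits from 12 characters but is the one you will struggle to read over the phone. Whichever style you choose, record the exact string (with its separators and capitalization) in your password manager against the site and question it belongs to.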
