Posted
08.05.2015

How to avoid the surprising risks of password security questions

Your favorite pet’s name can be hazardous to your online security.

That’s the message security expert Jim Fenton delivered in a talk today at PasswordsCon.

What makes a question like What is your favorite sports team? a security risk? Isn’t answering it supposed to enhance your security? Actually, says Fenton, such questions aren’t intended primarily to enhance your security. On the contrary, Web sites make you answer them because it gives them a cheap way to let you reset your account when you forget your password.

And don’t mistake a security question for a strong security-enhancing technique like two-factor authentication, which is growing in popularity. In two-factor authentication, besides your password, the second component you supply to prove your identity must be something entirely different from another secret you type in, such as a fingerprint or a one-time code that the site sends to your mobile phone. A security question is just a second, usually weaker, password.

Why they’re risky

In fact, an answer to a security question can easily be far less secure than a properly chosen password. A piece of information such as the name of your high school, or favorite color, violates several of the rules we are supposed to follow when we choose passwords:

• It’s made up of dictionary words

• It’s not especially secret (e.g. it’s often shared on social networks like Facebook, or known by friends and family)

• It will be identical across all the web sites at which you use it

Such information can also be relatively easy for an unauthorized person to obtain. Fenton showed several ways someone could track down such personal information as your high school or the hospital in which you were born. And some information that isn’t available online could nevertheless be easily guessed by working through online lists of favorite baby names, popular car colors, or the most common street names in each of the 50 states.

Part of the problem with many security questions is that they are designed more to get an answer that’s easy to remember than one that’s secure. While that approach is understandable, there’s still no excuse for such poorly designed questions as What is your favorite season? (there are only four possible answers) or Who is the first President you voted for? (easy to guess from your age). These two examples are drawn from a sometimes amusing list of actual security questions that Fenton has compiled. He welcomes you to submit other examples.

How to minimize your risk

• Choose the best question. If you’re offered a choice of questions, choose one that’s less susceptible to guessing or research, while steering clear of weak ones such as your mother’s maiden name or your favorite sports team. If you are permitted to make up your own question, consider doing so. But don’t make up one that is just as weak. Have it ask for information that you’ve never shared, online or offline.

• Make up an answer. You probably didn’t realize this, but you can do what many security professionals do: make up any answer you like to a security question. Web sites don’t validate them the way they do other information you enter into forms, such as your zip code or phone number. So, for example, you could say that your favorite sports team is “breakfast” or that the city in which you were married was “tranquility.” Treat the made-up answer like a second password: use a different one at each site, and make sure it is something you will remember (or store it somewhere safe for an emergency).

• Use a password manager. You can avoid having to remember security answers at all by letting a password manager such as Dashlane, LastPass or KeePass generate and store them, an approach some security pros use. Sure, the password manager might respond to a security question with a meaningless answer like 3%Tk+$H2sx_QPb. But who cares, so long as it provides that same answer whenever it’s needed? I haven’t used any of these three password managers myself to answer security questions, so examine their features, or check out other password managers, and do a trial test of any product you find suitable before using it on any important accounts.
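To make the contrast concrete, here is an added Python example (not code from the original post or from Fenton’s talk) that compares how many guesses an attacker needs for a popular answer to a real-world-style question against the strength of a randomly generated answer of the kind a password manager would store. The answer popularity lists are constructed for illustration, not survey data, and the 14-character alphabet choice is an assumption about what a manager might generate.

```python
import math
import secrets
import string

# Constructed, illustrative popularity lists for two real-world-style
# questions; these are NOT survey data. An attacker who knows the answer
# distribution tries answers in order of popularity, so an answer's rank
# is the number of guesses needed to hit it.
POPULAR_ANSWERS = {
    "What is your favorite season?": ["summer", "fall", "spring", "winter"],
    "What is your favorite color?": [
        "blue", "red", "green", "purple", "black", "orange", "yellow", "pink",
    ],
}

# Assumed character set a password manager might draw from for a generated
# answer (letters, digits and a few symbols sites usually accept).
ALPHABET = string.ascii_letters + string.digits + "%+$_"


def guesses_needed(question, answer):
    """Ordered guesses an attacker needs to reach `answer`, or None if the
    answer is outside the (constructed) popularity list for `question`."""
    ranked = POPULAR_ANSWERS[question]
    normalized = answer.strip().lower()
    if normalized in ranked:
        return ranked.index(normalized) + 1
    return None


def question_space_bits(question):
    """Upper bound on the strength of any answer to `question`, in bits:
    log2 of the number of plausible answers, even if all were equally likely."""
    return math.log2(len(POPULAR_ANSWERS[question]))


def random_answer(length=14, alphabet=ALPHABET):
    """Generate the kind of meaningless answer a password manager would store,
    using the OS CSPRNG via `secrets` rather than the `random` module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_answer_bits(length=14, alphabet=ALPHABET):
    """Entropy in bits of a uniformly random answer of `length` characters
    drawn from `alphabet`."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    q = "What is your favorite season?"
    print(f"{q!r}: at most {question_space_bits(q):.1f} bits; "
          f"'Fall' falls on guess #{guesses_needed(q, 'Fall')}")
    gen = random_answer()
    print(f"generated answer {gen!r}: about {random_answer_bits():.1f} bits")
```

A favorite-season answer is worth at most two bits no matter how cleverly it is chosen, while a 14-character answer from a 66-character alphabet is roughly 84 bits; a made-up answer such as “breakfast” sits outside the popularity list entirely, which is exactly why it resists the ordered-guessing attack.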

Check back soon here at StateoftheNet.Net for more security insights from PasswordsCon and DEFCON. Better yet, Like our Facebook page and be automatically notified every time a new report is published here.

–Jeff Fox
