Thursday, February 14, 2008

The problem with security questions - and an easy solution

Most of us have run into security questions before - they're required to reset a password, or to log into an online banking system. Often they ask for relatively common information, although that has begun to change as more sites let users pick or write their own questions. That move toward flexibility is a good thing: it encourages greater security and makes stealing accounts that much harder.

Many sites used to offer no choice of question at all, and many still don't. Those that do either let you pick from a static set of questions or let you write your own.

What many people don't realize is that security questions can actually make your account easier to steal. In most cases they were introduced to lower the cost of password resets, although on some sites they now act as a second authentication layer as well.

While a thief who steals your wallet may not be technologically savvy enough to dig through your personal history for your mother's maiden name or your place of birth, some people are. I've seen accounts accessed without permission by family members, significant others, and spouses. In other cases, a single compromised account that held security question information has led to further accounts with similar questions being compromised.

Here is an easy method that you can use to avoid this:

  1. Use a password safe application like KeePass or Password Safe. It isn't strictly necessary to make this habit work, but it makes the entire process much easier.
  2. Record the security questions that you use and the answers that you provide. Change your answers from the "real" answer to something unrelated that you record in the safe. Using a different answer for every site is a good idea: if one site's answer leaks, it can't be replayed against another site that asks the same question.
  3. If you have the option to make up your own questions, take this further - your questions do not need to have answers that anyone else would know, or that have anything to do with you at all.
  4. Back up your password safe! It is password-protected and encrypted, so you may opt to email it to yourself or to copy it to a thumb drive. Keep in mind that the backup is only as strong as the master password that protects it, so choose a long one.
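
The routine above is easy to follow by hand, but the tedious part is inventing a fresh, unrelated answer for every question on every site. The following script is an added example, not code from the original post, that automates steps 2 and 3: it picks each answer with the operating system's cryptographic random source, makes it a string of short common words so it can still be read aloud to a bank's phone agent, generates answers independently per site and per question, and renders the result as plain text to paste into the notes field of a password safe (KeePass and Password Safe both have one). The word list and the site and question strings are constructed for illustration; a real deployment would use a larger published word list.

```python
"""Generate and record per-site security-question answers.

Added example for the post above, not the author's own code. Assumes a
password safe with a free-text notes field and uses a constructed word list.
"""
import math
import secrets

# Constructed sample word list (assumption; use a large published list in
# practice). Short, common, speakable words mean an answer can be read to a
# phone agent without spelling it out. 32 words = 5 bits of entropy each.
WORDS = [
    "apple", "brick", "candle", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "marble", "needle", "orchid", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yarrow",
    "zephyr", "anchor", "basket", "copper", "dagger", "engine", "feather", "gravel",
]


def random_answer(n_words=3, words=WORDS, separator=" "):
    """Return n_words words picked uniformly with a CSPRNG (secrets, not random).

    separator lets you emit e.g. "apple-brick-candle" for sites whose forms
    reject spaces in the answer field.
    """
    return separator.join(secrets.choice(words) for _ in range(n_words))


def answer_entropy_bits(n_words=3, words=WORDS):
    """Guessing strength of an answer: log2(len(words)) bits per word."""
    return n_words * math.log2(len(words))


def generate_entries(site, questions, n_words=3, words=WORDS, separator=" "):
    """Map each question a site asks to a fresh, unrelated answer.

    Answers are drawn independently per question and per site, so a leak of
    one site's answers tells an attacker nothing about another site's, even
    when both sites ask the identical question.
    """
    entries = {q: random_answer(n_words, words, separator) for q in questions}
    return {"site": site, "entries": entries}


def to_safe_note(record):
    """Render a record as plain text for the password safe's notes field."""
    lines = [f"Security questions for {record['site']}"]
    for question, answer in record["entries"].items():
        lines.append(f"Q: {question}")
        lines.append(f"A: {answer}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed site name and questions (assumption).
    bank = generate_entries(
        "bank.example",
        ["What is your mother's maiden name?", "In what city were you born?"],
    )
    print(to_safe_note(bank))
    print(f"\n~{answer_entropy_bits():.0f} bits per answer with this word list")
```

Three words from this 32-word list give 15 bits per answer, which is already far beyond what a guesser can try against a rate-limited reset form and far beyond a real maiden name or hometown that a relative or an old social network profile hands over for free; a bigger list or a fourth word raises it further at no cost to you, since the safe is doing the remembering.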
Security staffers - here's your chance to help the cause. Teach your web developers to offer security question options, so that users aren't stuck with the standard questions whose answers can easily be learned. A little education and a few relatively easy design choices can significantly improve the security of your password recovery and authentication systems.


matt said...

Definitely good advice, especially since many web applications which _require_ security questions don't let you choose the questions. Rather, they ask a few things like favorite book/music artist, hometown, etc... all things that could be easily answered by looking at someone's MySpace/Facebook/blog page.

Unknown said...

Change your answers from the "real" answer to something that you can record in the safe.

This is fabulous advice. Couldn't agree more.

PassPack Founding Partner