What’s your favorite food? What’s your favorite movie? Where did you go to high school? What’s your favorite color? What was the make of your first car? This line of questioning sounds like the sort of small talk one would have on a first date, doesn’t it? Unfortunately, the answers to these simple questions are all that is protecting your personal account information stored on many of the websites you use every day.
In late May, Google released the results of a lengthy research project that studied the safety and effectiveness of the security questions used by many online service providers to help users recover access to accounts if (or, more appropriately, when) they forget their passwords. The results were frightening.
The study found that with just one guess a hacker can correctly answer the question “What is your favorite food?” That’s because the answer for nearly 20% of English-speaking users is “pizza.” Have you ever used “What’s your father’s middle name?” as a security question on one of your accounts? I hope not. Hackers were able to correctly answer that question 76% of the time!
You might think that using harder questions provides better security for your accounts. Google found that while harder questions were more difficult for hackers to answer, they are often not usable by the account owners themselves because they are so difficult to remember. Nearly half of all users who chose difficult questions could not provide the correct answer to their own questions.
Perhaps the best solution to this problem is for website developers to allow users to create their own custom security questions with answers that are very specific and difficult to guess. Until that time comes, you may be forced to use the canned security questions offered by your vendors. Here are four tips to help you select questions that are easy to remember but harder to hack:
- Avoid choosing questions that are easy to guess or research.
Do you have a Facebook account? Do you think the information you’ve provided about yourself is private? Better double check.
ZDNet reports that an estimated 13 million Facebook users in the United States either choose not to change or are completely unaware of Facebook’s privacy settings, which means the personal information they share on the site is publicly available to hundreds of millions of people worldwide. Take a look at your profile. It provides a wealth of information about you. The “about” section of the profile page includes your work and education, places you’ve lived, your contact and basic information, family and relationship details, life events, and personal details like your favorite books, movies, pages you’ve liked, etc. This one site is a treasure chest for anyone seeking to answer questions like “What’s the name of your favorite X?”, “In what city did you go to college?” or “What year did you graduate high school?”
When possible, choose questions that have answers that few people know about you.
- Always choose questions that have many possible answers.
Avoid questions like “What month did you get married?” Chances are 100% that a hacker will get the right answer within twelve guesses. Instead, choose a question like “What is the name of a city where you once got lost?” That question has thousands of possible answers, provided you do not get lazy and set the answer to the name of the city where you were born or where you currently reside.
- Do not provide false answers.
While an easy solution to the problem may be to provide false answers to easy-to-hack questions, you won’t be doing yourself any favors. Remember that questions must be hard for hackers, not hard for you. What’s the likelihood that you’ll remember your false answer a year after setting your security question?
- Take advantage of advanced security options on your accounts.
Some websites give their users the ability to receive an email with a password reset link or a text message with a one-time security code to enter when they lose access to their accounts. (Since the release of its study’s findings, Google has discontinued the use of secret questions entirely.) When given the opportunity to enable added or alternative security features on your account, take advantage of it. Use secret questions only when you are given no other option.