What’s your favourite colour?
Where did you go to school?
When is your wedding anniversary?
These are some of the common security questions which sites and banks ask you to store with them in case you forget your passwords. In some sites, these questions become even more personal like your first pet’s name, where you went to school, and what was your first crush’s name.
While Security Question and Answers is a method lots of site use for you to get access to your account in case you forgot your password, this is a very insecure method in my opinion. Why is it insecure?
Lack of security in storing security questions.
Did you know that even if most sites follow a stringent security policy and encrypt your passwords when they are stored in their systems, a sizable number still leave your security questions and answers in plain text in their databases?
This means that if their database is compromised and stolen, now the crooks have a way of getting access to your account using the security questions, even if your password is securely stored away. You can’t really go reset your birthdate and pet’s name any time soon. They can also use this knowledge to get access to your accounts on other sites you’ve signed up as well.
Scraping information from your social feeds and surveys
Most of the answers to your password recovery questions can also be easily scraped out of your social network profiles and feeds. Your date of birth, your mother’s name, where you went to school, your anniversaries, your pet’s name and more. Your social media profiles, like those on Facebook and Linkedin, can tell people more than you want them to know.
How many times have you taken part in surveys in your social feed? Your favourite food, holiday destinations, which songs and movies you like. Information from such innocent-looking social surveys could lead to your information getting compiled into a profile which can someday be used in attacks against your accounts if you don’t know who is collecting this data.
How do I keep myself safe? Lie!
Earlier, I used to answer these questions quite truthfully, but after a few attempts of account takeovers over the years. I’ve started blatantly lying on the security questions, and so should you. The answers you put in needn’t make sense as long as you know what the answers are. For example, if any site asks me for my favourite colour I would reply with something like breadsun. Gibberish, but no one else knows the answer. (No! that’s not the answer I actually use )
Did you know your first school was Doggies Rescue Cat in Space University? You can get even more cryptic and answer that with [email protected]@ERTG.
Now the other part of this security exercise is to actually remember the gibberish you use, lest you forget your password and your recovery answers and lose access to your account. Most password managers allow you to store secure notes, or additional notes per site, which is what I use to store the answers.
I have also started keeping a separate set of answers for sites which require higher security so that even if the answers are compromised in data breaches, accounts on these sites are not easily taken over.
There’s no quick way around good security – use unique passwords in every site and unique answers to recovery questions on every site as well. You should use a password manager to prevent your brain from being overloaded with password and answers. This way anyone who gets a hold of your password from a breached site can’t use the same details to take over your accounts on others.