Your favorite pet's name can be hazardous to your online security. That's the message security expert Jim Fenton delivered in a talk I recently attended at PasswordsCon.
What makes a question like, "What is your favorite sports team?" a security risk? Isn't answering it supposed to enhance your security? Actually, says Fenton, such questions aren't intended primarily to enhance your security. On the contrary, websites make you answer them because doing so gives the site a cheap way to reset your account when you forget your password.
And don't mistake a security question for a strong security-enhancing technique like two-factor authentication, which is growing in popularity. In two-factor authentication, besides your password, the second component you supply to prove your identity must be something entirely different, such as a fingerprint or a code that the site sends to your mobile phone.
Why They're Risky
In fact, an answer to a security question can easily be far less secure than a properly chosen password. A piece of information such as the name of your high school, or favorite color, violates several of the rules we are supposed to follow when we choose passwords:
- It's made up of dictionary words.
Personal information can also be relatively easy for an unauthorized person to obtain:
Above are some of the ways Fenton showed that someone could track down such personal information as your high school or the hospital in which you were born. And some information that might be not available online could nevertheless be easily guessed by using online lists of favorite baby names, popular car colors, or the most common street names in each of the 50 states.
Part of the problem with many security questions is that they are designed more to get an answer that's easy to remember than one that's secure. While that approach is understandable, there's still no excuse for such poorly designed questions as "What is your favorite season?" (how many possible answers could there be?), or "Who is the first President you voted for?" (easy to guess from your age). These two examples are drawn from a sometimes amusing collection of actual security questions that Fenton has compiled. He invites you to submit other examples.
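To make the "how many possible answers could there be?" point concrete, here is a small added example (my own illustration, not code from Fenton's talk or the article) that estimates how hard a security-question answer is to guess when the attacker tries the most common answers first, and compares it with a randomly chosen password. The answer-frequency tables are constructed, round-number assumptions for illustration, not survey data; the functions and names are mine.

```python
import math
from typing import Dict, List

# Constructed, illustrative answer frequencies (fraction of users expected
# to give each answer). These are assumptions for the demo, not measured data.
FAVORITE_SEASON: Dict[str, float] = {
    "summer": 0.40, "fall": 0.25, "spring": 0.20, "winter": 0.15,
}
FAVORITE_COLOR: Dict[str, float] = {
    "blue": 0.35, "green": 0.15, "red": 0.12, "purple": 0.10,
    "black": 0.08, "orange": 0.05, "yellow": 0.05, "other": 0.10,
}


def _sorted_probs(dist: Dict[str, float]) -> List[float]:
    """Answer probabilities ordered most-likely-first (the attacker's best order)."""
    return sorted(dist.values(), reverse=True)


def min_entropy_bits(dist: Dict[str, float]) -> float:
    """Min-entropy: strength against an attacker who makes one guess,
    the single most popular answer."""
    return -math.log2(max(dist.values()))


def shannon_entropy_bits(dist: Dict[str, float]) -> float:
    """Shannon entropy of the answer distribution (average uncertainty)."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def expected_guesses(dist: Dict[str, float]) -> float:
    """Expected number of guesses ("guesswork") when answers are tried
    most-likely-first: sum over rank i of i * P(answer at rank i)."""
    return sum((rank + 1) * p for rank, p in enumerate(_sorted_probs(dist)))


def success_after_k_guesses(dist: Dict[str, float], k: int) -> float:
    """Fraction of accounts an attacker opens with at most k guesses."""
    return sum(_sorted_probs(dist)[:k])


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def expected_guesses_uniform(space_size: int) -> float:
    """Guesswork for a uniform choice over space_size values: (N + 1) / 2."""
    return (space_size + 1) / 2


def summarize(name: str, dist: Dict[str, float]) -> Dict[str, float]:
    """Collect the metrics for one question so they can be compared side by side."""
    return {
        "question": name,
        "answers": len(dist),
        "min_entropy_bits": round(min_entropy_bits(dist), 2),
        "shannon_bits": round(shannon_entropy_bits(dist), 2),
        "expected_guesses": round(expected_guesses(dist), 2),
        "opened_with_3_guesses": round(success_after_k_guesses(dist, 3), 2),
    }


if __name__ == "__main__":
    for name, dist in (("favorite season", FAVORITE_SEASON),
                       ("favorite color", FAVORITE_COLOR)):
        print(summarize(name, dist))
    # An 8-character password drawn uniformly from 62 symbols, for contrast.
    print("8-char random password:",
          round(random_password_bits(8, 62), 1), "bits,",
          "expected guesses", expected_guesses_uniform(62 ** 8))
```

The metric that matters most for account recovery is not the average-case Shannon entropy but the min-entropy and the success rate after a handful of guesses: with the constructed figures above, trying just two seasons opens well over half of the accounts, which is why a site that lets an attacker retry a security question without a lockout or rate limit is effectively offering a four-guess reset.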
How To Minimize Your Risk
- Choose the best question. If you're offered a choice of questions, choose one that's less susceptible to guessing or research, while steering clear of weak ones such as your mother's maiden name or your favorite sports team. If you are permitted to make up your own question, consider doing so. But don't make up one that's just as weak. Have it ask for information that you've never shared.