
Security questions/answers need to be just as secure as passwords


Mr. Bill:
Some online services demand strong passwords, but have very weak requirements for the "security answer" that you use to reset a lost password. This is stupid. The security answer is a backup password and should be just as secure as the primary password.

Example from a company that shall remain unnamed:

The security answer must be:
* 2 to 14 characters
* letters only, no numbers, spaces, or other characters
* not case-sensitive

And there are only four "security questions" to choose from:
* What was the name of your first pet?
* What was the name of the city your high school was located in?
* What is your father's middle name?
* What was the make of your first car?

Now of course, you can put any random thing you want as the answer, but most people will answer truthfully so that they'll be able to remember without writing it down. As a result, hackers only need lists of common pet names, major cities, common given names, and car manufacturers, and they'll be able to reset the passwords on a large fraction of accounts.

If you run into something like this, DON'T enter the real answer if it's a common word or name. Treat it like a password and enter something unguessable.

(Yes, someone I know got hacked this way.)
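As an added example that is not part of this thread: a short Python model of the policy Mr. Bill quotes, comparing the nominal answer space (2 to 14 case-folded letters) against the handful of guesses needed when answers come from a short common list, plus a check that flags such answers as weak. The common-answer lists below are constructed stand-ins, deliberately tiny compared with the lists an attacker would actually use.

```python
import math
import string

# Policy quoted in the post: 2 to 14 characters, letters only, case-insensitive.
MIN_LEN, MAX_LEN = 2, 14
ALPHABET = string.ascii_lowercase

# Constructed sample lists of common answers (assumed, not from the post).
# Real lists are far longer; these only illustrate the size mismatch.
COMMON_ANSWERS = {
    "first pet": {"max", "bella", "charlie", "lucy", "buddy"},
    "high school city": {"chicago", "houston", "phoenix", "dallas", "austin"},
    "father's middle name": {"james", "john", "robert", "michael", "william"},
    "first car": {"ford", "toyota", "honda", "chevrolet", "nissan"},
}


def policy_answer_space(min_len=MIN_LEN, max_len=MAX_LEN, alphabet_size=len(ALPHABET)):
    """Number of distinct answers the policy permits once case is folded."""
    return sum(alphabet_size ** k for k in range(min_len, max_len + 1))


def bits(n):
    """Entropy in bits if every one of n answers were equally likely."""
    return math.log2(n)


def normalize(answer):
    # The policy is not case-sensitive, so compare in lower case.
    return answer.lower()


def complies_with_policy(answer):
    a = normalize(answer)
    return MIN_LEN <= len(a) <= MAX_LEN and all(c in ALPHABET for c in a)


def is_weak_answer(question, answer, min_strong_len=12):
    """True when the answer appears in the common list for that question or is
    short enough to enumerate quickly under a letters-only policy. The
    12-letter threshold is an assumed rule of thumb, not from the post."""
    a = normalize(answer)
    if a in COMMON_ANSWERS.get(question, set()):
        return True
    return len(a) < min_strong_len


def guess_budget(question):
    """Guesses to cover the (constructed) common list vs. the whole policy space."""
    return len(COMMON_ANSWERS[question]), policy_answer_space()
```

Run `guess_budget("first pet")` to see the comparison the post describes: a list of a few hundred pet names covers most truthful answers, while the nominal space is roughly 2^66.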

I try to make sure I store bogus answers to the security questions in my password manager for the important sites. It's a pain to have to go look them up, but it's fairly trivial for an attacker to find out a lot of your real answers.

I always use a non sequitur answer. It is usually the same for all the questions and is noted in my archives as to what it is.
