April 7, 2010

The Myth of 'Security Questions'

Security questions are dangerous.  For those who aren't quite sure what I'm referencing, security questions are simply those questions that you are asked to set up when creating an online account.  They often ask things like "What is your mother's maiden name?" or "What city were you born in?" or any number of other such questions.  These are often used to confirm your identity should you need to reset your password, and therein lies the danger.

Unfortunately, answers to simple questions such as "What's your favorite color?" can often be determined from a person's social networking sites, like Facebook, Myspace, etc.  Even if they can't be found there, a simple conversation can easily dupe a victim into revealing those answers without arousing any suspicion.  After all, when's the last time you became concerned when someone asked you about your favorite color?  Indeed, Sarah Palin's email account was broken into because the attacker was able to reset her password after using publicly available information to answer the 'security questions'.

The problem is, far too many services online rely on such pseudo-personal information to "prove" your identity, while the truth remains that most of the answers to these questions can usually be easily determined by a third party.  So, what's the defense?  Easy: just answer the questions incorrectly.  For example, if you simply use a completely unrelated word, such as "quantify", as the answer to every security question, you greatly decrease the chance a third party has of compromising your account.  A security question may ask, "What is your favorite color?", but whether or not an attacker knows your real favorite color won't matter if the answer you actually stored is "quantify".

This problem exists because most people predictably answer the questions exactly as asked, which is why 'security questions' usually weaken rather than strengthen your account security.  The solution, as you may have guessed, is simple: Don't be predictable.
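To make the "answer incorrectly" advice concrete, here is an added example that is not from the original post: it generates a random, unrelated answer for each security question from the operating system's CSPRNG (the kind of answer you would then keep in a password manager), flags answers that a third party could plausibly guess, and shows how a service should store and check such answers, salted and hashed like a password rather than in plaintext. The wordlist, the question list and the set of "common colors" are constructed stand-ins; the normalize-then-hash storage scheme is a standard practice for password-like secrets and is my addition, not something the post discusses.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for a real diceware-style wordlist (assumption: a real
# deployment would draw from a list of a few thousand words).
WORDLIST = [
    "quantify", "lantern", "basalt", "orbit", "velvet", "glacier",
    "tundra", "saffron", "piston", "mosaic", "harbor", "tremor",
]

# The kinds of questions the post describes.
QUESTIONS = [
    "What is your mother's maiden name?",
    "What city were you born in?",
    "What is your favorite color?",
]

# Constructed list of the answers a "favorite color" question predictably gets.
COMMON_COLORS = {"red", "blue", "green", "black", "purple", "pink", "orange", "yellow"}


def generate_answer(words=WORDLIST, count=3):
    """Build an answer with no relation to the question, drawn from the OS CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(count))


def generate_answer_sheet(questions, words=WORDLIST):
    """One distinct random answer per question; the user keeps this sheet in a password manager."""
    return {question: generate_answer(words) for question in questions}


def normalize(answer):
    """Case-fold and collapse whitespace so 'Quantify ' and 'quantify' verify the same."""
    return " ".join(answer.casefold().split())


def looks_predictable(answer, common_answers=COMMON_COLORS):
    """True if the answer is one a third party could guess or look up."""
    return normalize(answer) in common_answers


def hash_answer(answer, salt=None, iterations=100_000):
    """Server side: store the answer like a password (salted PBKDF2-HMAC-SHA256), never in plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, iterations)
    return salt, digest


def verify_answer(candidate, salt, digest, iterations=100_000):
    """Server side: recompute the digest and compare in constant time."""
    cand = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode("utf-8"), salt, iterations)
    return hmac.compare_digest(cand, digest)


if __name__ == "__main__":
    sheet = generate_answer_sheet(QUESTIONS)
    for question, answer in sheet.items():
        print(f"{question} -> {answer}")
    salt, digest = hash_answer(sheet[QUESTIONS[2]])
    print("stored answer verifies:", verify_answer(sheet[QUESTIONS[2]], salt, digest))
    print("'Blue' looks predictable:", looks_predictable("Blue"))
```

Using a different random answer per question, rather than one word everywhere as the post suggests, means a single leaked answer cannot be replayed against the same person's other accounts; the cost is that the answers must be recorded somewhere, which is exactly what a password manager is for.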

Happy Hacking.