Last week I posted here an article with tips and best practices around complementary logic that you can add to your current password structure to provide an extra layer of security.
But what if I told you that even after implementing all of these layers, you can still be exposed through a very basic breach point?
That’s right: depending on the forgot-password protocol each system uses, it may inadvertently poke a hole in your whole account security plan.
Security questions are set at the time of account creation to prevent someone from simply resetting your password (for example, if they have taken over your email account).
This security step has you answer several security questions: things you know and can remember—such as your first pet’s name or your mother’s maiden name—so you can prove your identity and access your account before requesting a password reset if you forget or lose your password.
The issue with this practice is not so much the questions, but the answers you give them.
Most ‘hacks’ today come from this very simple breach. By simply knowing me, or looking at my Facebook posts and friends, a hacker might find pictures of me at the Patriots stadium, pictures of my dog, or my high school name (an easy mascot lookup).
In other words, you may not be advertising your password to everyone online, but by exposing your life on social media you may be revealing key indicators of the answers to your security questions.
This was in fact how Jennifer Lawrence’s, ahem, ‘intimate pictures’ were leaked to the world: by answering her security questionnaire with accurate, true, verifiable facts.
In Apple’s statement about the hack of celebrity accounts, in which dozens of celebrities were compromised, they stated:
“…After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet….”
Sarah Palin’s AT&T hack was also perpetrated by simply answering her zip code, birthdate and where she met her spouse, information that is readily available online with a simple Google search.
Once the hacker answers those questions, it’s a couple of clicks until they reset your password and take over your account. Brutal!
“Cybersecurity is a shared responsibility, and it boils down to this: in cybersecurity, the more systems we secure, the more secure we all are.”
– Jeh Johnson
How to Secure your Answers
Let’s look at simple ways you can add a security layer to your security questions and ensure that you will not be exposed.
Steps to Secure Answers
- Misspell words: The first thing you can do is change the spelling of some of your answers. This is a good idea, as long as you can remember the changes you’ve made. So if your first car was a BMW, you could spell the answer BMWWW or BBBMW; if your first pet was Rex, you can use Rexxx. These duplicated letters won’t be hard to remember, and will protect you from idle hackers.
- Add number(s) to your answers: Similar to the misspelling technique, but if you don’t want to keep track of exact misspellings, you can say BMW7, Rex9 or 1Smith. One added character will throw off any intruder. Try to be consistent with the number, so that you can simply add that favorite number to the actual answers.
- Make up an answer! That’s right, no one is enforcing the accuracy or veracity of your answers, so you have a blank canvas for what your answer can be. For example: What was your first car? Magic School Bus or Magic School Bus9. What’s your favorite color? Euphoria or Pale7.
Securing your answers to security questions is one of the best ways to ensure your privacy and peace of mind.
I hope you have a chance to make these changes to existing accounts, or at least start applying these best practices as you create new accounts.
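As an added example (not from the original post), here is a small Python script that applies the “make up an answer” step: it draws random words with `secrets`, so the answer is unrelated to any real fact about you, and it checks each candidate against a constructed list of facts that could be read off a public profile. The word list and the sample facts are constructed for the demo; a real run would load a larger word list.

```python
import re
import secrets
import string

# Constructed word list for made-up answers. A real run would load a larger list
# (a few thousand words) so that each generated answer has enough entropy.
WORDS = ["magic", "school", "bus", "euphoria", "pale", "lantern", "quartz",
         "meadow", "cobalt", "velvet", "orbit", "saffron", "harbor", "tundra"]


def make_answer(n_words=3, n_digits=1):
    """Build a random answer: n_words random words plus a digit suffix.
    secrets (not random) is used because the answer acts as a second password."""
    words = [secrets.choice(WORDS) for _ in range(n_words)]
    suffix = "".join(secrets.choice(string.digits) for _ in range(n_digits))
    return " ".join(words) + suffix


def normalize(text):
    """Lower-case and strip everything but letters and digits, so 'B.M.W.' == 'bmw'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def is_exposed(answer, public_facts):
    """True if the answer is simply a fact that is already public
    (social media posts, public records, a mascot lookup)."""
    normalized_facts = {normalize(f) for f in public_facts}
    return normalize(answer) in normalized_facts


def generate_answers(questions, public_facts, n_words=3, n_digits=1):
    """Return a made-up answer per question, regenerating any candidate
    that happens to collide with a known public fact."""
    answers = {}
    for question in questions:
        candidate = make_answer(n_words, n_digits)
        while is_exposed(candidate, public_facts):
            candidate = make_answer(n_words, n_digits)
        answers[question] = candidate
    return answers


if __name__ == "__main__":
    # Constructed sample: facts an attacker could read off a social profile.
    facts = ["Rex", "BMW", "Smith", "Patriots"]
    qs = ["What was your first car?", "What was the name of your first pet?"]
    for q, a in generate_answers(qs, facts).items():
        print(f"{q} -> {a}")
```

The generated answers are meant to be stored somewhere you can retrieve them, since by design they cannot be recalled from memory the way a real fact can.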
See you on the next one!