Ronny Lam

about://tech

Security Questions

Today, my wife was signing up for a website. I can’t remember which one, although it was not Apple. Of course she had to sign up with her email address and had to come up with a password. I educated her well, so she used a randomized password created with 1Password. I always encourage people, including my wife, to use a different password for every site. That way, when someone manages to hack one account, he or she still cannot get into the other accounts. At one moment in the process she was asked to fill in some security questions. This is something I had not yet educated her on, so she asked me what to do. Security questions are special questions used by organisations to check who you are when you have lost your password. Some sites use very easy questions, like “what is your maiden name?” or “where were you born?” Then there are sites with more difficult questions, like the license plate of your first car, and there are sites that let you set your own questions. My wife had the simple ones and was planning to answer them honestly. Thank god she consulted me, because this is exactly what happened to Sarah Palin in 2008: a young guy just checked her bio and used Yahoo!’s account recovery for forgotten passwords. I helped my wife by forging some answers and putting them in the notes field of 1Password.

I cannot stress enough to people that answering these security questions honestly is the biggest security risk ever. I do not understand why websites are still using them. Don’t they understand what the risks of those questions are? A couple of weeks ago I tested for myself how easy it was to recover a Google account that was using 2-step authentication. Well, I must say, Google is very thorough and made it very difficult for me to get the account back. They not only asked security questions, which I of course forged, but they also asked a lot of details about the account itself and about how it is used. From where do you log in most? What kind of browser do you use to log in? Which labels do you use most? With which people do you mail most?
Of course I managed, and because I managed I could help a guy on the product forums I am in.