Online 'Security Questions' Can Be Too Easy To Crack

The ease with which a student was able to reset Sarah Palin’s Yahoo email password highlights a vulnerability of so-called “challenge questions” designed to verify your identity: if the questions are about personal details from your life, there’s a risk that somewhere out there on the web, that info is visible to the public. That might be a realistic risk only for public figures, but it’s also possible that friends or family members could answer your questions with a little guesswork. If you want better security, make up fake answers that you’ll remember.

“Who needs hackers? Palin e-mail hack reveals obvious vulnerability” [BetaNews]

Comments

Edit Your Comment

  1. ViperBorg says:

    The screenshot of her email did have a tap opened that said something about a password being reset.

  2. lemortede says:

    My cousin has this on going issue with his soon to be X wife.

  3. Gopher bond says:

    Another good tip I read was to create a stand pin that you take onto the beginning or end of every security question answer. For example, if my secure pin is 123456 and the security question is “What is the best website ever?” My answer would be “The Consumerist123456″

    • MercuryPDX says:

      @testsicles: The problem is that subjective questions (like your example) have subjective answers. A friend of mine just puts in “Secure_answer” as the answer to any and all the questions. Coupling that with your pin suggestion (“Secure_answer123456″) sounds like a big improvement upon that.

      • nybiker says:

        @MercuryPDX: Yeah, and the name of my pet has always been “dogdog”, so I too like the idea of tacking on some extra stuff (let’s hope that everyone who reads this and decides to follow the example doesn’t use 123456).

        • TechnoDestructo says:

          So are we also going to see a post of maintaining anonymity when posting illegally obtained information re: a major political candidate? Because that kid made some stupid goofs, too.

          @nybiker:

          Still better than using nothing. Every bit of complexity helps.

  4. slopirate says:

    The best thing to do is make the answer to the security question something like this: asudngafdnv09aefjr98gharef2ndsa9f.

    These security questions are ridiculously large security holes and should not be used.

  5. Arkillion says:

    I’m not sure how remembering a fake answer helps someone who can’t remember their password in the first place (which is why they would use the security questions). If you have such a great memory, just remember your password, and fill in completely random garbage that even you can’t remember to the security question rendering it totally useless to anyone.

    • allthatsevil says:

      @Arkillion: The fake answer is not to help them when they forget their password – it’s to prevent other people from figuring it out when they don’t know the password.

      If you forget your password, and the answer to the security question, there is typically a third option for obtaining the forgotten password. Usually it’s either resetting the password via an email link, or talking to a person on the phone to verify your identity.

  6. ManiacDan says:

    Lore at Alt Text did a humor article about this topic not too long ago, which actually illustrates quite well the problem many people have, and the “solution” mentioned earlier in the comments:
    [www.wired.com]

    One problem I really have with security questions is: what happens when you have a joint account? When I forget my Bank Of America password, I need to remember if it was my wife or I who created the account so I know the answer to “who was your first boyfriend/girlfriend?”

    Personally, I get burned all the time by the “what town were you born in” question because I was born in a hospital where the maternity wing extends past county lines, meaning I was physically born in one town, but the birth certificate was issued in another. I just have to remember if I was feeling like a smart ass that day.

    • 6a says:

      I’ve been using KeePass for some time now. It can make ridiculously difficult passwords if necessary and can be toted around on one of those keychain usb drives.

  7. Ragman says:

    “123456? That’s the kind of combination an idiot would put on his luggage!”

    Sorry. Felt obliged to do the Spaceballs reference.

    I’m making the initiative to change my security questions, but I worry that some site may filter numerics out of a name field.

    I worry that the TSA will decide to quiz me on who I am – that just makes for some interesting answers. Not to mention trying to figure out if they’ve got your old or new answers.
    “Where were you born?” “Uhh… New York or Anartica1234…” “Sir, please step into this room and strip.”

  8. Mfalconieri says:

    Passwords are just like phone numbers, you NEED to remember them without help. If you cannot do that, then the internet is not for you.

    Also, doesn’t the world know not to put your birthday, social security or pets name as a password?

    • TechnoDestructo says:

      I have a book containing all my usernames + passwords. This is not the best idea in the world, so I make it a little less bad by blanking out portions of the username and password. It is the same portion each time, so that where pieces of passwords are reused (if I didn’t, I wouldn’t remember the missing pieces) you cannot use one password to fill in the blanks on another.

      @Mfalconieri:

      A few, regularly-used ones, sure. But when every site on the internet requires a username and password, and you aren’t reusing the same password all the time, and each one has a different combination of required password features, it gets a little difficult after a while.

  9. JN2 says:

    Best program evah! [my.1password.com]

    Yea, when my (now ex) wife was doing her naughty business, I hacked into her private hotmail account (and MySpace, and other unapproved places) by using the same password she had kept for 5-6 years. I finally called her and told her to change them before I did some REAL damage to them.

    buh-bye woman!!

    • Oranges w/ Cheese says:

      @JN2: I use PaswordMaker firefox addon.

    • veronykah says:

      @JN2: Sounds awesome but what do you do when you are using a computer that is not your home computer that you use the program with?
      Can you give invitations?
      @smartmuffin: If there was a standard of some sort across the board for passwords I think it would make it a lot easier. Some websites want 6 letters, some 8 with a captial or 8 with a number. If you login to a large amount of websites there is NO way to remember all these. I have my computer set to remember them but if I am using a computer somewhere else, how am I supposed to remember the random password I made up for X website?
      Blackberry password keeper here I come, thanks MisterE87! NEver used it!

  10. mknoll1 says:

    This whole security question nonsense does not even qualify as multifactor authentication according to any reasonable definition. Multifactor authentication requires a combination of 2 or more different factors. There are 3 possible factors, something you know (username, password, name of first born), something you have (Certificate, Token, Dongle) and something you are (Fingerprint, Retina Scan). The use of security questions is clearly simply 2 somethings you know as opposed to 2 different factors. THe net result is one piece of paper that says OnlineBanking info Username = User password = Password Favorite Restaurant = applebees Mascot = wildcat … or whatever. If Ferris Bueller wants to hack my account now he just has to remember 5 things instead of 2 which for him is no problem.

    I work with a TON of banks in a corporate setting and these answers are even more problematic there since users come and go but the banks that user security questions often only allow one user per account. Thus a whole department may share one login. If people with access to online banking use their actual info then leave the company and their answers are still used they have severely compromised very important personal information. The only other option is a set of canned answers for all banks or a spreadsheet that amounts to the info scribbled on a paper in a drawer. Both of those solutions are obviously problematic from a security perspective.

    As someone who basically deals with online access to banks as my entire job I am appalled at how poorly this has been regulated and implemented. The banking industry spent literally hundreds of millions of dollars on updating their security in the last 24 months and none of it has done anything to make us safer int he least. Like Airport Security Theater it only serves to discourage legitimate users by making it so much of a hassle that they just don’t bother.

  11. Ber'Zophus says:

    A lot of the problems with these systems is the fact most only give you a set number of questions to pick to answer, rather than allow you to make your own. In a lot of cases, friends could easily answer all sorts of things about you; especially those that are “Where did you attend elementary school?”, or “Who was your best friend from childhood?” (who, you know, may no longer be and now has a personal vendetta out against you).

    I find such “security” questions ironic, especially where forced to enter them. I keep my passwords complicated to be secure, yet it can be handily defeated by the security question. Oh sure, I could enter fake info as my answer….then I’d forget it. And while I’d like to just say, bah, I’ll enter gibberish in the hopes I never forget my password… I have a lot of passwords out there and tend to forget which one goes where sometimes.

    • Etoiles says:

      I did enjoy one account where you could create your own security question and answer. That one was obscure and I can think of only one other person on earth who would be able to piece together what I meant by it.

      Whereas pretty much everyone I’ve ever met knows where I was born, because it’s a major city.

  12. Meggers says:

    I remember when Consumerist addressed this with a cell phone company (Nokia I think?). They used a consenting persons cell phone number in D.C. or New York (can’t remember which) and used simple logic to get past the security questions. I think one of the questions was “Where have you never lived” and there were 3 places listed. By knowing that the person was in their 20’s and in the city, they could knock out that one and then quess the right answer. Obviously I should have just linked to the post since my memory is shot at 4:30 on a Friday. Anyway that was a good post and brought up some serious questions about how easy it is to get past the “security questions”.

  13. tankertodd says:

    I just use the word “poodleballs85″ as my password for everything, including my ETrade, Bank of America, and Consumerist accounts.

    Whoops

    • Bryan Price says:

      I had one son getting into the other son’s account because he new his social security number (they’re twins! they’re not incremented, but they’re close!) and they certainly knew their mother’s maiden name.

      @tankertodd: For my most serious (network administration) passwords I used to use two words, one of which was obscene. There’s nothing like having to tell your female boss that’s on a speakerphone with HER boss, and tell her the password is c–tlick. She couldn’t really say anything because you weren’t supposed to be disclosing passwords to anybody for any reason anyways. From then on, I got told to change the password to what they wanted.

  14. NikkiSweet says:

    Yay for promiscuous passwords…

    I work for a tech company, and we have more than a few of these floating around. The only good thing about ours is that you really have to spend time around us while we are at work to guess the passwords, because they’re all inside jokes.

  15. pavid says:

    I always use something that means something to me only as the answer to any and every security question. Just because you’re asked for your mother’s maiden name doesn’t mean you can’t use “gobbledegook”. Just as long as it’s something you can remember because it means something to you.

  16. womynist says:

    My employer uses the word “password” as the password to log in to our system.

    so stupid.

  17. mmmsoap says:

    I frequently create passwords VERY secure passwords, but changing the keyboard layout on my computer. For example, my online banking password might be something as simple as “mybanksname“, but if I change the keybord layout to, say, Dvorak before typing it, it comes out as “mfxabtobam.

    Combine this with a keyboard shortcut to quickly swap back and forth between keyboard layouts, and I’m in business.
    The passwords are easy to remember on my end, and very hard to guess for anyone else.

  18. celestebai says:

    Haha! Funny the amount of ex’s who do this. Mine did the same thing, hotmail gave him the account password, and stupid me used the same password for everything. Didn’t catch it until he served me two months later. Aren’t relationships fun? So yeah, my security questions are all nonsense answers now. Haven’t had to use them yet, so here’s hoping i remember the answers if i do need them.

  19. celestebai says:

    And might I add that I also switched to a hosted email account instead of web-based email, encrypted my computer, and marked everything to save absolutely nothing.

  20. nez77 says:

    I’ve been doing that for years. For instance “What is the name of your first pet?” my security answer isn’t the real first pet, but what I named a pokemon that nobody could possibly know.

  21. Rachacha says:

    My problem is password systems that are too secure, for example, you mist use a number, a special character, a lower case and an upper case letter. Fine, no problem. Now throw in the mix that passwords must be changed every 30 days, and you can not have the password repeat from the last 50 passwords. That pretty much guarantees that someone will write their passwords down so that they can remember what passwords they have used in the past, and to make sure they might actually remember it.

  22. MisterE87 says:

    I heart BlackBerry Password Keeper and security auto-lock!

  23. Ajh says:

    My security questions have answers that are lies. I figure that way no one can answer them correctly. They’re the same lies for every security series but, still.

    The hilarious part is I know all my mother’s security questions and reset her passwords for her when she forgets. Yes she’ll come to me “I forgot my password for the bank and it locked me out again..what do I do?”

  24. smartmuffin says:

    You know, I always thought this was screwed up ever since I was 12 years old and making hotmail accounts. The only people who would ever even want to get into my account were my friends and my parents, who all easily knew the answer to questions like “what was your elementary school” and “what is your pet’s name”

    I remember being on a customer service phone line trying to get a password reset and explaining this situation to the CSR. I had made up fake answers to all the questions and using some correct answers, got her to tell me what I had put for the others. Apparently I listed my home town as “funkytown” among other things. It was a great conversation.

  25. billbobbins says:

    A friend of mine picked his security question to be “what day is softball practice on?” Guess how many tries it took to get a password reset. Dumb.

  26. Snowlovers says:

    Studies have shown that the most secure password is “1gQ7~9n_l3″ it is recommended that you change all of your passwords to this immediately!

    • BillsBurg says:

      @Snowlovers: I work for a major DOD contractor company and I can’t tell you how many people on DOD networks use !QAZXSW@ or 1qazXSW@ or !QAZ@WSX or other combination of up and down one part of the keyboard while holding the shift key down or not.

  27. BillsBurg says:

    I’m so happy that this thread didn’t breakdown into a Palin bashing forum.

  28. AgentTuttle says:

    It’s funny that nobody seems to care that the NSA has access to our email 24/7, yet this is some kind of atrocity.

  29. Jamesgreene says:

    I answer those questions with other codes/passwords and variations that I have had for the last oh 10 years or so (not anything that makes enough sense to figure out).

    The easiest way to come up with a good one you can still remember is get an acronym, slap a special character in there and add a number.

    Example: Girls eat pies and cake ^ and 982

    gEpAc952^ would be your password. That way if you forget you can always remember your sentence. If you can’t remember that you will need to work on your memory.

    I’ve gotten into so many locked things just guessing things like “popcorn”, “love”, “marsbar”, “digdug” or even cd keys that are sitting in peoples cd racks (this is often when I am asked by the owner or someone else forgets their passwords for programs, I have no intention of malicious behavior). You need to protect your stuff even from your own lack of foresight.

    My system is by no means flawless but it is better than what most people do.

  30. draketrumpet says:

    Yeah, so this one bit me in the butt a while back. There was a time in my life where I wore a tie every day, and I had more red ties than anything else. A certain email provider let you create your own security question, so being ‘smart’ like I was, I put the following: “What color of tie am I wearing?” “Red”. about a year later, a still undiscovered person changed my password and sent an email to a bunch of acquaintances (they were not my contacts, but I knew them all) telling them in not so nice words that I had chosen an alternate sexual orientation from standard heterosexuality. Ugh…bad memories…

  31. mike says:

    Shameless plug ahead!

    Invest in RoboForm! I use it to save not only my passwords, but answers to the random questions they ask me. I usually make these passwords up, which makes remembering them all the harder. The only bad thing is that they don’t have a linux version.

    If you like my recommendation, feel free to give me a bit of the action:
    [www.roboform.com]

    For others, just go to roboform.com

  32. Rectilinear Propagation says:

    G-d, I HATE those security questions. They are so useless.

    The one I hate the most is the “What is your mother’s maiden name?” question. If you know the name of the person whose account you’re breaking into how hard is it to find out who their mom is? There’s also the ridiculous assumption that your mom’s maiden name isn’t what she’s going by now.

    It’s always something that’s really easy to look up, like what street you grew up on, or something with no answer at all, like the name of your first pet or favorite sports team.

    The only security questions I like are the ones they let you make up. “Purple?”