Thoughts, information and reflections about technology

The whole system of “secret questions” used by tens of thousands of sites, including email providers, banks and government sites is fundamentally flawed.

The whole system of “secret questions” used by tens of thousands of sites, including email providers, banks and government sites is fundamentally flawed. If you have even a casual acquaintance with someone, you can pick up enough information to access at least some of their sites. The “Where were you born” question is a joke.  The problem is that if you give a fake answer you might not remember it when you need it and find yourself locked out of your account.

 Keep in mind that during a previous presidential campaign Sarah Palin’s personal email account was hacked by using the security questions. The person responsible served federal time for the hacking. However, the damage had been done and her personal emails were available to the public.
Social engineering can be used to crack these security questions. Read my post about why you should never reply to a Facebook post about “Do you remember your first car?”
Your choices are :
  • Have a file somewhere of the answers you used but DO NOT INCLUDE THE PASSWORD OR USER ID. Have the user id’s in a separate file
  • Answer every question with the same answer such as ‘cupcakes’
  • Use alternate answers for questions such as “what city were you born in?”  Instead of using the real answer, answer that question with something like “Tabasco sauce”.

My favorite stupid secret questions:

  • What city were you born in?
  • What is your mother’s maiden name?  Come on folks, this isn’t the 1960’s. First of all, that type of information can easily be searched.
  • Where were you married?  Duh.. again, this isn’t 1960. Marriage certificates can be searched.
  • What was your high school mascot?  Ok, this can be easy to crack: (1) High schools publish alumni lists. (2) The mascots don’t usually change.

Web developers who use security questions are flaming idiots.  Their web tools should be taken away and they should be handed a box of crayons. (the 8 color pack, not the 64 color pack as they obviously could not handle that)

Get to know your date

Get to know your date

 

Similar Posts:

Leave a Reply

Your email address will not be published. Required fields are marked *

Contact me
Archives
Categories