When password security questions aren't secure

By Joe Kissell, Macworld |  Security, passwords

Take extra care with your email account password: Your email account is where most other services send their password-reset links and recovery codes, so anyone who controls it can take over those accounts as well. Choose an especially strong password for it, and set your email client to talk to the mail server over an encrypted connection (Secure Sockets Layer, or SSL, since superseded by TLS) so that your password never travels over the network in the clear. In Apple's Mail, select Mail > Preferences, click Accounts, choose an email account from the list, and click Advanced. Here you'll see the option Use SSL.

Question the questions

Security questions -- such as the timeless classic 'What is your mother's maiden name?' -- are supposed to have answers that you'll never forget but that most other people won't know or be able to guess. Unfortunately, most of the questions you can choose from aren't secure at all.

Your mother's maiden name is a matter of public record, and nearly anyone can learn it online in a few minutes. If you ever wrote a blog entry or a Facebook post about your first pet, your favorite teacher, or another common security question topic, those facts are public too. To make matters worse, some questions invite ambiguous answers, which can work against you. Where did you meet your spouse? That might be New York, or a baseball game, or Yankee Stadium. Years from now, will you remember which answer you gave? A difference in spelling or capitalization may be enough for a site to reject the answer, so the exact string matters.

Devise memorable lies: To address such problems, there's only one right way to answer verification questions -- lie. And don't just lie, but come up with one or more answers that follow the same rules as your other passwords so they can't be guessed: use either a reasonably long (but memorable) phrase or a series of random characters. So, what was the name of my first pet? Why, it was bookends-qualitative. My mother's maiden name? Her dad was Mr. E27jrdU!8. My favorite car? I loved my 1986 Toyota Recalibration Cantaloupe. It doesn't matter what answers you give, as long as you and you alone know what they are, and can supply the same ones you entered previously if asked.

I know one security expert who says he normally uses the same pseudo-random answer everywhere, although some companies (including Apple) require you to provide different answers to each of several questions, meaning you have even more password-like data to keep track of. Of course, you can write down your answers or store them in a password manager, but then the same problems that prevent you from accessing your password could prevent you from accessing your security answers.
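The two answer styles described above (a multi-word phrase and a run of random characters), generated with a cryptographically secure random source and with a distinct answer per question as providers like Apple require, as an added example that is not from the original article. The word list is a small constructed sample for illustration; the entropy estimate shows why a real list should be large (the function is parameterized on list size, and the 7776-word figure in the usage note is the size of the EFF long word list).

```python
"""
Generate pseudo-random answers for account-recovery ("security") questions.

Two styles: a memorable multi-word phrase, or a string of random characters.
Each question gets its own distinct answer, so a provider that rejects
repeated answers accepts the set, and a leak of one answer reveals nothing
about the others. Uses `secrets`, never `random`, so answers are unguessable.
"""
import math
import secrets
import string

# Constructed sample word list for illustration only (assumption: a real
# deployment would load a large published list such as the EFF long list).
SAMPLE_WORDS = (
    "bookends", "qualitative", "cantaloupe", "recalibration", "granite",
    "lantern", "velvet", "orbit", "saffron", "tundra", "quartz", "meadow",
    "harbor", "pistachio", "glacier", "mosaic",
)

# Letters, digits and a handful of symbols that most web forms accept.
CHARSET = string.ascii_letters + string.digits + "!#%&*+-=?@"


def passphrase_answer(words=SAMPLE_WORDS, n_words=3, sep="-"):
    """Join n_words words drawn uniformly with a CSPRNG, e.g. 'orbit-velvet-quartz'."""
    if n_words < 1:
        raise ValueError("n_words must be >= 1")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def random_answer(length=12, charset=CHARSET):
    """Return `length` characters drawn uniformly from `charset`."""
    if length < 1:
        raise ValueError("length must be >= 1")
    return "".join(secrets.choice(charset) for _ in range(length))


def estimate_entropy_bits(pool_size, draws):
    """Entropy of `draws` independent uniform picks from `pool_size` options."""
    return draws * math.log2(pool_size)


def answers_for(questions, style="phrase", **kwargs):
    """Map each question to its own answer, regenerating on the rare collision
    so that no two questions share an answer."""
    out, seen = {}, set()
    for question in questions:
        while True:
            answer = (passphrase_answer(**kwargs) if style == "phrase"
                      else random_answer(**kwargs))
            if answer not in seen:
                break
        seen.add(answer)
        out[question] = answer
    return out


if __name__ == "__main__":
    questions = ["first pet", "mother's maiden name", "favorite car"]
    for q, a in answers_for(questions).items():
        print(f"{q}: {a}")
    for q, a in answers_for(questions, style="random", length=16).items():
        print(f"{q}: {a}")
    print("bits, 3 words from sample list:",
          estimate_entropy_bits(len(SAMPLE_WORDS), 3))
    print("bits, 3 words from a 7776-word list:",
          estimate_entropy_bits(7776, 3))
    print("bits, 12 random chars:", estimate_entropy_bits(len(CHARSET), 12))
```

Three words from the 16-word sample list give only 12 bits, which an online attacker with a generous lockout policy could still exhaust; the same three words from a 7776-word list give about 39 bits, and 12 characters from the 72-symbol charset about 74. Store the output alongside the account in a password manager rather than reusing one answer across sites.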


Originally published on Macworld.