James Thinks

"What is your mother's maiden name?"

"What was your first school?"

A lot of online services ask members to provide answers to questions like these in order to unlock their accounts in the event that they forget their password.

However, compared to a good password, they are very insecure. They are often easy to guess or to discover through social engineering. For example, imagine your bank phones you up and asks to go through some security questions. You duly provide answers similar to the above without checking that the caller is really from your bank. Even if you don't fall for that trick, some of these answers are public knowledge or might be discovered by a determined attacker. There are only so many junior school names in the country, so if the security question system allows multiple guesses, then an automated attack could work.

As a result, security questions can be the weak link in your online security. What can you do?

Lie

In some cases there might be legal reasons why you have to give honest answers to security questions. If in doubt, check with the company providing the service.

In other cases, or where the answers are opinion-based such as "your favourite... ", you can invent something entirely fictitious.

That's right, a lie, a fib, a porky.

In this case it's best if the lie is not guessable either. If your first school was St Paul's, don't change it to St Mary's, St John's or something which probably exists and would be on any list of guesses. Instead invent a completely new name using no dictionary words or names. Longer is better. A bit like a randomised password.

What if I forget my answers?

I assume that security questions were devised as something which, unlike a password, a person would not forget. A school or mother's maiden name is a piece of knowledge they've carried around in their heads for years and will probably always remember. That's why it's appealing as a backup to a password.

But someone giving semi-random, invented answers, probably won't remember them. It should also go without saying that they shouldn't use the same invented answers for every website or service.

That makes the answers hard to remember, like a good password.

The solution in both cases is a password manager. I cannot recommend this highly enough. They give security and convenience for a small learning curve.

In addition to the URL, Username and Password fields, most password managers (aka password safes) have a "Notes" field which is also kept secure. I use this to store the questions and my unique answers to security questions.

Similar posts

• 

  Your passwords aren't good enough

• 

  Why I want to encrypt everything