Introduction — getting to know you (for password purposes)

How many times have you forgotten your password and were asked to answer security questions? This is currently one of the most-used methods of password retrieval and reset. Authentication is done by using a number of questions (mostly personal) to which users are asked to provide answers. This technique is based on the assumption that the question can only be answered by the real user.

It is very important that both questions and answers are challenging enough to provide a real roadblock for malicious hackers. If your security questions to password recovery are breached, in fact, you might have something to do with it. These innocuous-seeming queries could be a weak link that could impair the usefulness of even the most secure passwords.

This article provides tips on creating questions and answers to help you keep your accounts secure. The objective is knowing how to create a security question that elicits not-so-obvious responses and answers that are not so easy to guess. An answer to a security prompt that can easily be found through a simple Web or social media search query does not provide any protection for users.

A typical question, for example, asks the user to give their mother’s maiden name. A hacker could easily retrieve that information from any Facebook account, especially those in which people have identified their family members in between friends and/or have an open profile.

Tips for effective security questions

A lot of attention is focused on choosing the right answers, but in reality, choosing the right security questions is the first step in creating a system that better secures passwords.

The first tip, then, is quite obvious. Choose security questions that do not make it too easy for a hacker to guess an answer. Questions like “What is your father’s name,” “which school did you attend” and “what is the model of your current car” are easy to guess as this information is most likely retrievable from any social media profile. Less obvious questions elicit information that is not normally shared openly on the Web, such as “What was the last name of your favorite sixth-grade teacher” or “who was your favorite childhood hero?”

Another great feature of good security questions is the high number of possible answers. Ensuring that each question has a great number of possible responses limits the ability of hackers to simply guess the right combination. Asking what your favorite eye color is, for example, only allows for a limited number of standard replies, while asking your favorite girl’s name taps into a much larger set of possible replies.

Another great way to prevent easy guessing is to create questions that do not elicit responses that are too personal. Again, questions about your dog’s name, your city of birth or your father’s middle name can potentially be easy to guess. Asking, instead, for the name of a college for which you applied but ended up not attending is a much more difficult info to guess.

Lastly, be creative in your questions! There are a number of questions that recur whenever a password reset procedure is needed. A hacker who finds the answers to some of them might be able to access multiple accounts for the same user in a very easy manner. Giving operators the chance to pick new, innovative types of questions is a great way to ensure more security and a better fighting chance against intruders.

Tips for effective security answers

Make answers to the security questions just as strong as your passwords. “Statistically, the longer a password — or answer to a security question — the more difficult it is for someone to guess,” as Jordan Holz, CIPP/US, advises in a post via International Association of Privacy Professionals (IAPP) website. However, there are a few things users can do to make life hard for malicious hackers trying to guess the answers to the security questions.

Here’s a tip: Consider using multiple words in your answer. A one-word response could be easier to guess, predictable and even susceptible to a brute-force attack. Answers containing more than one word add unpredictability and complexity while still keeping the answer easy to remember.

Another strategy is developing a set of false answers in reply to standard security questions. Providing fake answers to the usual questions used to reset passwords keeps hackers gathering information on social media or through phishing away from the correct keywords.

Responses are no longer personal and will be much harder to guess. If you choose a question that might reveal obvious information like your favorite breed of dog or your favorite music genre, widely available through social media searches (e.g., a Facebook profile page), then make sure to give a bogus response. To make things easier, you could think of a friend and use his or her preferences to set up your reset combination.

You could also use a combination of lies and truths in your answers, making them relatively difficult for an unauthorized person to obtain and less susceptible to guessing or research.

Another idea is to make answers to the security questions long or random. However, it is then necessary to develop some sort of pattern to remember them.

You can utilize longer words (as multi-word passphrases) or use abbreviations (acronyms or short forms) you normally use, as well as answers that contains special characters (e.g., F@cebook4Me!). Choosing answers of at least eight characters and containing at least one numeric or non-alphabetic character, as you would for a password, is a safe option.

You could also choose a long, completely random sequence of characters to be very secure. That’s obviously a difficult feature to include, but if you are able to memorize a string, you could possibly insert it in your answers and make them virtually impossible to guess.

On the contrary, you can opt to use short and simple answers as long as they are not used in a predictable way. (Q: What is your least favorite social media site? A: Qzone — a Chinese social networking site and blogging platform.)

Another way to add unpredictability to your answers is to write words in non-standard way. For example, you could develop a pattern in which the second and third letter are inverted and the sixth and seventh are always inverted. You can also use a foreign language in your replies. (Q: What are your favorite animals? A: Les chiens et les chats = dogs and cats.)

Security Awareness

Conclusion

A strong password is a must to safeguard accounts, but even the strongest password is not safe if it can be easily reset through weak security questions and answers. No matter how secure your password is, in fact, it will always be vulnerable if a hacker can easily reset it.

Robust security questions and hard-to-guess answers are paramount to safeguard your login credentials from being compromised. Password reset systems, based on information that are supposedly known only to users, are often subject of debate on their safety and effectiveness. However, there is much a user can do to protect the efficiency of the system.

Placing the same amount of effort in choosing the right answers as in creating passwords is a great way to ensure this authentication method remains safe and effective. It is obviously important to never share answers with anyone and not choose answers that are so complicated that you have to write them down to remember them.

However, there are also many strategies that can be adopted in order to make questions more effective and answers more difficult to guess. For example, good security questions produce answers that are:

  1. Safe: Cannot be guessed or researched
  2. Stable: Do not change over time
  3. Memorable: Can be remembered easily
  4. Simple: Are precise, simple, consistent
  5. Many: Have many possible answers

Since security questions are not going away any time soon, it is best to strengthen your answers now while waiting for better systems to be implemented. The tips above can help you do just that.

 

Sources

  1. Secret questions blow a hole in security, Computer Weekly
  2. Security Questions Don’t Protect You: Here’s Why, IAPP
  3. Security Questions – Hard to Remember, Easy to Guess, Computing Dynamics
  4. Ask better password questions, CSO
  5. Examples of Security Questions, Good Security Questions
  6. Time to Kill Security Questions—or Answer Them With Lies, WIRED
  7. Use Fake Answers to Online Security Questions, Lifehacker
  8. Best Practices for Choosing Good Security Questions, Business 2 Community
  9. How to Answer Security Questions Securely, Defending Digital
  10. How To Create A Security Question That No One Else Can Guess, MakeUseOf.com