Choose a good security question for your online services

What happens if you forget your password for an online service like email? Some online services make you answer a security question during registration: questions like your father’s or mother’s name, your school name, your pet’s name, and so on. If you forget your password, they ask you this question before letting you back into your account.
But do you know that these security questions aren’t really that secure? The idea behind them is to ask you something you will surely remember (don’t tell me you will forget your parents’ names or your school’s name) and use that to authenticate you. In actual fact, that is one of the worst forms of authentication. A lot of that information can be found through some social engineering. Hackers can find the answers on your Facebook profile or blog, or befriend you on MSN and tease the answers out of you in chat. And if you are someone famous, it is even easier: your information is most likely on Wikipedia for hackers to refer to. Sarah Palin’s Yahoo mail was hacked previously through this method.
That’s why you should be very careful when you set a security question. Make sure it is something nobody can research. Make sure the information is not on your Facebook or blog. Make sure none of your friends or colleagues know the answer. Most importantly, guard those questions the way you guard your password. The answers to those questions are as good as your password: an unauthorized person can gain access to your account using those answers.
Speaking of security questions, I was prompted to key in a security question today. I’m actually pretty shocked at the kind of security questions they use. Let me tell you what’s wrong with them.

1) Who was your first boss?
My ex-colleagues will know the answer to this question, and it’s easy to social-engineer the answer too: all you need to know is my first job and who the boss was.
2) What was the name of your first pet?
Some of my friends know my first pet’s name; I think I’ve casually mentioned it before. A pet’s name isn’t really a safe security question. Those who love their pets keep talking about them.
3) Who was your favorite teacher?
None, so I can’t use this. (Oops. I hope none of my teachers are reading this. To be fair, I found most of them pretty good; I just don’t have one special favourite teacher.) And if I had one, it would be easy to find out, since I’d talk about him/her whenever someone asked me about my school days. Right?
4) Who is your favorite historical person?
Also none. You mean you have one? Even if I had one, the person might change three years down the road. Right?
5) What was the name of your primary school?
This is about the worst question to use. The info is easily available on most people’s Facebook, and my classmates will know the answer too.
6) What is the first foreign country you have travelled to?
It isn’t hard to guess, given the country I live in.
7) What was the colour and make of your first car?
This question can easily be social-engineered: all the hacker needs to do is befriend you and start a conversation about cars. And if you posted a photo of your first car on Facebook or Flickr, then good luck.
Honestly. You want me to use those security questions? The worst part is they don’t allow me to set my own security question. That’s kinda crappy. All websites that use security questions should give users the option to key in their own question: one they know they will remember when prompted, and whose answer nobody else in the world knows.
OK, to be fair, questions 3, 4 and 7 should be quite hard for a hacker to social-engineer. But they might be easy for some people.
So be careful when you select your security questions. Think it through and ask yourself: is there any way someone might find the answer to that question? If the answer is yes, then that is most likely not the best security question.
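The post says the answer to a security question is as good as your password, so a site should handle it like one. As an added example (not code from the original post or from any service it mentions), here is the server-side treatment that follows from that: the answer is normalised, stored only as a salted slow hash, compared in constant time, and guarded by a per-account attempt budget so a closed answer list cannot simply be tried end to end. Function names, the PBKDF2 parameters and the attempt budget are my own choices; only the Python standard library is used.

```python
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ROUNDS = 200_000  # deliberately slow: a security answer is a password


def normalize_answer(answer: str) -> str:
    """Fold case, Unicode form and punctuation so "Fluffy the Cat" and
    " fluffy, the cat " compare equal. This removes only variations the
    user will not remember; it does not weaken the secret."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def store_answer(answer: str) -> dict:
    """Keep only a salted, slow hash of the normalised answer, never the text."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_answer(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(attempt).encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])  # constant-time compare


class RecoveryGate:
    """Per-account attempt budget (a hypothetical helper). A question answered
    from a closed list such as a country drop-down has only a few hundred
    candidates, so without a lockout the whole list can be tried."""

    def __init__(self, record: dict, max_attempts: int = 5):
        self.record = record
        self.max_attempts = max_attempts
        self.failures = 0

    def attempt(self, answer: str) -> str:
        if self.failures >= self.max_attempts:
            return "locked"  # stop checking; escalate to a stronger channel
        if verify_answer(self.record, answer):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "locked" if self.failures >= self.max_attempts else "denied"
```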

7 comments

  1. Actually it doesn’t matter what the question is; it just matters that you give the correct answer to it.
    How I solve this problem is to choose a fixed answer for a type of question and remember that instead.
    For example, if the question is about the name of a place, the answer will be Wonderland.
    If it is about color, it will be purple.
    If it is about number then the answer is 13.
    I don’t really have to think about who my favorite teacher or hero or whoever really is. If it is a person, it is Cookie Monster.

  2. CK: That is a good solution. Actually, so long as you can remember the security answer and nobody can guess it or find it through social engineering.
    But most people just answer the security question directly, without thinking that it might be easy for hackers to find the answer. That’s the worrying part.

  3. I did something similar to CK… except I have a few answers to security questions and I randomly choose the questions to answer with a fixed set of answers.
    However, nowadays… security questions are getting dumber and dumber… some build checks to verify the field… e.g. if the question is about a country, they put a list of countries :(… that, to me, is a question I’ll never use as my security question…

  4. sgcitizen: wow, this is the first time I’ve heard of a security question using a list of answers. Ya, I will never use that either.

  5. Someone essentially assists in making significant articles, I might state.
    That is the very first time I frequented your web page, and up to now?
    I am amazed at the research you made to make this particular submission incredible.
    Fantastic job!
