Why Security Questions Can Be Bad News

If you access web-based services such as social networking websites, message forums, or online banking applications, you've probably had to register for a user account. This sometimes drawn-out process required you to enter a login name as well as a password (or get one assigned to you), providing some sense of security when accessing the service.

Since good passwords (not the words 'computer' nor 'secret') can be almost impossible to remember (such as a ten character combination of letters, numbers, and punctuation), many services now use a "security question" you can answer in case you forget your username and/or password and need to retrieve or reset them. By offering a security question, these services can help ensure it is really you when a request is made for your login information.

Some websites may even require answering this security question as well as your password every time you use their services, offering a supposed second level of account security.

Security questions are normally facts that supposedly only you can recall, information that should not change. Several common examples are listed below:

* First School Attended
* Mother's Maiden Name
* Name of First Pet
* Where a Spouse was First Met

Some websites force you into answering a predefined question, a popular one being your mother's maiden name. Others offer a list of questions from which you may choose, but some may allow you to type your own questions and answers. This allows you to enter private information such as the name of your favorite musical group, the name you gave a pet rock, or the celebrity poster you placed on your wall as a kid.

Unfortunately, the answers to some security questions are well-known, easy guessed, can be obtained online, or can be found via public records or a private investigator (and if someone truly wants access to your account they may go through a lot of trouble). Thus, these questions, while provided to either offer a second level of security or remove the need for customer service representatives to otherwise verify identity when you request a new password, can cause all sorts of trouble.

Especially if only a security question is required to obtain or reset a password, or even a combination of a security question and other pieces of personal information, if someone can guess or obtain the answers to your questions, it is open season on your account!

This type of secret question and answer hacking can and has affected many individuals, including famous people. As an example, according to reports, 2008 Republican Vice-Presidential candidate Sarah Palin had her e-mail account breached when someone allegedly answered a few questions during a password reset request. The questions were her birthday, zip code, and where she met her spouse (Wasilla High), information available on the web or easily guessed.

Now that you know how easy it may be for others to access your account via a security question, what can you do to help protect yourself?

* If offered the choice, pick the most obscure security question offered or type your own question and answer if this feature is available. Pick something you and only you may know - something you are positive is not available in public records, your Facebook page, or elsewhere online. Never use your mother's maiden name, social security number, or birthplace, as these can either be found or cause other security and privacy problems if someone does hack the account and read the answers to your security questions.

* Use different security questions for each and every service. No matter how secure you make your account, it can get hacked due to lackluster security procedures of the web service provider or even due to an inside job. Someone could read the answers to your security questions and use these to gain access to your accounts on other websites!

* Consider treating your security question's answer as a second password. You can either encrypt the answer by replacing the letter 'O' with a number 0, the letter 'l' with a number 1, the letter 'a' with the @ symbol, etc., though as dictionary attacks become more advanced this may become less effective. Or "go crazy" and create nonsensical answers just like your passwords as a combination of letters, numbers, and punctuation symbols.

The downside to this method is that your answer may be impossible to remember so you'll have to store it somewhere. And if you do forget your security question answer or cannot find it, you may never be able to reset your password! As a best case scenario you might be able to call customer service or send a copy of your ID to prove your identity. These processes could take a long time, problematic if, for example, you need to use an online banking service to pay your utilities bill today. And remember that some sites may require you to answer your security question every time you login, not just if you forget your password.

While website user account security used to revolve around just a login ID and a password, security questions have become very commonplace, especially as user verification when retrieving a lost password. If you are forced to answer such a question, try to pick the most obscure information possible so it is not easily guessed or found. Use different security questions on each and every website in case your account does get hacked and your answers read. Finally, consider treating your security question as a second password, making it cryptic thus difficult to hack. Security questions have become a modern fact of life on the Internet, so learn how to use them to your advantage.

Copyright 2009 Andrew Malek.