Security questions not so secure

Lately, we’ve been sharing news of a few, actually more than a few, big password breaches. Whether it’s been LinkedIn, or Tumblr, or just last week, MySpace, there’s been no shortage of account hacks – and those hacks have exposed millions of usernames and passwords. These are all scary reminders of the need to have different, complex passwords for each online service that you use. But even if you do that (and have 350+ passwords, like I do), there's a security "feature" that may seem to add a layer of safety, but which may actually lull you into a false sense of security.

Today, it’s common when you sign up for a new on-line shopping, financial or social media account, to be asked several questions that are “personal”. These questions are generally about things like your elementary school, your mother's maiden name, a favorite color or food, or the make/model of your first car. Sites use these questions to verify your identity when you forget your password, or sometimes when you login or you’re doing something like placing an order or moving money.

But instead of protecting your account, these questions may be doing the opposite. First, whenever a question is easy to remember, it may also be easy for someone else to guess the answer. There are only so many colors, and not very much imagination in food preference. “Blue” and “pizza” are such popular answers to the favorite color and food questions that they’re worthless for account security.

Second, it’s easy to use social media and other online searches to find answers for many of the common “personal” questions. The depth and breadth of data that’s available online is incredible. Pets’ names, schools, family names, favorite teams: if you’ve been on-line and at all socially engaged, it’s out there to be found. Easily.

So, what to do? If a site allows it, you should create your own questions, and the answers to those questions should be “nonsense”. “What is your favorite tree?” is a good custom question and “hockeystick” wouldn’t be a bad answer. Really hard to guess, and pretty much impossible to find online (unless your Facebook page is dominated by hockey posts).
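To make the “only so many colors” point concrete, here is a small added Python example (not from the original post) that does two things: it reports how many guesses from a short list of popular answers it takes to hit an answer like “blue” or “pizza”, and it builds a nonsense answer in the “hockeystick” style from randomly chosen words, estimating the guessing entropy of each. The popularity lists and the sixteen-word list are constructed for illustration; a real deployment would draw from a published diceware-style list of thousands of words.

```python
import math
import secrets

# Constructed sample lists of popular answers, roughly ordered by popularity.
# Illustrative only; they stand in for real answer-frequency data.
POPULAR_COLORS = ["blue", "red", "green", "purple", "black", "pink", "yellow", "orange"]
POPULAR_FOODS = ["pizza", "chicken", "tacos", "steak", "pasta", "sushi", "burgers", "chocolate"]

# Constructed word list. Assumption: a real tool would use a published
# diceware-style list of thousands of words, giving far more entropy per word.
WORDLIST = ["hockey", "stick", "maple", "pebble", "lantern", "comet", "velvet", "tundra",
            "orbit", "saffron", "glacier", "quartz", "meadow", "ember", "harbor", "cactus"]


def guesses_to_find(answer, popular_answers):
    """Return how many guesses from the popular list are needed before `answer`
    is hit, or None if it never appears. Matching is case-insensitive and
    ignores surrounding whitespace, as most sites normalize answers that way."""
    wanted = answer.strip().lower()
    for rank, candidate in enumerate(popular_answers, start=1):
        if candidate.lower() == wanted:
            return rank
    return None


def entropy_bits(pool_size):
    """Bits of guessing entropy for an answer drawn uniformly from `pool_size` options."""
    return math.log2(pool_size)


def random_answer(words, count):
    """Build a nonsense answer by joining `count` words chosen with the `secrets`
    module (a cryptographically secure source), e.g. 'hockeystick'."""
    return "".join(secrets.choice(words) for _ in range(count))


def random_answer_bits(words, count):
    """Entropy of a `count`-word answer drawn uniformly from `words`."""
    return count * entropy_bits(len(words))


if __name__ == "__main__":
    for label, answer, pool in (("color", "Blue", POPULAR_COLORS),
                                ("food", "pizza", POPULAR_FOODS)):
        rank = guesses_to_find(answer, pool)
        print(f"favorite {label} = {answer!r}: found on guess #{rank} "
              f"(uniform pool of {len(pool)} would give {entropy_bits(len(pool)):.1f} bits)")

    nonsense = random_answer(WORDLIST, 2)
    print(f"custom answer = {nonsense!r}: {random_answer_bits(WORDLIST, 2):.1f} bits "
          f"from a {len(WORDLIST)}-word list; a 7776-word list would give "
          f"{random_answer_bits(range(7776), 2):.1f} bits")
```

The output makes the contrast visible: a popular answer falls on the first guess, while even two words from a tiny list already beat the entire color pool, and two words from a standard 7776-word list exceed 25 bits. Whatever the script generates should go straight into a password manager, since the whole point is that it is not memorable.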

If you can’t remember all your passwords and answers, write them down. On paper is OK, but the paper should be secure, and putting a copy in your lockbox or another private location would be a good idea. An Excel spreadsheet isn’t bad, but then you need to be concerned with the security of the computer storing that spreadsheet. A secure password manager is best, something like KeePass.

Finally, on sites where you can, use "two-factor authentication" instead of, or in addition to, security questions. Two-factor authentication requires your password plus another piece of information – like verifying that a picture displayed at login is one you’d previously selected, or using an authentication code sent to your e-mail or mobile device. And if you want more information on securing your on-line accounts, we’re here to help.
