Time to think twice about your answers to website security questions

New research from Google has highlighted the risks many of us take when we quickly answer those ubiquitous security questions on websites after we create our passwords. These security questions and answers are especially important because they tend to be used on the sites that are most important to us from a security perspective — financial sites and online email services.

The problem is that the questions tend to be similar across sites (e.g., “Where were you born?”, “What’s your favorite food?”, “What was your first car?”), and our answers tend to be either easy to guess or fairly common, or both.

Specifically, Google found:

  • With a single guess, an attacker would have a 19.7% chance of guessing English-speaking users’ answers to the question “What is your favorite food?” (it was ‘pizza’, by the way)
  • With ten guesses, an attacker would have a nearly 24% chance of guessing Arabic-speaking users’ answer to the question “What’s your first teacher’s name?”
  • With ten guesses, an attacker would have a 21% chance of guessing Spanish-speaking users’ answers to the question, “What is your father’s middle name?”
  • With ten guesses, an attacker would have a 39% chance of guessing Korean-speaking users’ answers to the question “What is your city of birth?” and a 43% chance of guessing their favorite food.

So what are some easy ways to make things safer for you?

One is to sign up for two-factor authentication wherever it is offered.

Another is to think of more complex or creative answers to these questions when they are asked of you. Be more specific. Much more specific. Use slang or a nickname only you might know. Put some random characters in the answer to make it unguessable. Google found these kinds of practices meant that people would have trouble remembering the answer to a security question, but that’s what SplashID is for! Try putting the question and answer in another field in your web login record or in your record’s notes field.
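As an added example (not from the article or from Google’s study), here is a small Python script that turns the guess-count statistics above into checks a site could run: it computes the share of users an attacker covers with 1 or 10 guesses over a tally of answers, flags a question whose top-10 answers cover too many users, and rejects an overly popular answer at enrollment. The tallies, names and thresholds are constructed assumptions; only the 19.7% head share is taken from the article.

```python
from collections import Counter


def normalize(answer: str) -> str:
    """Canonicalise an answer the way a site would before comparing it:
    case-fold, trim, and collapse internal whitespace."""
    return " ".join(answer.casefold().split())


# Constructed tallies for "What is your favorite food?" across 1,000 users.
# The head is shaped so the top answer has the 19.7% share the article quotes;
# the 550-entry tail of unique answers is invented filler.
FOOD_ANSWERS = Counter({
    "pizza": 197, "chocolate": 60, "sushi": 40, "pasta": 35, "tacos": 30,
    "steak": 25, "ice cream": 20, "curry": 18, "ramen": 15, "pho": 10,
})
FOOD_ANSWERS.update({f"unique-food-{i}": 1 for i in range(550)})

# Constructed tallies for a question where every user gave a distinct answer.
DISTINCT_ANSWERS = Counter({f"unique-answer-{i}": 1 for i in range(1000)})


def guess_success_rate(counts: Counter, guesses: int) -> float:
    """Fraction of users compromised by trying the `guesses` most popular
    answers in order (the metric behind the article's percentages)."""
    total = sum(counts.values())
    covered = sum(n for _, n in counts.most_common(guesses))
    return covered / total


def question_is_weak(counts: Counter, guesses: int = 10, limit: float = 0.05) -> bool:
    """Policy check: retire a question if `guesses` attempts would succeed
    against more than `limit` of its users (threshold is an assumption)."""
    return guess_success_rate(counts, guesses) > limit


def answer_is_too_common(answer: str, counts: Counter, max_share: float = 0.01) -> bool:
    """Enrollment check: reject an answer already used by more than
    `max_share` of users, so popular answers cannot be enrolled."""
    total = sum(counts.values())
    return counts[normalize(answer)] / total > max_share


if __name__ == "__main__":
    for name, counts in (("favorite food", FOOD_ANSWERS), ("distinct", DISTINCT_ANSWERS)):
        print(f"{name}: 1 guess {guess_success_rate(counts, 1):.1%}, "
              f"10 guesses {guess_success_rate(counts, 10):.1%}, "
              f"weak={question_is_weak(counts)}")
    print(answer_is_too_common("  Pizza ", FOOD_ANSWERS))                 # True
    print(answer_is_too_common("the colour of elephants", FOOD_ANSWERS))  # False
```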

Google’s infographic

6 thoughts on “Time to think twice about your answers to website security questions”

  • June 26, 2015 at 7:50 pm

    And another thing: Some of the security questions I come across – such as those about birth places or names – have answers which are a matter of official record, or easily gleaned from other published sources, so not really all that secret. If you have the option to avoid using such questions, and their answers, it may be best to do so and rely on questions whose answers really are private.

    Otherwise, you could consider giving non-factual answers. I like to use answers which aren’t just untrue, but are totally implausible as well. For example, if the question needs an answer which is a place, define the answer as the name of a species of plant or a famous person.

    You’ll never remember them of course, but if you have a good password manager, you don’t need to remember them.

  • June 26, 2015 at 9:00 pm

    Teach folks to answer questions with a short phrase. E.g.:
    Favorite colour: the colour of elephants
    Favorite dog: the 1 from 7th Heaven!
    Mother’s maiden name: she liked Doris
    Father’s name: Morton Road Jail
    At the very least, have a ready-made set of answers which don’t necessarily have to relate to the question. You will know them; no one else will:
    Favorite colour: fish
    Favorite dog: cauliflower
    Guessing won’t work; it needs a dictionary attack.
    Just my 2 cents’ worth.

  • June 28, 2015 at 2:23 pm

    Well, you have really covered nice points. It means all security companies need to remove these types of questions? Or apply an alternative way for security?

  • June 28, 2015 at 5:44 pm

    Recently purchased Splash Key, cannot connect, very frustrated. Can someone HELP?

    Thank you

    Sal Gattuso
