How secure are security questions?
You ask, we answer.
Here are your questions on security from our Ask Archer show.
The first one involves the questions sites ask you to verify it’s actually you.
“How secure are security questions?” asked Gary.
“For example, the ones that you select from a predetermined list, like ‘What’s your father’s middle name?’, ‘What school did you attend?’ and ‘What’s your dog’s first name?’” he explained. “Would it be more secure to have something that you could make up your own question and provide the answer?”
For answers, we turned to the cybersecurity professionals at Archer News network’s parent company, Archer International.
“In theory, you are the only person who knows these,” said Patrick C. Miller of Archer International.
“Problem is, the answers to your security questions, the questions themselves, get stored in a database, often the same database as the passwords. So, when the hackers — the bad guys — get in there and they steal the passwords, they steal more than that. They steal the security questions, your answers to the security questions.”
Then they can use your security question answers on your other accounts, too. Like your bank account.
In addition, a lot of people mention their pets’ names and other security question information on social media. Attackers can review your posts and use your own information against you, getting past security questions on your accounts.
“It’s actually a very common tactic,” Miller said.
Top 5 worst passwords of 2017, according to SplashData. Using common passwords makes it easy for crooks to get into your accounts. Image credit: SplashData
What should you do?
“Probably the best approach is really to treat the security questions answers as passwords,” Miller explained.
“I don’t enter in my dog’s name or my birthday or a maiden name or middle name of a grandparent or something,” he said. “I actually create a password — just like I would any other password — and I put that in the field instead of the answer to the question.”
He then records the question and the “answer” in his password safe.
“Makes it much more difficult for someone to reuse those if they ever get compromised,” Miller said. “Or if you need to make any changes, you have that information handy if you actually need to use it.”
“The short answer is — treat them just like passwords and create passwords for them, but of course record that so you don’t end up not getting back into your account,” he added.
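As an added illustration of this advice (not code from Archer News or Archer International), the Python sketch below checks a constructed list of password-safe entries for security answers that are reused across sites or that match facts visible on social media, and generates a random replacement for each one. The entry format, site names and function names are assumptions made for the example.

```python
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits

def random_answer(length=20):
    """Return a random string to store in place of a real answer."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def normalize(answer):
    # Assumption: compare without case or whitespace, so "Rex" and "rex " match.
    return "".join(answer.lower().split())

def audit(entries, public_facts):
    """Return {(site, question): [reasons]} for answers that should be replaced."""
    facts = {normalize(f) for f in public_facts}
    seen = defaultdict(list)
    for e in entries:
        seen[normalize(e["answer"])].append(e["site"])
    findings = {}
    for e in entries:
        key = normalize(e["answer"])
        reasons = []
        if key in facts:
            reasons.append("matches a publicly known fact")
        others = sorted(set(seen[key]) - {e["site"]})
        if others:
            reasons.append("reused on " + ", ".join(others))
        if reasons:
            findings[(e["site"], e["question"])] = reasons
    return findings

# Constructed sample data: hypothetical password-safe entries and public facts.
VAULT = [
    {"site": "bank.example", "question": "What's your dog's first name?", "answer": "Rex"},
    {"site": "shop.example", "question": "Name of first pet?", "answer": "rex "},
    {"site": "mail.example", "question": "What school did you attend?", "answer": "k3VqT9wLm2ZxP0aRbN7c"},
]
PUBLIC_FACTS = ["Rex", "Lincoln High"]

if __name__ == "__main__":
    for (site, question), reasons in audit(VAULT, PUBLIC_FACTS).items():
        print(f"{site}: {question} -> {'; '.join(reasons)}; replace with {random_answer()}")
```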