P@s$w0rdz: Security Questions & Answers



[Image: "Hotmail Password Reset" by sharonrosen, licensed under CC BY-SA 2.0]

Quotes

  • "I don't have a bank account because...
  • "The 10 Most Common Password Security Questions...
  • Password security questions for the depressed:...
  • "Your password should be secret, but...
[Image: "Security questions" by janetmck, licensed under CC BY 2.0]

The Problem

  • Some sites use the answers to security questions as an extra authentication factor.
  • These 'secret' answers are often weak, short, guessable, reused across multiple sites, etc. -- the security they provide is illusory.
  • Can you remember what your favorite food or movie was years ago when you created an account?
  • Have your interests, preferences or memory recall changed in recent years?
  • Hackers may be able to find those answers:
      • on social media sites, e.g., best friend in grade school, pizza preference, favorite color, ...
      • in public records, e.g., mother's maiden name, street where you lived, ...
      • in ongoing data breaches from other sites, e.g., answers and info that are no longer 'secret'
[Image: "Security Question" by XKCD, licensed under a Creative Commons Attribution-NonCommercial 2.5 License]

How to Improve

  • To avoid a hacker impersonating you and hijacking your account,
    reduce personal information available online
    and strengthen existing (and new) secret answers.
  • Reduce posting -- by you and your 'friends' -- of your (and their) personal details on social media;
    added bonus: marketers will know less about you.
  • Don't participate in quizzes/polls that trick you into revealing personal info!
    e.g., Why You Shouldn't Play That 'Fun Quarantine Game' on Facebook
    Why Social Media Name Games Are a Security Risk
  • Don't supply 'hints' for your secret answer -- or for your password.
    [Image: "password" by Terrapin Flyer, licensed under CC BY-SA 2.0]

  • Update any answers for each site to be unique / unpredictable:
      • If menu only: choose an untrue, opposite, or weird answer.
      • Otherwise: enter a misspelled, foreign, false or random phrase.
  • If a site allows you to create your own security questions,
    why not a hacker-proof one? e.g., "What's the answer to Question 1?" -- with a random answer!
  • Desirable characteristics (from the Choosing and Using Security Questions Cheat Sheet):
      • Memorable: The user must be able to recall the answer to the question,
        potentially years after creating their account.
      • Consistent: The answer to the question must not change over time.
      • Applicable: The user must be able to answer the question.
      • Confidential: The answer to the question must be hard for an attacker to obtain.
      • Specific: The answer should be clear to the user.
  • Avoid cluttering your brain.
  • Record secret answers -- along with the question -- in your password manager (PM) [e.g., the Notes field; screenshot on right].
  • To be even more organized,
    create a "Security Questions" section (this may be automatic in future versions of 1PW),
    and add an individual field to separate each question & answer [screenshot on right].
  • When requested, just look up, copy, and paste an answer.
  • Don't rely on secret answers alone for sensitive accounts
    -- use Multi-Factor Authentication when available.
  • Refs: Security Questions
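The advice above boils down to a small procedure: make up a random, untrue answer per site, store it with its question in your password manager, and stop reusing or guessing answers. As an added example (not code from the page or from any password-manager product), the Python below generates random answers with the `secrets` module, formats question/answer records for a notes field, and audits a set of records for the weaknesses listed under "The Problem" (short, guessable, reused). The word list, the common-answer list and the site names are constructed for illustration; a real generator would draw from a large list such as a diceware list.

```python
import math
import secrets

# Constructed, deliberately tiny word list; real use needs thousands of words.
SAMPLE_WORDS = ["ember", "tundra", "velvet", "quasar", "lantern",
                "meadow", "cobalt", "harbor", "saffron", "zephyr"]

# Constructed sample of answers that are easy to guess or look up.
COMMON_ANSWERS = {"pizza", "blue", "fluffy", "smith", "toyota", "new york"}


def generate_answer(n_words=4, wordlist=None):
    """Return a random multi-word answer unrelated to any true fact.

    secrets.choice is used rather than random.choice so the answer is not
    predictable from the generator state.
    """
    words = wordlist or SAMPLE_WORDS
    return " ".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_words, wordlist_size):
    """Bits of entropy in an n-word answer drawn uniformly from the list."""
    return n_words * math.log2(wordlist_size)


def make_record(site, question, answer):
    """One password-manager entry: the question is stored with the answer."""
    return {"site": site, "question": question, "answer": answer}


def notes_block(record):
    """Text suitable for a password manager's Notes field."""
    return f"Q: {record['question']}\nA: {record['answer']}"


def audit(records):
    """Flag answers that are short, on the common list, or reused across sites."""
    findings = {"short": [], "guessable": [], "reused": []}
    seen = {}
    for r in records:
        a = r["answer"].strip().lower()   # normalise so 'Pizza ' == 'pizza'
        if len(a) < 8:
            findings["short"].append(r["site"])
        if a in COMMON_ANSWERS:
            findings["guessable"].append(r["site"])
        seen.setdefault(a, []).append(r["site"])
    for sites in seen.values():
        if len(sites) > 1:                 # same answer on more than one site
            findings["reused"].extend(sites)
    return findings


if __name__ == "__main__":
    # Constructed sample: two sites sharing a guessable answer, one random one.
    sample = [
        make_record("bank.example", "Favorite food?", "pizza"),
        make_record("shop.example", "First car?", "Pizza "),
        make_record("mail.example", "Mother's maiden name?", generate_answer()),
    ]
    for site_list in audit(sample).items():
        print(site_list)
    print(notes_block(sample[2]))
    print("bits with a 7776-word list:", round(entropy_bits(4, 7776), 1))
```

Running the script prints the two reused sites under every finding and a clean random record for the third; the entropy line shows why the word list matters: four words from the ten-word sample give about 13 bits, while four words from a 7776-word list give about 52.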