Strong password security questions are rarely what a website uses to verify that you are who you say you are when you try to recover your password. The account recovery question-and-answer process is a very common way for a cyber attacker to break into your online accounts.

Have you ever encountered a popular website where you log into your own account and it asks you to pick one question (or up to 3) and write an answer? These question-answer challenges are usually used for password resets in case you forget your password. If the question is answered correctly, a password reset will usually be sent to your email, and if your email was already broken into, a cyber criminal may have access to any account of yours they want. However, in some cases, password resets are not sent to an email address at all; the site immediately lets the requester reset the password on-screen, which makes it even more convenient for a cyber criminal.

For example, a question might be “What is your mother’s maiden name?”, “What was your High School mascot?” or “Your first car make and model”. Some, if not most, of these answers can be found through social media or through a simple internet search, which can lead to a reset password and your account being broken into. This is one way some Hollywood movie star accounts have been hacked, as their life information is very public.


Many websites that you can have an account on offer a way to request a password change in the event that you’ve forgotten your password (or when you don’t have access to your password manager software).

You can generally reset your security questions from within your accounts too.

When you are trying to recover your password for an account, a website will usually ask you some personal questions that you answered when you first created your account. These questions are meant to be an extra step to stop cyber attackers from hijacking your online account, especially in the case where someone has compromised your email account. It is the extra verification step that goes beyond just clicking a password reset link in an email.

By default, these websites do not ask strong password security questions, instead opting for simple questions such as “mother’s maiden name”, “your first car model”, “the first school you attended”, “your first girlfriend or boyfriend”, etc.

So, to secure the account recovery process of any online account you have, we actually recommend that you use deliberately inaccurate information for these question-answer challenges, or treat each answer as a password and come up with a secure one. This helps prevent account access through question-answer challenges. Just remember what your inaccurate answers or passwords are, otherwise you’ll have no easy access to your accounts, because you usually use a website’s password recovery precisely when you don’t have access to your password manager or truly cannot remember your password.

Here is an example of a way you can fill in the question-answer challenges:

“What is your mother’s maiden name?”
Actual answer: “Julia”

BAD: “Julia”
GOOD: “Sarah Goldman” (as long as you can remember this fictitious answer)
BEST: “CatHorseDogCow29”

Keep in mind that some websites don’t require you to answer questions for this extra security step and keep it as an optional security feature. We believe this extra step of answering personal questions can be very effective at stopping account hijacks, if you enable it first and then use effective answers that aren’t obvious or researchable. Think of these Q&A as extra passwords a cyber attacker must guess, crack, or otherwise figure out to get into your account. Save these answers in your password manager software.
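As an added illustration (not code from the original post), the script below generates “BEST”-style answers like the CatHorseDogCow29 example, estimates how many bits of guessing work such an answer costs an attacker who knows the scheme, and flags an answer as weak when it matches a fact from a constructed sample of publicly discoverable profile information. The small word list is a placeholder; a real generator would draw from a large list such as a diceware list.

```python
import math
import re
import secrets

# Constructed placeholder word list. A real generator should use a large
# list (a 7776-word diceware list gives about 12.9 bits per word).
SAMPLE_WORDS = ["cat", "horse", "dog", "cow", "river", "stone", "maple", "cloud"]


def generate_answer(words, n_words=4, n_digits=2):
    """Build an answer such as CatHorseDogCow29 from random words plus digits.

    secrets.choice is used instead of random.choice so the answer stays
    unpredictable even to someone who knows when it was generated.
    """
    picked = [secrets.choice(words).capitalize() for _ in range(n_words)]
    digits = "".join(str(secrets.randbelow(10)) for _ in range(n_digits))
    return "".join(picked) + digits


def entropy_bits(wordlist_size, n_words=4, n_digits=2):
    """Guessing entropy if the attacker knows the word list and the format."""
    return n_words * math.log2(wordlist_size) + n_digits * math.log2(10)


def _normalize(text):
    # Drop case and punctuation so "Julia" and "julia!" compare equal.
    return re.sub(r"[^a-z0-9]", "", text.lower())


def is_researchable(answer, public_facts):
    """True if the answer equals, or contains, a publicly discoverable fact.

    Only facts of at least 4 characters are used for the substring test so
    that very short tokens do not produce spurious matches.
    """
    norm_answer = _normalize(answer)
    for fact in public_facts:
        norm_fact = _normalize(fact)
        if norm_answer == norm_fact or (len(norm_fact) >= 4 and norm_fact in norm_answer):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample of facts an attacker could find on social media.
    profile = ["Julia", "Ford Mustang", "Lincoln High"]
    print("Julia researchable:", is_researchable("Julia", profile))
    print("Generated:", generate_answer(SAMPLE_WORDS))
    print("Bits with a 7776-word list:", round(entropy_bits(7776), 1))
```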

Remember, nothing is stopping you from using a password in these question-answer challenges, though we do NOT recommend you use your account’s actual password as the answer to the challenge. You can also think of it as a privacy concern: does a website really need to know your first girlfriend or boyfriend’s full name?
