I wrote a blog entry five years ago, explaining why using security questions for password resets was a bad idea. (Why “improved” on-line security could compromise your bank account). It’s still true, and we’re still getting it wrong. Last week saw an American fined about £200k and sent to prison for nine months for hacking into college students’ email accounts. Depressingly he was after nude selfies, that most modern collision of prurience and narcissism, but he did it by working out the answers to password reset questions.
As a security measure, asking questions are things like “In what street was your first house?” and “What is your mother’s maiden name?” of people who routinely share their every experience on social media isn’t really very smart, is it?
So today’s top tip?
For every service provider who’s asked you for security questions, play a little game. Google yourself and see how long it takes you to find the answers.
Once you’re properly frightened, sit down and make up some answers. They need to be wrong, but they need to be memorable. You may choose to use a system, like the salting of passwords that I also recommended some time ago, to generate the answers – after all, the answer doesn’t have to make sense: you’re talking to a machine. If you do use a salt plus something derived from the service provider, then you don’t need to worry about choosing different questions for each service.
Then go back to every service provider and change your secret question answers. Sorry – dull, but necessary. Think of it this way: now you, like the queen, can have more than one birthday. Have yourself a sad little cup-cake with a single candle on your official birthday to commemorate the depressingly rubbish state of on-line security.
A bigger picture 