How to game security questions to make yourself safer online


Sweet, sweet lies could help make your security question answers safer. (AP/Damian Dovaganes)

If you've been online for any significant period of time, you've probably been asked to answer some basic questions about yourself as a back-up security measure in case you forget a password. But in the age of social media, these "security questions" are essentially worthless. The name of your childhood pet or your mother's maiden name is likely somewhere online, just waiting for a dedicated adversary to dig up.

Apple's statement on the recent hacks, in which personal photos stolen from celebrities were later unleashed online, suggests that security questions were at least part of how the cybercriminals got access to victims' iCloud accounts:

"After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet."

And this is far from the first time security questions have been behind high-profile hacks: Back in 2008, a college student was able to easily guess the security questions of then-vice presidential candidate Sarah Palin's personal Yahoo e-mail account -- gaining access and bragging about it on 4chan, the same online message board where nude images of Jennifer Lawrence and other celebrities were posted after the most recent spate of hacks.

Unfortunately, just because the security question is fundamentally flawed doesn't mean it will be going away soon. It's baked into the security structures of so many sites and services that it's unlikely they will all suddenly admit their security practices are so obsolete that they are putting users' privacy at risk.

But there is a way to cheat the system and make yourself a little more secure: Lying. Your first dog's name was Spot? Make up a new one or a whole fake pack. Instead of your mother's maiden name, answer with your maternal grandmother's maiden name. Or better yet, don't actually answer the questions at all -- come up with a long, catty response.

"What's your father's middle name?"

"None of your business, thank you very much!"

Lengthy sentences are better than one-word answers because they are much harder to guess. Of course, this will make it harder to remember the answers to security questions, which could be a problem if you already have trouble remembering your passwords. One solution is to write down your wacky security question answers and keep them in a physically secure location.

One of the scary things about digital life is that online service providers often have the ultimate say on what security practices they use. Sure, they can sometimes be shamed into making changes, but typically users have little choice but to accept whatever security set-up is currently in place if they want to use a service or application.

But by choosing not to play by the company's rules when it comes to security questions, users can make their personal information at least a bit more secure. And when that is combined with additional security measures such as two-factor authentication, hackers will have a harder time getting your digital goods.

 


Andrea Peterson covers technology policy for The Washington Post, with an emphasis on cybersecurity, consumer privacy, transparency, surveillance and open government.