It is time to Kill Security Questions—or Answer Them with Lies
Updated Mon, January 30, 2023 1:23 EST
In yet another cyberattack, state-sponsored attackers compromised the data of at least 500 million Yahoo users, an incident that was only reported recently. It was not just passwords and email addresses that were breached, but also the security questions and answers that users keep as a backup for resetting their passwords. These are supposedly secret pieces of information, such as a person's favorite vacation spot or the first car they bought.
The Yahoo fiasco has underlined how these seemingly innocent questions remain the weak link in online authentication. Ask security experts about security questions and they will tell you that the practice should be done away with, and that for as long as it continues to exist, one should never answer the questions honestly.
The Yahoo breach has highlighted both how guessable these answers are and how difficult it is to change a security question once its answer has been exposed.
The security question mechanism has proved grossly inadequate, even though it was long considered the reliable last resort for password recovery. The thinking was that even if one forgot a complicated password, one would never forget one's mother's name or the place where she was born.
Looking at the different cyberattack incidents, relying on factual data is plainly unwise: the data is never really secret. A social media search can often reveal these "secrets", such as where one grew up or the make of one's first car. This approach therefore puts personal accounts at risk.
Reset Mother’s Maiden Name
Security experts want the security question practice to go away. The logic is simple: if complex passwords are vulnerable, what makes security questions so special that they will survive forever without being attacked?
Every new data breach reveals more personal information, making the answers to security questions easier to guess and allowing attackers to reuse that information against other services. By aggregating details from different leaks, attackers build up a broad profile of each victim.
Somebody quipped on Twitter that anyone with a Yahoo account would need to find a new street to have grown up on, or a new mother, once the Yahoo breach became public. Because security questions and answers are reused across sites, a breach on Yahoo's scale is the security equivalent of an ecological disaster.
In 2015, Google security researchers analyzed the security question approach and its weaknesses and concluded that secret questions have answers that are either somewhat secure or easy to remember, but rarely both. This makes the secret question unreliable and insecure as a standalone recovery mechanism.
Google has instead set up SMS messages or a backup email address for account recovery; it had removed security questions long before the study was published.
My Mother was born in Fgstow’s Z2@d
Security questions are not going away soon; it will take time for new systems and transitions to emerge. So the least one can do is to strengthen the existing security questions on critical services. The best way is to lie in your answers. Suppose, for example, that one's address is in New York and this information is on a Facebook profile. An attacker will then treat New York, or somewhere nearby, as the most probable answer to the question of where one's mother was born, and try those guesses first.
The best way is to give a random string of characters that carries no meaningful information. Even if a site asks about an obscure life detail that one is confident an attacker cannot find, answering with a random string means that no real fact is disclosed if that answer is leaked in a breach.
This approach makes security answers impossible to remember, unlike personal facts, which we retain easily. Therefore one should start using a password manager: it will store strong, randomly generated passwords and can store security answers as well.
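To make the contrast concrete, here is an added Python example that is not part of the original article. It models the New York scenario with a constructed, hypothetical answer distribution (the frequencies are invented for illustration, not taken from the article or any real study), measures how quickly an attacker who tries the most common answers first succeeds within a typical lockout budget, and generates random answers with the `secrets` module together with their entropy, ready to be stored per site in a password manager.

```python
import math
import secrets
import string

# Constructed, hypothetical answer frequencies for the question "Where was your
# mother born?" among users whose public profile says they live in New York.
# The numbers are made up for illustration only; they are not from the article
# or from any real measurement. "other" is the long tail the attacker does not
# bother enumerating.
MOTHER_BIRTHPLACE_GIVEN_NEW_YORK = {
    "new york": 0.35,
    "brooklyn": 0.12,
    "queens": 0.08,
    "bronx": 0.05,
    "boston": 0.04,
    "philadelphia": 0.03,
    "chicago": 0.02,
    "other": 0.31,
}


def ranked_answers(distribution):
    """Most probable answers first, excluding the unenumerated tail."""
    return sorted(
        (a for a in distribution if a != "other"),
        key=lambda a: distribution[a],
        reverse=True,
    )


def guess_success_rate(distribution, guesses):
    """Probability that an attacker who tries the most common answers first
    succeeds within `guesses` attempts (a typical lockout allows 3 to 5)."""
    return sum(distribution[a] for a in ranked_answers(distribution)[:guesses])


def guesses_to_reach(distribution, target):
    """Smallest number of guesses giving at least `target` success probability,
    or None if the enumerated answers never get there."""
    for k in range(1, len(distribution)):
        if guess_success_rate(distribution, k) >= target:
            return k
    return None


# Alphabet for fabricated answers. Some sites lowercase, strip punctuation or
# cap the length of answers, so check what the site accepts and adjust.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def random_answer(length=20, alphabet=ALPHABET):
    """A security-question answer with no personal meaning, drawn from the OS
    CSPRNG via `secrets` (never the `random` module for anything secret)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string of this length and alphabet."""
    return length * math.log2(alphabet_size)


def expected_guesses(length, alphabet_size):
    """Average number of guesses to hit a uniformly random answer by brute force."""
    return 2 ** (entropy_bits(length, alphabet_size) - 1)


def recovery_entries(site, questions, length=20, alphabet=ALPHABET):
    """Per-site, per-question answers to paste into a password manager's notes.
    Every answer is independent, so one site's leak reveals nothing about
    another site's answers, and none of them is a real fact about the user."""
    return {site: {q: random_answer(length, alphabet) for q in questions}}


if __name__ == "__main__":
    dist = MOTHER_BIRTHPLACE_GIVEN_NEW_YORK
    for k in (1, 3, 5):
        print(f"factual answer, {k} guess(es): {guess_success_rate(dist, k):.0%} success")
    print(f"guesses for a 50% chance: {guesses_to_reach(dist, 0.5)}")
    bits = entropy_bits(20, len(ALPHABET))
    print(f"random 20-char answer: {bits:.1f} bits, "
          f"about {expected_guesses(20, len(ALPHABET)):.2e} guesses on average")
    print(recovery_entries("example.com", ["mother's birthplace", "first car"]))
```

The point the numbers make: under the constructed distribution the factual answer falls with better-than-even odds inside three guesses, while a 20-character random answer from a 72-symbol alphabet carries over 120 bits of entropy and is effectively unguessable. Before adopting a random answer on a given site, check what the site accepts: some services lowercase answers, strip punctuation or cap the length, so generate with an alphabet and length the site will store and verify faithfully, and keep the generated answer only in the password manager.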
Use a Password Manager
If one has taken the time to add as many accounts as possible to a password manager and randomize all their passwords, one should know that randomizing security answers is a doable but long-term project. It takes only a few minutes to add a new account and make sure the random character strings are saved correctly in the password manager. But the average user has many digital accounts linked to their primary email address, and the option to change security answers is not always available, so randomizing every security question remains a slog.
Experts suggest starting with the accounts that hold the most critical data: financial accounts, email, and medical accounts. Even if one does not yet use a password manager, one can start now; it is the only practical way to keep track of security answers. One should have a unique password for each site and service and, just as importantly, unique answers to security questions, all stored in a password manager.
Security experts believe there are enough alternatives to security questions that they can be phased out, even for the federal government, but there is no one-size-fits-all solution. Do you want U2F? Go for it. Do you want Google Prompts? Go for it. Do you want something written on a piece of paper that we mail to you? Go for it.
Popular web services are moving from security questions to better options. Twitter does not appear to use security questions at all for account recovery. Facebook offers security questions only as a last resort, when users indicate that they no longer have access to the mobile phone or backup email address they set up earlier, but Facebook never lets users update or improve their questions.
Security questions used for password recovery are fundamentally insecure. But if we cannot abolish them, we can at least make our answers impossible to guess.