Who knows the answers to your security questions?

Security questions, also known as challenge questions or secret questions, are a way to help you recover access to accounts when you forget your passwords. Security questions are meant to protect your accounts, but they can actually provide hackers with a loophole to break into your accounts.

Google's research into its own account-recovery data found that "easy security questions aren't secure and difficult answers aren't usable." Many companies pile on more security questions in an effort to make this insecure method more secure, but the extra questions come at the expense of usability: too many questions make it hard for actual account owners to recover their accounts, which then drives calls to the Service Desk. Google concludes that security questions should be a last resort, used only when no other alternatives are available. A few examples of easy security questions commonly used today:

  • What is your favorite food?
  • What is your city of birth?
  • What is your first teacher’s name?
  • What is your father’s middle name?

Answers to the above questions are easy to social engineer. Social engineering is a form of hacking – the hacker tricks the system into thinking they are an authorized user by supplying personal information that is readily available.

Take a look at your own social media profiles: how much information is available out there for a hacker to pretend to be you? What about those “Get to Know Me” questionnaires that get passed around between friends on Facebook? People readily share personal details as a way of finding commonalities with their social network, without considering the risks.

Two hacking incidents should serve as sobering wake-up calls for those who still believe in security questions. In 2014, the world experienced the biggest leak of celebrity nude images in the history of the Internet. The iCloud accounts of several Hollywood celebrities were compromised by a targeted attack on their user names, passwords, and security questions. In 2008, Sarah Palin’s Yahoo! email account was hacked in the run-up to that year's election. All the hacker did was use the password reset prompt and answer her security question, which was “Where did you meet your spouse?”

If the above incidents scared you a little, there’s a stronger form of authentication you can employ: multi-factor authentication. It requires two or more of something you know (username and password), something you have (a hardware device), and something you are (biometrics) in order to gain access. Specops uReset™ lets you use various factors, ranging from company identity services (e.g., Salesforce login) and personal identity services (e.g., LinkedIn) to mobile verification codes and higher-trust options (e.g., smart cards), to authenticate yourself when resetting your password. These factors can replace your security questions, removing the need to remember your answers as well as the risk of relying on information that could easily be found online.

Learn more about Specops uReset™.

(Last updated on October 30, 2023)
