It happens. It is hard to remember everywhere you have passwords not to mention remembering the passwords themselves. This is why many people use a single password for everything. If you missed it, see my previous post for why this is a bad idea.
Most sites have a “I forgot my password” link you can use to reset your password if you forget it. Many sites require you to answer security questions before they will reset your password. By answering these questions correctly you prove your identity. These are questions you provided answers for when you created your account. Common security questions are:
- Who is your favorite actor, musician, or artist?
- What is the name of your favorite pet?
- In what city were you born?
- What high school did you attend?
- What is the name of your first school?
- What is your favorite movie?
- What is your mother’s maiden name?
- What street did you grow up on?
- What was the make of your first car?
- When is your anniversary?
- What is your favorite color?
- What is your father’s middle name?
- What was your high school mascot?
These questions allow you to gain access to your account the same as the password so you need to protect them as you would your password. The idea behind these questions is that you are likely to remember the answer but someone else would have a hard time guessing the answer.
Unfortunately, that is not always the case. According to the FTC 8.3 million people were victims of identity theft in 2005; 16% of those people reported that they knew the person who used their identity without permission. The problem has only gotten worse since then. Family members, friends, roommates are all likely to know the answers to at least some of these questions.
As bad as that is, complete strangers may be able to guess the answers to these questions. People share a lot of personal information on social media. Read the list of questions again and think about what you have shared. Do you follow your favorite actor or musician on Facebook or Twitter? Have you “liked” them? Did you list where you went to school? If you listed your home town a simple search will find the names of all the schools and their mascots in the area. Have you listed your birthday or anniversary? Are you friends with your parents? If so, someone may find maiden or middle names easily. What about posting a picture with your pet and including their name?
You get the idea. Very little is truly private anymore. It is either a public record that can be searched or we share it without thinking about the possible consequences. By guessing the answers to your security questions criminals can hijack your account without knowing your password.
So, what can you do? If the site lets you create your own security question consider doing that. Think of a question that only you would know and is it not something you would post online. For example:
Q: What color shirt was I wearing when I fell in the river?
If you are limited to pre-determined listed of questions you can do any of the following (assume the question was “What was your high school mascot”):
- Add punctuation to the answer – Tiger!
- Add numbers to the answer – Tiger88
- Misspell the answer – Tyger
- Spell the answer backwards – Regit
- Do all the above – Regyt88!
- Make up an answer – Green Mustache
Remember, the computer has no idea what the “right” answer is. Whatever you provide is the “right” answer. There is no rule that says it has be the real answer. As long as the answer you give when you forget your password matches then answer you gave when you created the account you are good.
If you follow this approach you need to remember which method you used so you can reproduce it later; just what you needed, something else to remember. You could use the same answer for every question so you can remember it but this is as bad as using the same password everywhere. You could just make sure you use the same method, that would be more secure than giving the standard answer each time. The best solution is to record the security question and your answer in the notes field of your password manager. This gives you the best security without having to remember anything.
You may think this being paranoid or overkill. First, I would remind you of one of my favorite sayings “Just because you are paranoid doesn’t mean they aren’t out to get you”. Second, you need to think about this from the criminal’s mindset not yours. Most people see a locked door and a sign that says “Authorized Persons Only” and move on, criminals see that and start thinking about how to get around it. You need to protect yourself.