Passwords, part 3: Being a good liar
We covered how to create good passwords in part 1. Part 2 discussed the importance of having multiple passwords and how to manage them. Hopefully, you’ve taken these suggestions to heart and are already using them out in the real world. However, we’re not quite done. We still need to keep the bad guys from sneaking in the back door.
In 2008 a hacker broke into the Yahoo! email account belonging to Sarah Palin, then a U.S. vice presidential candidate. It was remarkably easy to do. The hacker, a fellow named David Kernell, slid in through Yahoo’s password recovery facility, answering a security question with information about Palin’s personal life that was readily available online. Several years down the road, the rise of social networks like Facebook, Google+ and LinkedIn makes it even easier to gather the data needed to get past a series of so-called “secret questions,” because so many people leave the answers lying around out in the open.
There’s an easy solution to this dilemma: tell lies. If honesty is the best policy, this is the exception that proves the rule. These days, it’s best to assume your personal information is not safe. It may be deliberately or inadvertently exposed by yourself or by others, or it may simply be guessable. So, when a website asks you to answer a set of security questions (or challenge questions or secret questions or whatever they decide to call them), make stuff up. Come up with something memorable to you but not in the public record.
Here are some ideas…
- If you are a history buff, you might pretend to be Abraham Lincoln (adjust the birth date, though). Place of birth? Hodgenville
- I know of one guy who uses fruit names for everything. Name of your first grade teacher? watermelon
- One of the easiest tricks is to deliberately misspell your answers in a particular way — for example, always doubling the third letter. From what high school did you graduate? Wesstview
- Another fairly simple technique is to trade answers with your spouse, partner or significant other. The caveat is that those answers are still true facts about a real person, so this only works if an attacker can’t easily connect the two of you, and a pair of linked public profiles often makes that connection for them.
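To make the list concrete, here is an added Python example; it is not code from the original post. It implements the misspelling rule above (always double the third letter), a randomized version of the fruit-names trick meant to be written into the password manager from part 2 rather than memorized, and a small check that plays the attacker: it normalizes answers the way many recovery forms do (case-folding, dropping spaces and punctuation) and looks them up in a list of facts scraped from a public profile. The `PUBLIC_FACTS` and `WORDS` lists are constructed for the illustration, and the fallback for answers with fewer than three letters is my assumption, not something the article specifies.

```python
import secrets
import string

# Constructed sample of what an attacker could scrape from a public profile
# (school, hometown, pet, teacher, birth year, first car). Not real data.
PUBLIC_FACTS = [
    "Westview High School", "Westview", "Springfield", "Rex",
    "Mrs. Johnson", "Johnson", "1975", "Toyota",
]

# Constructed word list for the fruit-names idea.
WORDS = ["watermelon", "kumquat", "persimmon", "quince",
         "tamarind", "lychee", "papaya", "durian"]


def normalize(answer: str) -> str:
    """Case-fold and drop everything but letters and digits.

    Many recovery forms compare answers this leniently, so an attacker gets
    the same leniency: changing capitalization or punctuation is not a disguise.
    """
    return "".join(ch for ch in answer.lower() if ch.isalnum())


def double_third_letter(true_answer: str) -> str:
    """The misspelling rule from the list: always double the third letter.

    'Westview' -> 'Wesstview'. Only letters count toward the position; an
    answer with fewer than three letters has its last letter doubled instead
    (that fallback is an assumption, not something the article specifies).
    """
    letters = [i for i, ch in enumerate(true_answer) if ch.isalpha()]
    if not letters:
        raise ValueError("answer contains no letters to disguise")
    i = letters[2] if len(letters) >= 3 else letters[-1]
    return true_answer[: i + 1] + true_answer[i] + true_answer[i + 1:]


def random_answer(words=WORDS, n_words=2, n_digits=2) -> str:
    """The fruit-names idea taken one step further: an answer with no link to
    you at all, e.g. 'kumquat-papaya-41'. Built with the secrets module, so it
    is meant to be stored in a password manager, not remembered."""
    picked = [secrets.choice(words) for _ in range(n_words)]
    digits = "".join(secrets.choice(string.digits) for _ in range(n_digits))
    return "-".join(picked + [digits])


def is_guessable(answer: str, facts=PUBLIC_FACTS) -> bool:
    """True if the answer matches any scraped fact after normalization.

    This is the 'insecurity question' test: an honest answer such as
    'Westview' (or 'WESTVIEW') is found; 'Wesstview' is not.
    """
    known = {normalize(f) for f in facts}
    return normalize(answer) in known


if __name__ == "__main__":
    honest = "Westview"
    for candidate in (honest, honest.upper(),
                      double_third_letter(honest), random_answer()):
        verdict = "guessable" if is_guessable(candidate) else "safe"
        print(f"{candidate!r:28} {verdict}")
```

Running it shows the honest answer flagged in both its original and upper-case spellings, while the deliberately misspelled and the random answers are not found. The normalization step is the part worth noticing: a site that ignores case and punctuation hands the attacker the same tolerance, so the lie has to change the letters themselves, not just how they are typed.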
Bottom line: If you answer security questions honestly, they become insecurity questions. So, be imaginative with your answers. You don’t have to create a complete fantasy world, but you do need to bend reality at least a little bit.
Next up: Part 4 of this series (in progress) will cover a handful of more advanced topics for those of you who wish to dig more deeply into this whole password thing.