Our online identities are always under attack. If you think that sounds dramatic, consider this: Cybercrime makes about $1.5 trillion in profits a year, and that’s a conservative estimate.
Strong passwords go a long way toward securing our accounts, but the sad truth is that most people don't bother to set up complex, unique passwords for every account.
Using Two-Factor Authentication
Taking an extra step, like setting up two-factor authentication (2FA), further bolsters your logins. The easiest way to implement two-factor is with SMS: you receive a text with an access code every time you try to log into a secured account. While certainly better than nothing, getting your 2FA codes over SMS has real downsides. Specifically, it leaves you exposed if someone hijacks your phone number in a SIM-swap attack, a longtime problem that has only gotten worse of late. By taking over your phone number, attackers can redirect any two-factor text messages to their own device, giving them much easier entry to your accounts.
Lorrie Cranor, a computer scientist at Carnegie Mellon University and former FTC technologist who had her own SIM stolen in 2016, states that authenticator apps are not vulnerable to this problem and are thus a more secure way to do two-factor verification. Rather than send you an SMS, a third-party authenticator app shows you a six-digit code that changes roughly every 30 seconds. The code is not random, and nothing is transmitted to the app: it is computed on your device from a secret the service shared with you when you enrolled (usually by scanning a QR code) and the current time, following the TOTP standard (RFC 6238), and the service runs the same computation to check what you type in. The benefits of tying those codes to a physical device, rather than your phone number, extend beyond security; because the codes depend only on the secret and the clock, apps like Google Authenticator, Authy, and Duo keep working without an internet or cell connection.
What’s the deal with security questions, anyway?
In recent years, the cybersecurity world has reconsidered the use of security questions altogether. They ask you to remember personal tidbits like your favorite sports team or the street where you bought your first home. On the one hand, these can be easy to answer; on the other, they're not as secure as you may think.
There are classic questions that pop up, like "What is your mother's maiden name?" One of the biggest problems with these sorts of questions is that the answers are relatively easy to find. Your mother's maiden name is likely a matter of public record, and by merely knowing the name of your high school, a thief can figure out the mascot. Finding your favorite sports team isn't tough either, with a glance at your social media profiles.
Hackers who accessed user accounts, as in the infamous Yahoo data breach, have also been able to access users' security questions and answers, so even answers that are harder to find online may be floating around the dark web.
So how can we better secure our security questions? One approach is to lie about your answers, but even that has its downsides.
Google’s take on security questions
A 2015 study conducted by Google researchers concluded that “secret questions generally offer a security level that is far lower than user-chosen passwords.”
For one, many people use easy-to-guess answers that don't even require careful snooping or hacking. The study also found that people who lie in their answers often forget those made-up answers later, making it harder for them to recover a forgotten password.
Ultimately, the researchers say, "We conclude that it appears next to impossible to find secret questions that are both secure and memorable." While Google's research isn't optimistic about these types of questions, many websites still use them, so we need to adapt.
How to manage your security answers
How can you field these sorts of questions more securely without forgetting your fictional answers?
One solution is to use a password manager, which lets you use hard-to-crack passwords without remembering each one. Most password managers also let you keep secure notes, and that is where you can store your made-up answers.
If you're not using a password manager, be sure you come up with fake answers you can replicate later. For example, if the question asks for your mother's maiden name, you might instead use your grandmother's middle name or a favorite celebrity's maiden name. Keep in mind that a relative's name is still a personal fact a determined attacker could dig up, so if you do have a password manager, a randomly generated answer stored there is the safer choice.
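The "lie and record it" approach works best when the lie is unguessable, which is easier to get right by generating it than by inventing it. The following is an added example, not code from the article or from any password manager, that produces random security answers and formats them as a secure note to paste into a manager. The 64-word list is constructed for illustration; a real word list such as the EFF diceware list has thousands of entries, which is what the entropy arithmetic assumes you would substitute.

```python
import math
import secrets
import string

# Constructed 64-word list for illustration only; use a full diceware-style list in practice.
WORDS = (
    "anchor apple basket beacon bridge cabin candle canyon carbon castle cedar cherry "
    "circle cloud comet copper coral crystal desert dolphin eagle ember falcon feather "
    "forest garden glacier granite harbor harvest helmet island jasper jungle kettle "
    "lantern lemon maple marble meadow meteor mirror nectar oasis orbit orchid pebble "
    "pepper pillar planet prairie quartz raven river saddle salmon shadow silver summit "
    "thunder timber tulip valley velvet"
).split()


def random_answer(n_words: int = 4, words=WORDS, sep: str = "-") -> str:
    """A fake answer built from uniformly chosen words (secrets, not random, for CSPRNG quality).
    Word-based answers survive being read back over the phone to a support agent."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def random_token_answer(length: int = 16) -> str:
    """Letters-and-digits answer for sites that reject spaces or hyphens in answers."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def answer_entropy_bits(n_words: int, words=WORDS) -> float:
    """Guessing work in bits for an n-word answer drawn uniformly from `words`."""
    return n_words * math.log2(len(words))


def token_entropy_bits(length: int, alphabet_size: int = 36) -> float:
    return length * math.log2(alphabet_size)


def secure_note(site: str, questions) -> str:
    """Generate one fresh answer per question and format the pairs as a secure-note entry."""
    lines = [f"Security answers for {site} (fabricated; never reuse on another site)"]
    for question in questions:
        lines.append(f"Q: {question}")
        lines.append(f"A: {random_answer()}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(secure_note("example bank", [
        "What is your mother's maiden name?",
        "What was your high school mascot?",
    ]))
    print(f"4 words from a 64-word list: {answer_entropy_bits(4):.0f} bits")
    print(f"4 words from a 7776-word list: {4 * math.log2(7776):.0f} bits")
    print(f"16-char token: {token_entropy_bits(16):.0f} bits ->", random_token_answer())
```

Each site gets its own answers so a breach like the Yahoo one exposes nothing reusable elsewhere, and the note lives only in the encrypted manager, never in email or a text file.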
If the site gives you the option to create your security questions, take advantage of that and come up with obscure questions that would not be easy to find by searching you out online or looking at your Facebook or Twitter profile.
You might go with something like, “What is the name of your imaginary friend from childhood?” or “What band poster did you have on your wall in college?”
Security questions may one day become obsolete, but in the meantime, it’s smart to take some steps to keep your answers as secure as possible. This one time, a little lying is perfectly acceptable.
Komando, Kim. “One lie security experts use all the time and you should, too” Komando.com August 8, 2020