
Pizza: great for when you're hungry, but terrible when it's an answer to a security question. rob_rob2001/Flickr

Those security questions you use for your accounts aren't exactly safe

But you already knew that, didn’t you?

THOSE SECURITY QUESTIONS that ask you your mother’s maiden name or the first album you ever bought might not be as secure as originally thought.

Research from Google shows that in the majority of cases your answers tend to be straightforward and are therefore insecure. The chance of an attacker getting a question right in ten guesses or fewer is high, considering how much information is publicly available or is common for cultural reasons, such as a widespread family name.

Also, crowdsourcing services online make it easier to come up with better guesses to these questions, which improves the chances of an attacker being correct.

On the other hand, coming up with fake answers can backfire since many who try this strategy use common words as answers, making it easier for attackers to guess the correct answer.

To give an example, an attacker would have a 19.7% chance of guessing English-speaking users’ answers to the question ‘What is your favourite food?’ as the most common answer is pizza.

A similar problem occurs with harder-to-guess answers, since they are also more difficult for the account owner to recall.

It’s probably unsurprising that the solution Google proposes is to use SMS-based codes, as in two-factor authentication, or to set up a secondary email account. Both help with authentication and make it easier for users to regain access to their account.
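As an added illustration (not code from the article or from Google’s study), the following Python measures how often an attacker’s top-k guesses would succeed against a constructed answer distribution, flags answers a sign-up form should reject for that reason, and generates a random replacement answer of the kind one could store in a password manager. The frequency table is constructed so that ‘pizza’ is 19.7% of answers, matching the figure quoted above.

```python
"""Weak security-answer check against a constructed frequency table."""
import re
import secrets
import string
from collections import Counter

# Constructed distribution of 1,000 answers to "What is your favourite food?"
# (a stand-in for real survey data, tuned so that "pizza" is 19.7%).
FOOD_ANSWERS = Counter({
    "pizza": 197, "pasta": 90, "chocolate": 60, "sushi": 50, "chicken": 45,
    "steak": 40, "curry": 35, "tacos": 30, "burger": 28, "lasagne": 25,
    "ice cream": 20,
})
# The long tail: 380 distinct answers given once each (constructed).
FOOD_ANSWERS.update({f"rare answer {i}": 1 for i in range(380)})


def normalize(answer: str) -> str:
    """Canonicalise an answer: case, punctuation and spacing do not add security."""
    cleaned = re.sub(r"[^a-z0-9 ]", "", answer.lower())
    return " ".join(cleaned.split())


def guess_success_rate(freq: Counter, guesses: int) -> float:
    """Fraction of users whose answer is among the `guesses` most common ones."""
    total = sum(freq.values())
    return sum(count for _, count in freq.most_common(guesses)) / total


def is_weak_answer(answer: str, freq: Counter, guesses: int = 10) -> bool:
    """True if the answer would fall to an attacker allowed `guesses` tries."""
    top = {normalize(a) for a, _ in freq.most_common(guesses)}
    return normalize(answer) in top


def random_answer(length: int = 16) -> str:
    """A random answer to store in a password manager instead of a real fact."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(f"1 guess:    {guess_success_rate(FOOD_ANSWERS, 1):.1%}")
    print(f"10 guesses: {guess_success_rate(FOOD_ANSWERS, 10):.1%}")
    print("pizza weak?", is_weak_answer("Pizza!", FOOD_ANSWERS))
    print("replacement:", random_answer())
```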


11 Comments

Conor Maher, May 25th 2015, 10:47 AM

    I tend to use random passwords for security questions and keep them in a password safe. A lot of services force you to create these “security” questions. What is your favourite pizza? tEzRxjSUttFkD8j2 with cheese

Whatsup Dok, May 25th 2015, 11:21 AM

    Can I ask what online account you use that answer for?

    no particular reason to ask, just… interested

Andrew Halpin, May 25th 2015, 10:59 AM

    Two step authentication can be a pain and if you’re in a shielded area or there’s no signal, it’s no use. There’s an authenticator app where you enter the code which changes every 60 seconds. I know Microsoft uses the three questions for changing security settings but try it from a strange location or IP address and it’ll shut the process down.
    If you want security think of a happy memory and formulate a sentence about it, and write the sentence down. Recite the sentence while thinking of the memory. Now rewrite the sentence but capitalise the first letter and last letter of each word in the sentence. You can leave out if, at, but, etc. or you can enter a number or symbol for each one. You now should have a password that’s unique and only you know the algorithm. You can choose only first or last letters if your sentence is long. You can tweak the password for sites by adding an abbreviation at the start, changing double letters to symbols or numbers (symbols are better). You can use upper/lower case, change letters to the corresponding number position in the alphabet, change an m to a w or whatever you feel is ok as long as you use association while you’re doing it. It seems a bit difficult but if you do it properly and follow the steps you will have a virtually unbreakable password. And you will be able to remember it.

Lily, May 25th 2015, 10:48 AM

    Favourite food? Shepherds pie, Yorkshire pudding and roast spuds :)

    Wacky food combination :)

    Hate pizza..

Jake Race, May 25th 2015, 1:43 PM

    Beware of security gospel. There is a lot of BS out there.

    It is, for instance, widely believed that adding special characters (!,£,$,%,&,@ etc) make your passwords more secure. The reality is that it depends where you put them. Replacing the letter a with @ and E with 3 will not protect you from a dictionary attack. Attackers just add all those other spellings of the words in their dictionaries.

    A secure password is one that doesn’t obviously spell a word. Maybe memorise a string of 5 special characters and add them to the beginning, end or middle of a word you will remember. But writing “p@$$w0rd” isn’t going to protect you.

Stephen Wallis, May 25th 2015, 7:04 PM

    If you’re a car fan, old reg numbers from your past make great passwords – my master password for 1Password is based on an old seven-character reg, with an old bank PIN and some additional characters in there too.

    Also, I have a special email address for password recovery on important email and e-commerce internet accounts – it’s not used for anything else, so hacking my regular email account won’t enable further account hacking.

Ripper Murphy, May 25th 2015, 1:28 PM

    My favourite food is an ice cream with cake on the side

Gemma Shah, May 25th 2015, 11:55 AM

    Who’s going to try and hack my email anyway?

Jake Race, May 25th 2015, 1:47 PM

    Oh dear.

    Well, most people have other services, including those linked to credit cards, linked to their email account.

    If I can get into your email account, I can access any other accounts you have linked to that email account via the “forgot password?” functionality.

    There is a famous case of a reporter from Wired magazine who had his Gmail account hacked. From there the hacker was able to access his Apple, Amazon and Twitter accounts.

Jake Race, May 25th 2015, 1:53 PM

    A simple way to avoid this is by setting up two-step verification. That way the forgotten password functionality requires, not only for you to respond to an email, but also to a text message.
