Thursday, July 1, 2010

Lock it down: Good (and bad) security questions!

In order to retrieve your Pobox password, we ask you to answer (among other things) the security question you set up when you created your account. But are you using a good question? Your account is only as secure as your security question.

Pobox lets you specify the question yourself, so you don't have to use the classic "What is your mother's maiden name?" Fully 10% of Pobox customers use some variant on this question -- but research indicates it's not a very safe way to secure your account. (Neither is "What is my pet's name?", if you ever talk about or post pictures of your pet online.)

Your security question and answer can be updated at any time, so go take a look at what yours is. If you can use any question, though, how do you pick a good one?

1. The answer should be hard for someone else to find out. This is a security question, and knowing the answer to it provides access to your account. Like a good password, that means it should be hard for someone else to figure out. So, "What is my high school's mascot?" is not secure at all. "What was on the cover of my sticker book?" is much better (though using it would probably would still have let my sisters break into my account.)

2. The answer should be hard to guess. Any question where the answer is a month, a color, a day of the week, a number under 10 or basically any other limited list of answers is a bad question. "What month did I get married?" only has 12 possible answers. Same with "What color is my bedroom?" Unless you know you'll always remember the paint was called "Deep Sea Diving", guessing "blue" would only take 5 or 6 tries, max.

3. The answer shouldn't change over time. The Pobox default security question is, "What is your favorite book?" This is great for me -- my favorite book has been the same for 15 years, or as long as I've been using that as my security question! But, if your favorite book changes every few years, this might not be a good choice for you. Per question 2, "The Bible" would also be a bad answer to this question, because so many people use it. If the Bible is your favorite book, consider a different security question, or using your second favorite.

We have also had more than a few uncomfortable customer service situations over questions like, "Who is my lover?", with respondents having to go back to girlfriends 5 or 6 back to come up with the correct answer.

Another problem is that many, many customers find it difficult to answer their security question correctly. Also consider these factors when writing your question.

4. Write the question so it's easy to always give the same answer. So, "Who was my kindergarten teacher?" could be Susan Jones, Ms. Jones, or Miss Jones. "What was my kindergarten teacher's last name?" only has one answer -- Jones.

5. Give a real answer. Some customers will tell us, "Security questions aren't secure, so I just put in random letters and numbers as my answer!" That's great, if you're writing them down and keeping track of them, or using a password crypt like 1Password. But, if you just hit whatever random keys you like, and don't keep track of them, we have no way to confirm you are who you say you are. If you forget/lose your password, and need to gain access to your account, you have basically made it impossible for us to grant it to you.

So, what are some questions that are hard to find out, hard to guess, unlikely to change over time, but easy to always type the same? A good list of questions is different for everyone, but try one of these real questions on for size!


Who was your first crush? (unless the answer is "my spouse")
Who knit your baby blanket? (unless the answer is "my mom")
What was your childhood stuffed animal's name?


Another good choice is something that wouldn't mean something to someone else, but makes sense to you. So, for instance, I have a piece of furniture in my house. It's not a cabinet, it's not a table, it's not a buffet or a curio cabinet. It's something in between. So, I call it Joe. For me, "What is the furniture with a name called?" would be a good question, though you probably shouldn't use it yourself. One of the best security questions I ever saw was "Who has skinny feet?" I'm sure the person who used it could answer that question in a second, but it would be very difficult to guess if you weren't them.

Even if you're 100% positive you used an awesome security question when you created your account, go look at yours now, and make sure you know the answer. If you are using an insecure security question, change yours today. Though no one likes to believe that someone would want to crack their account, it can and does happen. Be your own best first line of defense, and make sure your security questions and passwords are strong and secure.

No comments:

Post a Comment