Technical Insight

Good Security Questions vs Social Media

I saw another meme go by on Facebook. This one challenged everyone’s memory to name all their Elementary School teachers. And I had more than ten friends participate, which resulted in me yelling at my computer screen again.

People, people – did you learn nothing from my Danger Memes blog? But people do not understand WHY some of these memes exist, so I’m going to unravel two more for you in the hopes that you’ll stop being shocked when hackers PWN your email, social media, bank accounts, etc. If you use a password based on your pet, your kids or other loved ones, your birthday, or your social security number, you’re begging to be hacked. But what about your security questions?

I don’t know about you, but I fat finger my passwords all the time. I’ve hit the Forgot my Password more often than I care to admit, especially on older sites I haven’t been to in a while. (This can include 401(k) programs from previous employers, pension plans, insurance sites, and more.) I have had a lot of Security Questions asked of me. My answers trend toward the bizarre WHENEVER THEY CAN.

Let’s talk about back-up authentication methods, i.e. password recovery. It is a common, and very reasonable practice, to create a series of security questions to prove that you are you, just like captcha proves that you are not a computer. These are excellent practice; however, organizations who enable them may not have best methods of security in mind – especially coded challenge/response combinations from years ago. Let’s face it, security changes rapidly these days with the ability to mass collect and process personal information.

It’s true, sometimes the security question options are limited. This is me advising both organizations and their DevOps on how to pick good security question options, and you the consumer how to select from their list of questions and then not give your answers away freely on Facebook.

For DevOps: What are the qualities of a good security question? Good questions produce answers that are safe, stable, memorable, and (more important for your cost in resetting) are simple, and have many possible answers to resist brute force guessing. Good questions might be:

  • What was the first name of the first person you held hands with romantically?
  • What movie did you go see on a romantic date?
  • What grade were you in for your first ever kiss?

Dodgy questions are the ones we’re seeing on social media:

  • What is the name of your favorite football team?
  • What was the first rock concert you ever attended?
  • What is your favorite color/fantasy animal?

Really bad questions are items which could be looked up without interaction:

  • What is your mother’s maiden name?
  • Where did you graduate High School?
  • In what year was your father born?

If you’re a developer putting together an authentication security challenge, please keep these principles in mind. Be creative in your questions!

But you, my darling consumer friends, need to stop with the memory memes on social media. I saw one recently which showed you how to create your fantasy name by using the first three letters of your mother’s maiden name, with the last three letters of your father’s middle name. What’s the harm? You ask me this, when I beg of you to reconsider participation.

The harm is a computer’s ability to look up partial words. To take the fantasy dragon meme apart: Smy/ter Jea/kin. What a great name for a book dragon – or Smy….Smythe? ter = Peter? Jean = Jeannie? Kin = Aikin? Millikin? By letting the computer know some of the letters in order, you’re making the time to guess reduce from thousands of minutes to less than one, when thumbing through human nomenclature in a guessing algorithm.

If I cannot convince you to lock down your Facebook to Friends Only, please at least cease with providing the world with the answers to your security questions for free. Because when you put some of them out there, you likely didn’t have all these good/bad questions in mind. Trust me, we know who your favorite teams are already. Click bait “tell-me-about-myself” memes were created for one of two purposes – to gain information about you as a user for attack purposes, or to lure you to external websites for marketing or malvertising purposes.

It’s about privacy and security. Guard yours on social media.