The average person thinks about password security only when they get a notification saying that one of their accounts was compromised or when they forget the current password and need a new one. Passwords and security questions form the first line of defense and have the role of protecting an account from intruders.
The chosen password – if generated by you – may seem solid as a rock, and that’s the way it should be because the more complex it is, the harder it is to crack that account. For self-generated passwords users may have their own secret recipes, which usually include some sort of emotional connection to something or someone.
For hackers who don’t know you personally, a password generated using this secret and unique recipe could be a hard nut to crack, especially if the password is longer than 12 characters and includes numbers and special characters.
But what happens when these unique recipes are so good that even the person who created it can’t get into the account? That’s where security questions come in, which are meant to be a reliable password recovery feature. For this purpose there are some personal things that you will never forget, such as your mother’s maiden name, your first car, or the city where you were born, and the like.
Given the deeply personal nature of these things such questions are supposed to protect the account as the answers are hard to guess for anyone who doesn’t know you, unless of course you foolishly publish such data publicly on various platforms such as Facebook and the like.
When Security Questions Fail
Things take on a different perspective when the ‘hacker’ of your online account(s) is someone that you know well. It could well be your intimate partner, who may know the answers simply because they have got to know the personal information that might come up in a security question.
Technology now allows the installation of ‘spouseware’ (sometimes called ‘stalkerware’) to monitor a partner’s smartphone without their consent. But even those who don’t go this far can still be tempted to access their partner’s online accounts to read messages and keep an eye on their other half’s online activity. Don’t expect these stalkers to ask their victims for their password since they usually hack into the accounts by guessing the password or using the security questions via the reset function.
Forget Security Questions
A group of researchers analyzed hundreds of millions of secret questions and answers used for account recovery claims at Google. What they found puts into question the entire foundation of security questions, discovering that such functions are “neither secure nor reliable enough to be used as a standalone account recovery mechanism”. The authors of the research – Elie Bursztein, Anti-Abuse Research Lead and Ilan Caron, Software Engineer – were able to use their findings to conclude the reason for security questions’ shortcomings: “That’s because they suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember, but rarely both.”
It shouldn’t come as a surprise that easy-to-remember answers aren’t secure because they often contain information that is publicly available or within a small set of possible answers.
The more difficult an answer is, the harder it is for it to serve its purpose; it isn’t easy to remember the number of your library card, for example. This means the backup security won’t work and so you are locked out of your account.
While the obvious thing would be to add more security questions, the researchers found that piling them on makes password recovery difficult, even for rightful users who might ordinarily recall the answers in most cases.
What Can You Do?
As you can see, security questions are nowhere near to serving their purpose unless the answer is a lie. But this would mean that alongside the password you also need to remember the false answer, otherwise you’ll end up locked out of your account. This could act as an additional layer of security to address stalking from your partner (or, indeed, an ex).
Since the average U.S. internet user has more than 100 accounts, it is impossible to remember every password and security question answers unless there are being recycled. That, however, leaves you vulnerable to hackers because if they manage to get access to one account then these same passwords and security question answers can be used to enter other accounts.
To address the problem it is strongly encouraged to use a password manager, as it brings more than just the convenience of storing passwords. In addition to generating a unique and cryptographically secure password for each account such software will also store the security questions and answers associated with it. So those who might stalk you will have to first get past the security measures imposed by the developers of the password manager – and that could keep them busy for a while.
Best Password Managers of 2019