Ladyg33k

Passwords, Secret Questions, and the Not-So-Secret Answers

I'm sure that if you've found this page, you have at least a half-dozen Internet accounts. My question to you is... how secure is your account?

In the event that I forget my password, I would really feel better if I always got a password reset link sent to the email address on file. Heck, I'd even settle for having to click that link, then answer the "secret questions".

That brings me to another flaw in account security... the so-called "secret questions" with "secret answers". How many times have you seen the following?

Things like this infuriate me, especially on sites that only require you to answer one or two of these to unlock your account or change your password. To make matters worse, they never email you to let you know that your account has been changed or breached! They don't let you choose a username; they require you to use your email address. With social networking sites like Facebook and MySpace, a few mischievous friends, or a nasty ex, what's to stop them from taking over your account?

I'm sorry guys, but there is really nothing too secret about those questions. The answers can be gleaned from many public sources that are wide-open to the masses. Any goon with a knack for finding things on Google and the ability to cross-reference what turns up could essentially take over your world if that's the best security you've got!

In my own attempts to be more secure, I've used my own "secret word" as an answer to all of these goofy questions. The word is easy for me to remember and there's not one ounce of truth to it; in fact, it's not even a word! That plan worked out well until I found some sites were getting wise to it and raising the bar.

One financial institution wouldn't allow me to use my word for each answer. No! They wanted each answer to be unique. I tried just adding a number to the end, but then I found that they would present me with different questions on each login to verify my identity. I found it incredibly difficult to keep track of the order that the questions were asked in, so I have devised a new scheme to the madness of these questions and the lack of security that they impose.

In my new scheme for the not-so-secret questions, I answer each one truthfully and suffix it with my "key". My key is a password only known to me that I'll never write down or save anywhere. You might choose to prefix your not-so-secret answers instead, or use both a prefix and a suffix; the choice is yours. You may make it as simple as a PIN or as complex as a DoD password, but I offer this food for thought:
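To show the scheme above from both sides of the login form, here is an added Python example (written for this page, not the author's own code). The user-side function composes the answer the post describes (truthful fact plus a private key, as suffix, prefix or both), and the site-side functions show how a site should store and check such answers: a salted PBKDF2 hash rather than the answer itself, a constant-time comparison, and a defender's check of whether anything a researcher could pull from public sources would pass. The answer "Springfield", the key "tq9-Lanterns" and the list of public facts are constructed placeholders, not real credentials.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed sample values for illustration only.
TRUTHFUL_ANSWER = "Springfield"   # the kind of fact public sources reveal
PRIVATE_KEY = "tq9-Lanterns"      # the user's private key (constructed placeholder)


def compose_answer(truthful_answer: str, key: str, mode: str = "suffix") -> str:
    """User side: the answer actually typed is the truthful fact plus the key.
    mode selects the post's variants: 'suffix', 'prefix' or 'both'."""
    if mode == "suffix":
        return truthful_answer + key
    if mode == "prefix":
        return key + truthful_answer
    if mode == "both":
        return key + truthful_answer + key
    raise ValueError("mode must be 'suffix', 'prefix' or 'both'")


def normalize(answer: str) -> str:
    """Site side: canonicalize case, spacing and Unicode form so that harmless
    variation does not lock the real user out. Caveat for the user: a key whose
    strength depends on letter case loses that strength at a site that folds case."""
    answer = unicodedata.normalize("NFKC", answer)
    return " ".join(answer.casefold().split())


def enroll(answer: str, iterations: int = 100_000) -> dict:
    """Site side: store a salted PBKDF2-HMAC-SHA256 hash of the normalized answer,
    never the answer itself, so a database leak does not expose it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}


def verify(record: dict, attempt: str) -> bool:
    """Site side: recompute the hash for the attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(attempt).encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def guessable_from_public_sources(record: dict, public_facts: list) -> bool:
    """Defender's check: would any fact findable in public sources (constructed
    list) pass verification? True means the stored answer is no secret at all."""
    return any(verify(record, fact) for fact in public_facts)


def demo() -> dict:
    """Enroll the same truthful fact with and without the key and compare outcomes."""
    public_facts = ["Springfield", "springfield", "Shelbyville"]  # constructed
    keyed = enroll(compose_answer(TRUTHFUL_ANSWER, PRIVATE_KEY, "suffix"))
    bare = enroll(TRUTHFUL_ANSWER)
    return {
        "keyed_accepts_full_answer": verify(keyed, TRUTHFUL_ANSWER + PRIVATE_KEY),
        "keyed_rejects_truth_alone": not verify(keyed, TRUTHFUL_ANSWER),
        "keyed_guessable_publicly": guessable_from_public_sources(keyed, public_facts),
        "bare_guessable_publicly": guessable_from_public_sources(bare, public_facts),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the two enrollments make is the one the post argues: the bare truthful answer is recoverable from public sources, so it is a username in disguise, while the keyed answer only fails if the key leaks. Hashing on the site side does not fix a guessable answer, it only keeps the stored value out of a leaked database; the answer itself still has to be something nobody can look up.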