How effective is your strong password if an identity thief can change it themselves? Plenty of attention has been given to helping users generate stronger passwords: avoiding birthdays, pet names, phone numbers, and of course the most popular choices, such as "password", "love", "hope", and so on. But now that users are starting to make their passwords harder to guess, identity thieves are turning to a new weapon—the secret question.
For years about the only “secret question” that consumers would face would be “mother’s maiden name”, used almost exclusively by credit card companies. With the advent of the information age, most online sites now offer secret questions as an easy means to reset a forgotten password. Maybe you can’t remember that excellent, random string of characters you used to create your login, but that’s why they ask you things you are sure to remember, like “your first car”, or “your high school mascot”. Once you verify that, you get to create a new password, bypassing the forgotten random string of characters that made up your strong password.
Unfortunately, this also gives would-be identity thieves a way into your accounts. In a time when social networking sites such as Facebook or Twitter let us report every bit of minutiae about our lives, the information that would normally make up a “secret question” is not so secret at all.
This recently came to light when I was talking with my brother, who was trying to prevent my mother from joining Facebook because, as most Facebook users seem to do, she would include her maiden name so people could find her. And of course, that gives everyone access to his credit cards. At which point I asked him, “Why don’t you use our paternal great-grandmother’s maiden name instead?”
The key to the secret question is that it is designed to stir your memory when you can’t recall a password, and to ensure that you are you. The problem is that most of them involve facts that are easily discovered. Your Facebook or Myspace page may list your alma mater, and a few seconds on a search engine will pull up “Badgers” as your high school mascot. An enterprising identity thief may track down your childhood address. The nostalgic blog post you put up two years ago reminiscing about your first car is still cached somewhere, even if your site no longer links to it. And even if you are guarded with your own information, there is nothing to stop someone from poking around your siblings’ pages to find the name of your old family dog.
My suggestion is to take the secret question and answer it with something you know that has nothing to do with the question, and use that answer consistently across all of the sites. Most of them allow you to select from a number of different questions, but they simply record the question and your response; the question is only a label, and nothing checks that the answer fits it. So if you’re a fan of seafood, you can make “halibut” the answer to your secret questions. It doesn’t matter if your bank asks you for your favorite movie, your webmail asks you for the street you grew up on, or your job search website asks you for the model of your first car. The answer to all of those can be the same large flat fish.
So long as you can remember what the answer to your secret question is, picking something random which has no relationship to the question actually being asked gives you a second layer of protection. And the odds here favor you more than with a regular password: where a password can be subjected to “brute force” or dictionary attacks, secret questions are typically limited to a handful of incorrect attempts before the account locks, so a guessable answer only has to appear in the thief’s first few tries, while an unrelated one never will. One caveat: treat the answer as a password, not as trivia. Many sites store it in a form their support staff can read, so never reuse your actual login password as the answer.
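To make the mechanism concrete, here is an added example (written for this page, not code from the original post or from any real site) of how a site might record a secret question and check the response, and what an attacker with a short list of common answers can do against it. The store design, the lockout threshold of five failures, the PBKDF2 iteration count, and the list of “common mascots” are all assumptions constructed for the illustration; the point it shows is that the question is only a label, that a guessable answer falls inside the attempt limit, and that an unrelated answer like “halibut” does not.

```python
import hashlib
import hmac
import os
import unicodedata

MAX_FAILURES = 5          # assumed lockout threshold, typical of reset flows
PBKDF2_ROUNDS = 100_000   # assumed work factor; answers are hashed like passwords


def normalize(answer: str) -> str:
    """Case-fold and drop whitespace/punctuation so 'My Halibut! ' == 'myhalibut'."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


class SecretQuestionStore:
    """Server-side record of (question, salted answer digest, failure count) per user."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}

    def _digest(self, answer: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
        )

    def enroll(self, user: str, question: str, answer: str) -> None:
        # The question text is stored verbatim as a prompt only; any answer is accepted,
        # which is exactly why an answer unrelated to the question works.
        salt = os.urandom(16)
        self._records[user] = {
            "question": question,
            "salt": salt,
            "digest": self._digest(answer, salt),
            "failures": 0,
        }

    def question_for(self, user: str) -> str:
        return self._records[user]["question"]

    def is_locked(self, user: str) -> bool:
        return self._records[user]["failures"] >= MAX_FAILURES

    def verify(self, user: str, answer: str) -> bool:
        """Return True on a correct answer; count failures and refuse once locked."""
        rec = self._records[user]
        if rec["failures"] >= MAX_FAILURES:
            return False  # locked: even the right answer is rejected now
        candidate = self._digest(answer, rec["salt"])
        if hmac.compare_digest(candidate, rec["digest"]):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        return False


# Constructed attacker wordlist for the demo (not real statistics).
COMMON_MASCOTS = [
    "eagles", "tigers", "bulldogs", "badgers",
    "panthers", "wildcats", "lions", "warriors",
]


def guess_answer(store: SecretQuestionStore, user: str, guesses: list[str]):
    """Attacker loop: try each guess in order. Returns (cracked, attempts_used)."""
    for attempt, guess in enumerate(guesses, start=1):
        if store.verify(user, guess):
            return True, attempt
    return False, len(guesses)


if __name__ == "__main__":
    store = SecretQuestionStore()
    # Alice answers honestly; Bob uses an answer with no relation to the question.
    store.enroll("alice", "What was your high school mascot?", "Badgers")
    store.enroll("bob", "What was your high school mascot?", "halibut")
    print("alice:", guess_answer(store, "alice", COMMON_MASCOTS))
    print("bob:  ", guess_answer(store, "bob", COMMON_MASCOTS), "locked:", store.is_locked("bob"))
```

Run as a script, the attacker recovers Alice’s answer on the fourth try (inside the five-attempt budget) and never recovers Bob’s; Bob’s account is locked after five failures, so even the true answer is then refused until the lockout is cleared. Hashing the answer with a salt and a work factor is what a site should do; a site that stores the normalized answer in plaintext is the reason not to reuse your login password here.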
And if your credit card company is still asking you to supply your mother’s maiden name, remember that the only way that they got it in the first place was from you. Go ahead and tell them Caesar or Einstein; as long as you are consistent, it doesn’t matter what you say.