Insecure Security Questions: They Are Everywhere
We Use Them Everywhere and on Important Accounts like Banks
Insecure Questions.
First, let me explain what I call insecure security questions: any security question whose answer is recorded somewhere. If there is a record of it, then it is insecure. It does not matter if the answer is locked away for private eyes only. The same goes for things that are common in conversation. If it is talked about often, then anyone can get it from you in conversation, or even from forum posts. One more thing that makes a question insecure is a small number of possible answers. Examples are colors, which have about 16 combinations, and even places like the hospital you were born in. I know in my area there are only two hospitals to choose from.
Here is a list of some insecure security questions. These are examples only, and there are probably many more.
Question one, "What was the color of your first car?" That is an easy answer to get. I could just start a conversation and ask you. Or I might even get some car history and find out. It is not a secure question, because it is recorded somewhere. Once I have seen all the titles you have held, I just find the one with the earliest date. Another problem with this question is the number of colors to pick from. With about 16 different colors to try, I will have your password. This does depend on what your answer is, and I can think of some answers that cannot be guessed by trying all combinations.
Question two, "What was the name of your mother's maiden name?" I think this should be on the list of the weakest security questions. Anyone can browse birth certificates, and also browse them online. I was once trying to find a family member about two years ago. I was browsing birth certificate records online, at a government web site. This is insecure information.
Question three, "What school was your elementary school?" This is another very weak question. I believe it would be easier to find out what school I went to than to browse birth certificate records. This is another example of an answer that has a small number of combinations. Even if you moved from school to school during that time, the combinations are not that many. Someone might be able to trace your records, and try each combination that way. I understand that your school records are sealed, but I think anyone can find out what school you attended.
Question four, "What is the first name of your grandfather?" Please, this is even easier than the previous three examples. I can get this information from birth certificate records, and also by just knowing you. It can be brought up in a conversation, and I would not have to talk with you.
Question five, "What is your father's middle name?" Same as the last one. I just need to talk to someone and get a conversation going. I would not have to talk with you if you have other family members. I could probably just ask your father. I might even be able to find it in your name. This one is easy to get from birth certificate records, and that is where I would go first.
Securing those insecure questions.
The first option that I suggest trying is using your own custom question. If you are attempting to secure one of those sites that does not allow your own custom question, and that only offers a list of insecure, easy-to-get questions, then what you need to do is choose answers that do not match the question.
Take a look at this question and answer, "What was the color of your first car?" Answer, "George Watch out!" It would be a waste of time for someone to attempt all the color combinations, because the answer is not related to the question.
One more example, "What is your father's middle name?" Answer, "I want secure bank questions." The answer is not something that fits the question. I could go through all the birth certificate records, and try all the names that I get. I could also try capitalization combinations. But because the answer is not what my father's middle name is, it cannot be hacked this way. The answer is not a name at all, so just trying names is a waste of time.
Closing words, and another insecure question format.
The last insecure format I want to mention is using my questions and answers as a template, such as using my example of "What is your father's middle name?". That would be something to try out, to see if someone copied my example letter for letter. Your answer needs to be original, and not related to the question. It should not be an opposite either, because that would be a hacker's guess.
If the questions have answers that would be strange in a conversation, I think this would make them even more secure. For example, "Where is your great grandmother buried?" If someone was talking to me about that question, then I would find that strange. Then I would realize it is my security question for so and so. I could then change the subject, or ask my own questions. That question is not secure; it's an example of a strange topic.
My idea of a secure security question is one with an answer that is not recorded anywhere, and one with an answer that should not come up in a conversation. When dealing with those accounts that have insecure security questions, using bogus answers would make them secure. This would probably make them more secure than the ones with unrecorded answers. It would be like a second password, and not really a security question.
I came up with this article because my yahoo.com account was taken. I then later found out that Sarah Palin had the same thing happen. She was hacked in the same way I was. After discovering how I was hacked and then reviewing my other accounts, I discovered how weak those security questions can be. Thanks to God that my Yahoo account was stolen, and I was able to secure the other back doors.
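The sketch below is an added example, not part of the original article. It puts the article's three points in code: how quickly a 16-value answer space falls to guessing, how to flag answers that are enumerable or copied from a published example, and how to generate an unrelated answer that works like a second password. The color list, the alphabet and all function names are constructed for illustration.

```python
import math
import secrets

# Constructed sample data for this example: a 16-entry color list (the article's
# "about 16" colors) and the two answers the article itself publishes.
COLORS = {"black", "white", "silver", "gray", "red", "blue", "green", "yellow",
          "orange", "brown", "beige", "gold", "purple", "pink", "maroon", "tan"}
PUBLISHED_EXAMPLES = {"george watch out!", "i want secure bank questions."}
# 32 characters (no l or o) so each one carries exactly 5 bits.
ALPHABET = "abcdefghijkmnpqrstuvwxyz23456789"


def normalize(answer):
    """Lower-case and collapse whitespace, as a lenient answer check might."""
    return " ".join(answer.lower().split())


def guess_odds(space_size, attempts):
    """Chance of hitting a uniformly chosen answer within `attempts` distinct tries."""
    return min(1.0, attempts / space_size)


def review_answer(answer):
    """Return the reasons an answer is weak; an empty list means none found."""
    norm = normalize(answer)
    reasons = []
    if norm in COLORS:
        reasons.append("enumerable: one of %d known values" % len(COLORS))
    if norm in PUBLISHED_EXAMPLES:
        reasons.append("copied: taken from a published example")
    return reasons


def random_answer(groups=4, group_len=4):
    """Random answer in dash-separated groups so it can be read aloud."""
    return "-".join(
        "".join(secrets.choice(ALPHABET) for _ in range(group_len))
        for _ in range(groups))


def answer_bits(groups=4, group_len=4):
    """Entropy in bits of an answer produced by random_answer()."""
    return groups * group_len * math.log2(len(ALPHABET))


if __name__ == "__main__":
    print(guess_odds(len(COLORS), 5))          # five tries against 16 colors
    print(review_answer("Blue"), review_answer("George Watch out!"))
    print(random_answer(), answer_bits(), "bits")
```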
Published by Jointer West
2 Comments
Very important info, thanks!
I use fake answers. Great points here!