Your Password Recovery Questions Are Insanely Easy To Hack—and You Might Be to Blame
Lucky for you, we turned to the experts for tips on fixing them.
When a hacker claimed to have breached Mitt Romney’s personal email account in 2012, he didn’t do it by infecting his computer with a data-leeching virus or by launching a brute-force password cracking attack—he did it with the word “Seamus.”
Seamus was the name of Romney’s dog, and apparently the answer to his password reminder question, “what is your favorite pet.” Because Romney’s email address had been made public in a news story several days earlier, and the doggo-in-question was the subject of an unfortunate media scandal for having been strapped to the roof of the family car during a 1983 road trip, the alleged hacker had everything he needed to exploit a notoriously weak gateway to password security: the password recovery question.
While setting a password reminder question is a fine idea in theory (so many passwords, so little mental space!), it has probably encouraged you to make your password overly vulnerable. The simple truth is that in our age of social media over-sharing it is far too easy to suss out anyone’s answers to the question “where did you meet your spouse,” or “what is your mother’s maiden name.” If you have a public Facebook, Twitter, or Instagram account, you also have a dossier of clues for would-be hackers to peruse at will. Many security industry professionals wish the password reminder question would be outright abolished from account setup, but until that day comes, what can you do to work with the system and keep yourself secure?
For one thing, pick a harder question. A Microsoft and Carnegie Mellon study found that the safest password reminder question may be “What’s your father’s middle name?”, as it’s easy to remember, hard to guess, and unlikely to be public knowledge on the Internet. (Other safe-ish questions were “What was your first phone number?”, “Who was your favorite teacher?”, and “Who is your favorite singer?”)
Some experts recommend answering the question with a non-sequitur (What is your mom’s maiden name? Platypus). But even a random, one-word answer is vulnerable to a brute-force hacking attack designed to rapidly guess every combination of letters and numbers in sequence.
No matter which security question you go with, your best bet is to treat it like another password—a long string of letters, numbers, and special characters that could not be guessed or divined from a cursory glance at Facebook. Use a full phrase instead of a single word. Need an example? If you pick the question “what was your first dog’s name?”, a strong answer would be “[email protected]@lled!”.
Make sure you use a unique answer for every account that requires a reminder question, and log them in a password manager alongside your other passwords. Of course, this is all moot for the estimated 17% of Americans who secure their data with the password “123456.” But progress happens in baby steps (just maybe don’t use your baby’s name as your password reminder answer).
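As an added illustration of the advice above (not code from the original article), this Python sketch scores roughly how much guessing a recovery answer forces on an attacker and generates a unique, password-grade answer for each account. The 170,000-word list size, the 60-bit bar and the sample guessable answers are assumptions chosen for the example.

```python
import math
import secrets
import string

# Symbol pool for generated answers: the 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed list standing in for an attacker's first guesses: things
# discoverable from a public profile (pet names, a maiden name, a street).
GUESSABLE = {"seamus", "platypus", "smith", "fluffy", "rex", "main street"}

# Assumptions, not from the article: an English wordlist of ~170k entries
# for one-word answers, and 60 bits as the "treat it like a password" bar.
WORDLIST_SIZE = 170_000
MIN_BITS = 60


def generate_answer(length: int = 20) -> str:
    """Random recovery answer from the OS CSPRNG (never the random module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def strength_bits(answer: str) -> float:
    """Rough size of the search an attacker faces, in bits.

    A guessable or short single-word answer costs at most one wordlist pass;
    anything else is scored by length times the character classes it uses.
    """
    a = answer.strip()
    if a.lower() in GUESSABLE or (a.isalpha() and len(a) <= 12):
        return math.log2(WORDLIST_SIZE)
    pool = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation):
        if any(c in cls for c in a):
            pool += len(cls)
    if " " in a:
        pool += 1
    return len(a) * math.log2(pool) if pool else 0.0


def is_weak(answer: str) -> bool:
    return strength_bits(answer) < MIN_BITS


def answers_for(accounts):
    """One fresh answer per account, meant to be kept in a password manager."""
    return {acct: generate_answer() for acct in accounts}


if __name__ == "__main__":
    for a in ("Seamus", "Platypus", "correcthorse", generate_answer()):
        print(f"{a!r:28} {strength_bits(a):6.1f} bits  weak={is_weak(a)}")
```

Running it shows the dog's name and the one-word non-sequitur both score around 17 bits, while a full phrase with mixed characters or a generated 20-character answer clears the bar by a wide margin.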