In the past few years I've noticed the increased use of security questions. And it's really a bummer. Not only is it time consuming, but security questions decrease the actual security of a user account. Here's why:
I just signed up for a new Verizon DSL service when I really want FiOS (don't get me started on the FCC and the corruption re: ISPs, but that's a separate issue). On signup I was asked to create a password with certain properties (capital letters, numbers, special characters, between 8 and 20 characters, etc.) and also to choose a security question. Here are the options presented:
- What was your favorite place to visit as a child?
- Where did you and your spouse first meet?
- What was the first live concert you attended?
- What is the first name of your best friend?
- What was the first name of your first roommate?
- What is the name of a memorable place?
- What was your favorite restaurant in college?
Now let's put ourselves in the mindset of someone trying to gain access to my Verizon account. Black beanie with a striped shirt...check.
Questions 1, 2, 3, 4, 5, and 7 are all easily found by looking up Alex Waters' Facebook account. It's only easier if the target was born after 1995. It's almost guaranteed that a victim between the ages of 10 and 20 has been collecting a treasure trove of personally identifiable information (PII), and in many cases making it publicly available. If it isn't public, it's very easy to create a fake Facebook account with a profile picture of a hot lady or dude and send a friend request.
Sidequest: For those wondering, when you get those Facebook friend requests from strangers with attractive photos... they are not into you, they just want to steal your personal information and sell it or use it.
If the answers to the security questions are easy for anyone to find, the question is no longer a second secret; it's a weaker password that the attacker can look up instead of guess. That's not very secure, is it?
In fact, this is precisely how Bitinstant was hacked for large amounts of money back in 2013.
Here's what you can do to protect yourself: don't answer security questions truthfully. Use a password manager (like KeePass or 1Password) to generate a new random password, use that as the answer to the security question, and store it in the manager next to the account's real password so you can find it again during a reset. One caveat: check how the site treats answers first. Many sites ignore case and strip spaces before comparing, and some reject special characters in the answer field, so generate the answer within whatever rules the field enforces or the reset will fail when you actually need it.
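As an added illustration of the advice above (example code written for this post, not anything from the original article or from any password manager), the following Python generates random security-question answers with the `secrets` module, builds the record you'd keep in a manager, and compares the guess space an attacker faces against the real answer versus the random one. The answer-field rules (lower-case letters and digits only, 20 characters) and the sizes of the "true answer" guess spaces are assumptions for the illustration, not measurements of any real site.

```python
import math
import secrets
import string

# Assumed answer-field rules: many sites lower-case the answer, strip spaces and
# reject punctuation before comparing, so we generate inside those limits.
# These rules are an assumption for this example, not Verizon's or any site's.
SAFE_ALPHABET = string.ascii_lowercase + string.digits
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def random_answer(length: int = 20, alphabet: str = SAFE_ALPHABET) -> str:
    """Return a cryptographically random 'answer' drawn uniformly from alphabet."""
    if length < 1 or not alphabet:
        raise ValueError("length must be >= 1 and alphabet must be non-empty")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def answer_space(length: int, alphabet: str = SAFE_ALPHABET) -> int:
    """Number of distinct answers random_answer() can produce."""
    return len(set(alphabet)) ** length


def entropy_bits(space: int) -> float:
    """Bits of work when every one of `space` candidates is equally likely."""
    return math.log2(space)


def success_probability(space: int, guesses: int) -> float:
    """Chance an attacker with `guesses` attempts (e.g. before lockout) hits the answer."""
    return min(1.0, guesses / space)


def vault_entry(site: str, username: str, questions: list[str], length: int = 20) -> dict:
    """The record to save in a password manager: the real password plus one
    random, unrelated answer per security question the site asked."""
    return {
        "site": site,
        "username": username,
        "password": random_answer(length, PASSWORD_ALPHABET),
        "security_answers": {q: random_answer(length) for q in questions},
    }


# Constructed guess-space sizes for the questions in the post. An attacker who
# has read the target's Facebook profile needs far fewer guesses than this;
# these are the optimistic numbers for a target with no public footprint.
TRUE_ANSWER_SPACES = {
    "favorite place to visit as a child": 5_000,
    "first live concert": 20_000,
    "best friend's first name": 1_000,
    "favorite restaurant in college": 10_000,
}


def compare(length: int = 20, guesses: int = 10) -> dict:
    """For each question: bits of entropy and attacker success odds for a truthful
    answer versus a random answer of `length` characters from SAFE_ALPHABET."""
    rnd_space = answer_space(length)
    return {
        q: {
            "true_bits": round(entropy_bits(space), 1),
            "true_success": success_probability(space, guesses),
            "random_bits": round(entropy_bits(rnd_space), 1),
            "random_success": success_probability(rnd_space, guesses),
        }
        for q, space in TRUE_ANSWER_SPACES.items()
    }


if __name__ == "__main__":
    entry = vault_entry("isp.example", "alex", list(TRUE_ANSWER_SPACES))
    for q, a in entry["security_answers"].items():
        print(f"{q}: {a}")
    for q, stats in compare().items():
        print(q, stats)
```

The point the numbers make: even against a target with no social-media footprint, a truthful answer is worth roughly 10 to 15 bits, while a 20-character random answer is worth over 100; once the attacker has the victim's profile, the truthful answer is closer to one guess. The random answer only helps if it's stored, which is why it belongs in the manager alongside the password rather than in your head.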
If you aren't using a password manager to generate complicated passwords, your accounts are probably already compromised.
I know this is a major pain in the butt, but it is better than having strangers in your accounts doing whatever they want.
Note to web developers: please stop using security questions in your applications. They make your user accounts less secure. Ideally we'll all move to public-key authentication, where the user's device signs a challenge with a private key that never leaves it, instead of passwords; I'm looking forward to better UX there anyway.
Edit 4/23/16: Check out ClearChat