How to increase account security: don't answer security questions.

In the past few years I have noticed the increased use of security questions. It's really a bummer. Not only is it time-consuming, but security questions decrease account protection. Here's how:

I just signed up for a new Verizon DSL service when I really wanted FiOS. On signup I was asked to create a password with certain properties... uppercase letters, numbers, special characters, 8-20 characters long, etc. and to choose a security question. These are the options:

  1. What was your favorite place to visit as a child?
  2. Where did you and your spouse first meet?
  3. What was the first live concert you attended?
  4. What is the first name of your best friend?
  5. What was the first name of your first roommate?
  6. What is the name of a memorable place?
  7. What was your favorite restaurant in college?

Now let's put ourselves in the mindset of someone trying to gain access to my Verizon account. Black beanie with a striped shirt...check. 

The answers to questions 1, 2, 3, 4, 5, and 7 can all be discovered by looking up Alex Waters' Facebook account. It's even easier if the target was born after 1995 and has been collecting a treasure trove of personally identifiable information (PII) on social media accounts. A lot of PII is publicly available, and even when it is private, it's very easy to create a fake Facebook account with photos of an attractive man or woman, send a friend request, and gain access to the targeted data.

Sidequest: Friend requests from strangers with attractive photos should not be trusted. They just want to steal your personal information.

If the answer to a security question can be looked up, it is not a secret, and it provides no security. Worse, the question usually unlocks a password reset, so the account is only as strong as its weakest path in: a 20-character random password does nothing if the recovery path is "Where did you and your spouse first meet?"

This is precisely how Bitinstant was hacked for a large amount of money in 2013.

You can protect yourself by not answering security questions truthfully. Use a password manager (like KeePass or 1Password) to generate a new random string, use that as the answer, and store it in the password manager alongside the account's password so you can find it later. Two caveats: some sites limit the answer field's length or character set, so generate something that fits, and if the company's phone support may ask you the question out loud, a random sequence of words is easier to read back than twenty characters of gibberish.
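As an added example (not code from the original post), here is a small Python script that does what the paragraph above describes: it generates random security-question "answers" from the OS CSPRNG, checks them against a site's typical answer-field constraints, and puts a number on why this beats a real answer. The word list and the assumed pool size of 1000 candidates for a guessable real answer are constructed for illustration; for a real deployment you would load a full diceware list such as the EFF long list (7776 words).

```python
import math
import secrets
import string

# Alphabet for answers typed into a web form. Many sites reject punctuation
# in security answers, so letters and digits only.
ALPHANUMERIC = string.ascii_letters + string.digits

# Constructed stand-in for a real diceware list (the EFF long list has 7776
# entries). Word-based answers are easier to read to a phone support agent.
WORDLIST = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garnet",
    "harbor", "island", "jungle", "kettle", "lantern", "marble", "nectar",
    "orchid", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr",
]


def random_answer(length=20, alphabet=ALPHANUMERIC):
    """Random string to use as the 'answer' to a security question.

    secrets.choice draws from the OS CSPRNG; random.choice is not suitable.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase_answer(words=4, wordlist=WORDLIST, sep="-"):
    """Word-based answer for cases where you may have to say it aloud."""
    if words < 1:
        raise ValueError("words must be positive")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(pool_size, picks=1):
    """Entropy in bits of `picks` independent uniform draws from `pool_size` options."""
    if pool_size < 1 or picks < 1:
        raise ValueError("pool_size and picks must be positive")
    return picks * math.log2(pool_size)


def fits_policy(answer, min_len=8, max_len=20, allowed=ALPHANUMERIC):
    """Check an answer against a site's answer-field constraints (assumed defaults)."""
    return min_len <= len(answer) <= max_len and all(c in allowed for c in answer)


def compare_to_guessable(guess_pool=1000, length=20):
    """Return (bits of a real answer drawn from `guess_pool` candidates,
    bits of a random alphanumeric answer of `length`).

    guess_pool=1000 is an assumed size for something like 'favorite place
    to visit as a child' once the attacker has read the target's Facebook;
    the true pool is far smaller if the place is posted outright.
    """
    return entropy_bits(guess_pool), entropy_bits(len(ALPHANUMERIC), length)


if __name__ == "__main__":
    web = random_answer()
    phone = passphrase_answer()
    print("web-form answer:", web, "fits policy:", fits_policy(web))
    print("phone-readable answer:", phone)
    weak, strong = compare_to_guessable()
    print(f"guessable real answer ~{weak:.1f} bits vs random answer ~{strong:.1f} bits")
```

Whatever the script prints goes straight into the password manager entry for that account; the point is that the answer is stored, not remembered, exactly like the password.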

If you aren't using a password manager to generate a unique, complex password for every account, assume some of your accounts are already compromised: one breached site exposes every other account that shares the same password.

I know this is a major pain in the butt, but it is better than having strangers in your accounts doing whatever they want.

Note to web developers: Please stop using security questions in your applications. They make your user accounts less secure. I hope that in the future we will use dedicated devices for private-key message signing instead of passwords.

Edit 4/23/16: Check out ClearChat