In the past few years I have noticed the increased use of security questions. It's really a bummer. Not only is it time consuming, but security questions decrease account protection. Here's how:
I just signed up for a new Verizon DSL service when I really want FiOS. On signup I was asked to create a password with certain properties... capital letters, numbers, special characters, between 8-20 characters, etc., and to choose a security question. These are the options:
- What was your favorite place to visit as a child?
- Where did you and your spouse first meet?
- What was the first live concert you attended?
- What is the first name of your best friend?
- What was the first name of your first roommate?
- What is the name of a memorable place?
- What was your favorite restaurant in college?
Now let's put ourselves in the mindset of someone trying to gain access to my Verizon account. Black beanie with a striped shirt...check.
Questions 1, 2, 3, 4, 5, and 7 can all be answered easily by looking up Alex Waters' Facebook account. It's even easier if the target was born after 1995 and has been accumulating a treasure trove of personally identifiable information (PII) on social media accounts. A lot of PII is publicly available, and even when it is private, it's very easy to fake a Facebook account with photos of a hot lady or dude in order to gain access to the targeted data.
Sidequest: Friend requests from strangers with attractive photos should not be trusted. They just want to steal your personal information.
If security question answers can be found, then they are not very secure.
This is precisely how Bitinstant was hacked for a large amount of money in 2013.
You can protect yourself by not answering security questions truthfully. Use a password manager (like KeePass or 1Password) to generate a new password. Then use that as the answer to the security question.
If you aren't using a password manager to generate complicated passwords, your accounts are probably already compromised.
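To make the advice above concrete, here is an added example (not code from the post) that does what a password manager would do for a security question: draw a random answer from a CSPRNG that also satisfies the signup policy quoted above, and compare its entropy with the guess space of a real answer. The `GUESSABLE_FIRST_NAMES` figure and the question list are constructed assumptions for illustration.

```python
import math
import secrets
import string

# Character classes reflecting the signup policy quoted in the post
# (capital letters, numbers, special characters, 8-20 characters).
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SPECIAL = "!@#$%^&*()-_=+[]{}:;,.?"
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL

# Constructed assumption: someone who knows the target's circle of friends
# from a social profile needs only a few hundred guesses for
# "What is the first name of your best friend?"
GUESSABLE_FIRST_NAMES = 300


def meets_policy(answer: str) -> bool:
    """Check an answer against the signup rules quoted in the post."""
    return (8 <= len(answer) <= 20
            and any(c in UPPER for c in answer)
            and any(c in DIGITS for c in answer)
            and any(c in SPECIAL for c in answer))


def generate_answer(length: int = 20) -> str:
    """Draw uniformly from ALPHABET with a CSPRNG until the policy is met."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def entropy_bits(choices: int, length: int = 1) -> float:
    """Approximate entropy of picking `length` symbols uniformly from `choices`.
    (Rejection in generate_answer removes a negligible fraction of candidates.)"""
    return length * math.log2(choices)


def fill_vault(questions):
    """Give every security question its own random answer, as a manager would."""
    return {q: generate_answer() for q in questions}


if __name__ == "__main__":
    vault = fill_vault(["What is the first name of your best friend?",
                        "Where did you and your spouse first meet?"])
    for question, answer in vault.items():
        print(f"{question} -> {answer}")
    print(f"real answer: ~{entropy_bits(GUESSABLE_FIRST_NAMES):.1f} bits; "
          f"generated answer: ~{entropy_bits(len(ALPHABET), 20):.1f} bits")
```

Store the generated answers in the manager next to the password; the point is that nothing about your life history is needed to recover them, so nothing on a social profile helps an attacker.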
I know this is a major pain in the butt, but it is better than having strangers in your accounts doing whatever they want.
Note to web developers: Please stop using security questions in your applications. They make your user accounts less secure. I hope that in the future we will use dedicated devices for private-key message signing instead of passwords.
Edit 4/23/16: Check out ClearChat