Wednesday, February 29, 2012

4 Tips for Answering Those Secret Questions on Internet Accounts

Woodchuck photo by Dan Dzurisin (NDomer73), found on Flickr, licensed via Creative Commons.

How much wood would a woodchuck chuck if a woodchuck could chuck wood?

Thanks to Time, I know that's one of the secret questions you can choose when signing up for Virgin America's Elevate program. And it's a whole lot better choice than most of the other questions, such as "What is the name of the city where you were born?" or "What is your favorite color?"

If you care about your security, you'll never want to answer a secret question, which can be used to retrieve or reset your password, with anything someone else can either easily guess or easily find out. How many people put their city of birth on a publicly available Facebook page?

And there just aren't that many colors that people are likely to name. In his book Perfect Passwords, Mark Burnett notes that "there are around 100 common colors, even considering colors such as taupe, gainsboro and fuchsia." Bruce Schneier says he can probably guess someone's answer to that question in "no more than five attempts."

Back in 2008, someone hacked Sarah Palin's e-mail; all he had to do was find out her birthdate, ZIP code, and where she met her spouse. He claims it took 45 minutes on Wikipedia and Google to find the answers.

As Anish Kumar writes: "Giving the user an option to guess the name of a pet or hometown in lieu of actually knowing a password dramatically shortens the odds for the attacker. The service is essentially telling the attacker: 'We understand that it is difficult to guess passwords, so let us help you narrow them down from potentially millions of combinations to around a dozen, or even better, if you know how to use Google, just one.'"

So how do you answer those secret questions? Here are some suggestions.

1. Use an algorithm.

Lifehacker reports on Danah Boyd's strategy:
The basic structure is:
[Snarky Bad Attitude Phrase] + [Core Noun Phrase] + [Unique Word]

Although these are not my actual phrases, let's map them for example:

Snarky Bad Attitude Phrase = StupidQuestion
Unique Word = Booyah

Thus, when I'm asked the following question: What is your favorite sports team?

My answer would be: StupidQuestion SportsTeam Booyah

2. Use the true answer — with some modification.

Lauren Weinstein has a number of suggestions for answering secret questions, including this:
One particularly useful technique is simply to add unrelated text onto the correct answers (ideally different at every site, but even using the same add-on string everywhere would be better than nothing within the context of secret questions). So for example, your first dog might be Manfred23Skidoo. Your favorite color could be blueRasputin. And so on.

3. Use a totally random reply. Consider writing it down in some non-obvious place.

Computer security expert Bruce Schneier wrote:
My usual technique is to type a completely random answer — I madly slap at my keyboard for a few seconds — and then forget about it. This ensures that some attacker can't bypass my password and try to guess the answer to my secret question, but is pretty unpleasant if I forget my password.
And Ferdinand J. Reinke commented on another post by Bruce Schneier:
My Mom's maiden name is 7DGG46QPK, FGAD4P3N, DKNNT4VKP C9HJLPQVK, or KEZNBF6N9 depending which of the sites I used it at. If a "secret question" is a password, then I say treat it as such with your favorite 12 random alphanumerics. Just don't tell anyone about your secret list. Memorization of passwords leads to forgetting. As long as I don't lose my little black book, I'm fine.

4. If you're allowed to select your own question, go that route. Choose one where only you will know the answer — and one that can't be easily guessed because the possible answers are limited. That can be a lot harder than you might imagine. I finally came up with one: "What's the book Sarah gave me in high school?" I bet even Sarah doesn't remember that — it's been over 35 years, and we've long been out of touch — and no one else would have a clue.
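
Tip 3 treats the secret answer as a second password. As an added example (not from the original post or from anyone quoted in it), this Python sketch generates a separate 12-character random answer for each site and question, in the spirit of Reinke's comment, and compares its guessing space with the roughly 100 common colors Burnett mentions. The function names and the sample site names are made up for illustration.

```python
import math
import secrets
import string

# Uppercase letters and digits, matching the style of the answers quoted in tip 3.
ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols


def guess_space_bits(choices: int, length: int = 1) -> float:
    """Entropy in bits of an answer picked uniformly from choices**length options."""
    return length * math.log2(choices)


def online_guess_odds(attempts: int, choices: int, length: int = 1) -> float:
    """Chance that `attempts` distinct guesses hit a uniformly chosen answer.

    Real answers to "favorite color" are skewed toward a few values, so for
    human-chosen answers this is a floor on the attacker's odds, not a ceiling.
    """
    return min(1.0, attempts / choices ** length)


def random_answer(length: int = 12) -> str:
    """Draw one answer from the OS CSPRNG (secrets), never from `random`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def answer_book(prompts, length: int = 12) -> dict:
    """Map each (site, question) pair to its own random answer.

    Separate answers per site mean one leaked answer cannot be replayed elsewhere.
    """
    book = {}
    for prompt in prompts:
        answer = random_answer(length)
        while answer in book.values():  # vanishingly rare; keeps answers distinct
            answer = random_answer(length)
        book[prompt] = answer
    return book


if __name__ == "__main__":
    # Constructed sample prompts; the site names are placeholders.
    prompts = [("airline.example", "What is your favorite color?"),
               ("bank.example", "What is your mother's maiden name?")]
    for (site, question), answer in answer_book(prompts).items():
        print(f"{site} | {question} | {answer}")
    print(f"~100 colors: {guess_space_bits(100):.1f} bits, "
          f"5 guesses succeed {online_guess_odds(5, 100):.0%} of the time or more")
    print(f"12 random alphanumerics: {guess_space_bits(36, 12):.1f} bits")
```

The generated answers only help if they are recorded somewhere you can find them again, which is the trade-off Schneier and Reinke both describe.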

Related Post:
Organizing the Passwords


SMitch said...

The Prophet.

Jeri Dansky said...

SMitch - No, not The Prophet. If it had been, that would have been in the "too easy to guess" category. :-)