Protect Your Passwords, an Encore Performance

A while back I mentioned that if someone got hold of your email password, all your other passwords, no matter how cryptic or “safe”, would soon follow. To recap, it goes like this: if someone can get into your email, they can go to every bank and hit “reset my password” and get to the automatic email before you do.

A friend of mine recently put up a post that reminded me of another way hackers can get into your accounts (including primary email), one that I’ve been meaning to mention. You know those security questions they ask you, so they can confirm your identity? Those questions aren’t very secure. Questions like, “Where did you go to elementary school?” Pretty easy to find out stuff like that these days.

Say I want to hack into a celebrity’s Yahoo account. I just need to answer a few questions, most of which are probably answered on IMDb. Then I’m in. There’s a GQ article linked in my friend’s post that illustrates just how easy this all is.

The problem is, lots of places force you to set up these questions – making it mandatory that you provide a huge hole in your own security. A lot of people call these “insecurity questions”.

Security questions can work, but only if you choose to answer them incorrectly. Where did I go to school? A fish. What was the name of my first pet? 4e$RE*Plaster. Of course, in the rare event that I actually need to be able to answer the questions, there’s no way I’m going to remember what I said the first time.

While pondering that, I had a thought for a method of answering these questions, one that removes any worry about remembering much of anything. Let a machine do the work. Imagine if you could select the question with your cursor, push a button, and paste your own personal complete gibberish into the answer field. Then, whenever confronted with the same question, you can generate the same gibberish. No remembering and no chance of anyone ever guessing your answers.

This would actually be pretty easy to do. It might even just take GnuPG and a bit of scripting. All it has to do is take the selected text, add a little secret extra bit that you set, then put the MD5 hash onto your pasteboard. It would be better as a browser plugin, so it would be ready and waiting whenever you needed it. A little gizmo like that could go a long way toward tightening up one of the biggest security holes in the interwebs.
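Here is an added sketch of that gizmo in Python (my example, not something the author built). It canonicalizes the selected question text so that small formatting differences between sites still produce the same answer, mixes in the secret you set, and emits a short, printable answer. Two assumptions beyond the post: it swaps the MD5 hash for HMAC-SHA256 keyed on your secret, and it can optionally fold in a site name so each site gets a different answer.

```python
import base64
import hashlib
import hmac
import re
import sys


def normalize_question(question: str) -> str:
    """Canonicalize the prompt: lower-case it, drop punctuation and collapse
    whitespace, so "Where did you go to school?" and "where did you go to
    SCHOOL" derive the same answer."""
    cleaned = re.sub(r"[^a-z0-9 ]", " ", question.lower())
    return " ".join(cleaned.split())


def gibberish_answer(question: str, secret: str, site: str = "", length: int = 20) -> str:
    """Derive a deterministic, unguessable answer for a security question.

    The post proposes MD5(question + secret); this substitutes HMAC-SHA256
    keyed on the secret (an assumption of this example). Passing a site name
    gives every site its own answer even for the same question.
    """
    message = normalize_question(question)
    if site:
        message = f"{site.strip().lower()}|{message}"
    digest = hmac.new(secret.encode("utf-8"), message.encode("utf-8"), hashlib.sha256).digest()
    # Base32 yields only letters and digits, which even picky answer fields accept;
    # truncating keeps the answer typeable while leaving ample entropy.
    return base64.b32encode(digest).decode("ascii").rstrip("=")[:length].lower()


if __name__ == "__main__":
    # Usage: echo "Where did you go to school?" | python answer.py SECRET [site]
    # (Constructed command line; in a real tool the secret would come from a
    # keychain rather than an argument.)
    secret_arg = sys.argv[1]
    site_arg = sys.argv[2] if len(sys.argv) > 2 else ""
    print(gibberish_answer(sys.stdin.read(), secret_arg, site_arg))
```

Pipe the output to your clipboard tool (pbcopy, xclip) and the answer lands on the pasteboard as the post describes.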

I’d build it except for two things: I just don’t have time right now, and a major technology company would end up owning it.

While we wait for someone to step up and build that little beauty, take a moment and reset your “insecurity questions” to something no one can guess. Perhaps for each question that asks for a name, you have one ridiculous answer (that you never tell anyone) and for locations you have another, and so forth. It’s not as good as a different answer for every site (who knows how securely each place stores them?) but it’s a hell of a lot safer than the truth.

3 thoughts on “Protect Your Passwords, an Encore Performance”

  1. Does any technology you build pretty much get taken? Is it because of your employer?

    It’s interesting, I put a fake birth year on my Facebook profile, but then started getting appropriate advertising for early 80s yearbooks. I wonder if it is connected to being involuntarily joined to the lahs82 FB page.

    So yes I guess security questions can be easy to ape.

    Good advice here.

    • I’ve had to sign similar contracts in the past, for other companies as well. It says, pretty much, “Anything you make that we might also make belongs to us.”

      It is possible to submit paperwork before starting development and get permission from the company. Also, I have declared that Jer’s Novel Writer was done before I worked for them. To keep developing I need to submit more paperwork, but in the case of something that has a long history that’s more of a formality.

      The birthday advertising could easily be from the class reunion page. I’ll have to go onto Facebook one of these days and see what I get, and also to check what info I have in there that’s still correct.
