Protect Your Passwords, an Encore Performance

A while back I mentioned that if someone got hold of your email password, that all your other passwords, no matter how cryptic or “safe”, would soon follow. To recap, it goes like this: If someone can get your email address, they can go to every bank and hit “reset my password” and get to the automatic email before you do.

A friend of mine recently put up a post that reminded me of another way hackers can get into your accounts (including primary email), one that I’ve been meaning to mention. You know those security questions they ask you, so they can confirm your identity? Those questions aren’t very secure. Questions like, “Where did you go to elementary school?” Pretty easy to find out stuff like that these days.

Say I want to hack into a celebrity’s yahoo account. I just need to answer a few questions, most of which are probably answered in imdb. Then I’m in. There’s a GQ article linked in my friend’s post that illustrates just how easy this all is.

The problem is, lots of places force you to set up these questions – making it mandatory that you provide a huge hole in your own security. A lot of people call these “insecurity questions”.

Security questions can work, but only if you choose to answer them incorrectly. Where did I go to school? A fish. What was the name of my first pet? 4e$RE*Plaster. Of course, in the rare event that I actually need to be able to answer the questions, there’s no way I’m going to remember what I said the first time.

While pondering that I had a thought for a method of answering these questions, one that removes any worry about remembering much of anything. Let a machine do the work. Imagine if you could select the question with your cursor, push a button, and paste your own personal complete gibberish into the answer field. Then, whenever confronted with the same question, you can generate the same gibberish. No remembering and no chance of anyone ever guessing your answers.

This would actually be pretty easy to do. It might even just take GnuPG and a bit of scripting. All it has to do is take the selected text, add a little secret extra bit that you set, then put the MD5 hash onto your pasteboard. It would be better as a browser plugin, so it was ready and waiting whenever you needed it. A little gizmo like that could go a long way toward tightening up one of the biggest security holes in the interwebs.

I’d build it except for two things: I just don’t have time right now, and a major technology company would end up owning it.

While we wait for someone to step up and build that little beauty, take a moment and reset your “insecurity questions” to something no one can guess. Perhaps for each question that asks for a name, you have one ridiculous answer (that you never tell anyone) and for locations you have another, and so forth. It’s not as good as a different answer for every site (who knows how securely each place stores them?) but it’s a hell of a lot safer than the truth.