The Hulk Was My Best Friend As A Kid: Advice on Answering Security Questions

Or was it Superman? Did my article title catch your attention? You might be wondering who my best friend was growing up, or asking yourself why I am talking about this topic in the first place. It's because information security still relies on answers to questions like "Who was your best friend growing up?" and this common practice may leave you vulnerable to someone compromising your account.

Purpose Behind Security Questions

Security questions are meant to add a second check when you log in or, more commonly, when you reset a forgotten password. The first check is your username and password. The next is the answer to a security question. The assumption is that you are the only one who knows the answer. Once every check passes, you get access to your account. Strictly speaking, a security question is not a separate factor: like a password, it is something you know, and on many sites it is accepted on its own to reset the password, so the account is only as safe as the secrecy of the answer.

The concept originated before social media was prevalent. In the 90s and early 2000s, people did post some information about themselves in blogs and chat rooms, but they seemed more private about what they disclosed. The arrival of social media eroded individuals' privacy: the sites collected personal information, and users volunteered it too. People started revealing the answers to their security questions without realizing it.

A Faulty Factor

Here is a hypothetical situation: someone tags a grade school teacher in a post on a social media site. Both users have hundreds of followers, and one of them has posts visible to the entire Internet. The first user tags the teacher in a post stating, "What an amazing teacher. My favorite." Now the whole Internet can see a post declaring this teacher to be the first user's favorite.

It would not be difficult to deduce that the teacher is the user's favorite grade school teacher. That teacher might have a profile on a job site or professional networking site with a resume listing every job title held over the years. The social media site might show the first user's birthday or age. Someone can now match the user's grade school years against the teacher's job history. The answer to "Who was your favorite teacher in grade school?" is known.

An Approach to Answering Security Questions

You may or may not have posted such information on your social media accounts, but your friends and acquaintances might have. Your security is only as strong as its weakest link, and your social connections introduce weak links you do not control. Therefore, answering security questions with something other than the true answer might prove beneficial.

You can use a theme when answering all security questions. Most online accounts that still use security questions require a minimum of three to five answers. You provide all of them using, for example, the names of flowers or superheroes, with no connection to the question asked.

For example:

Q: What is the name of your favorite teacher?
A: Tullip

Q: What is the name of your favorite pet?
A: Dandelion

For additional security, you could treat the answers as passwords and use a mix of characters. Check what the site accepts first: some sites ignore case, strip spaces and punctuation, or reject special characters, so record exactly what was saved rather than what you typed.

For example:

Q: What is the name of your favorite teacher?
A: +ull1p

Q: What is the name of your favorite pet?
A: D@ndel10n

For even greater security, you can use a passphrase of several words, which is harder to guess than a single word with character swaps.

For example:

Q: What is the name of your favorite teacher?
A: Purpl3 +ull1p

Q: What is the name of your favorite pet?
A: D@ndel10n Fuzz

You can build a lookup table of your answers so you can find them later. The list of security questions is similar on most websites, and you can find lists of common security questions on the Internet. Because the answers now function as passwords, keep the table where you keep your passwords (a password manager's notes field, for instance), not in a plain text file or a spreadsheet.
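The theme, character-mix, passphrase and lookup-table advice above, as an added example in Python that is not code from the original article: it draws answers at random from a theme list with a CSPRNG, applies the article's character swaps as an option, checks the result against assumed site limits before recording it, and compares the guessing entropy of each strategy. THEME_WORDS, the 7776-word diceware list size, the 1000-common-pet-names figure, the site rules, and the site and question names are all constructed assumptions.

```python
"""Generate password-strength security-question answers and keep a lookup table.

Added example, not code from the original article. THEME_WORDS, the site and
question names, the site rules and the JSON layout are constructed for illustration.
"""
import json
import math
import secrets
import string

# Constructed theme word list (flowers). Sixteen words is far too few for a real
# answer set; a diceware-style list of 7776 words is used below for comparison.
THEME_WORDS = [
    "tulip", "dandelion", "orchid", "peony", "lilac", "iris", "daisy", "marigold",
    "lavender", "foxglove", "clover", "jasmine", "poppy", "violet", "magnolia", "aster",
]
DICEWARE_LIST_SIZE = 7776  # size of a standard diceware word list (assumed, not embedded)

# The character swaps the article uses (+ull1p, D@ndel10n). A fixed swap table is
# trivial for a cracking rule set to model, so it is treated as cosmetic, not entropy.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "t": "+"})


def entropy_bits(choices: int, draws: int) -> float:
    """Guessing entropy of `draws` independent uniform picks from `choices` options."""
    return draws * math.log2(choices)


def themed_answer(words: int = 2, digits: int = 2, leet: bool = False) -> str:
    """Random answer: `words` theme words plus a numeric tail, e.g. 'iris poppy 47'.

    Uses the secrets module (CSPRNG) because the answer is, in effect, a password.
    """
    picked = [secrets.choice(THEME_WORDS) for _ in range(words)]
    tail = "".join(secrets.choice(string.digits) for _ in range(digits))
    answer = " ".join(picked + [tail])
    return answer.translate(LEET) if leet else answer


def fits_site_rules(answer: str, max_len: int = 50, allowed: str = string.printable) -> bool:
    """Check an answer against assumed site limits before submitting it.

    Real sites vary: some cap length, reject punctuation, or lowercase the answer on
    save. The defaults here are assumptions, not any particular site's policy.
    """
    return len(answer) <= max_len and all(c in allowed for c in answer)


def build_lookup_table(site: str, questions: list, **kwargs) -> dict:
    """One record per site mapping each question to a fresh random answer."""
    answers = {}
    for question in questions:
        answer = themed_answer(**kwargs)
        if not fits_site_rules(answer):
            raise ValueError(f"generated answer violates site rules: {answer!r}")
        answers[question] = answer
    return {"site": site, "answers": answers}


def strength_report(words: int = 2, digits: int = 2) -> dict:
    """Compare guessing entropy (bits) of answer strategies with the same word count.

    The 1000-name figure for a truthful pet name is an assumption standing in for
    'a short list of common pet names'; a truthful teacher found by OSINT is 0 bits.
    """
    digit_bits = entropy_bits(10, digits)
    return {
        "truthful_pet_name_from_1000_common": round(entropy_bits(1000, 1), 1),
        "truthful_teacher_found_by_osint": 0.0,
        "theme_list_16_words": round(entropy_bits(len(THEME_WORDS), words) + digit_bits, 1),
        "diceware_7776_words": round(entropy_bits(DICEWARE_LIST_SIZE, words) + digit_bits, 1),
    }


if __name__ == "__main__":
    # Constructed site and questions; the JSON is ready for a password manager's notes field.
    table = build_lookup_table(
        "example.com",
        ["What is the name of your favorite teacher?", "What is the name of your favorite pet?"],
        leet=True,
    )
    print(json.dumps(table, indent=2))
    print(json.dumps(strength_report(), indent=2))
```

The report makes the point the examples above only hint at: the strength of an answer comes from the size of the list and the randomness of the pick, not from the character swaps. A sixteen-word theme is guessable as soon as an attacker learns the theme, so draw from a long word list, or simply let your password manager generate the answer and store it next to the password.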

Conclusion

Someone can discover the true answers to security questions using open-source intelligence (OSINT) from social media sites, so you might not want to answer them truthfully. Consider using an answer theme, a mix of characters, and multiple words in your answers, and keep a lookup table of what you used.

About the author

Miguel A. Calles MBA

Originally published on Secjuice.com

Image by Gianluca Gentile on Dribbble
