There have been a number of high-profile account compromises due to the insecurity of password reset questions. Two big ones off the top of my head are the Sarah Palin Yahoo account compromise and the Twitter “Hacker Croll” fiasco. There have been many more account compromises due to weaknesses in password reset questions, even if they are rarely as publicized in the mainstream media as those two. The attacks are basically the same: primary e-mail accounts are typically secured by a password, and that password can be changed by entering the answer to a password reset question.
Both of these account compromises were caused by weak password reset questions. And although Palin’s certainly was/is a high-profile account, the Twitter compromise started with a low-profile IT administrator who happened to store sensitive company documents in their Google Docs folder. This goes to show that everyone, from the CEO of a large company to a low-level system administrator, is accountable for the security of their accounts.
Sample (bad) Password Reset Questions:
Many e-mail accounts use a typical range of password reset questions:
- What is your mother’s maiden name?
- What was your first pet’s name?
- What is your favorite sport?
- What is your oldest daughter’s name?
Even questions regarded as “Good” on this list are easily guessable if you have access to the social networks of an individual. For example: What is the middle name of your youngest child? What is your oldest sibling’s middle name? Answers to these questions often appear on Facebook or other social media websites.
After coming up with the idea to write this article, I took a look at my own e-mail account’s password reset question. It was set to my father’s middle name. I had probably set this when I first signed up for a beta account back in 2005 or so; I was not in the mindset that it would become my primary account and also the gateway to a bevy of information. As with many folks, when I sign up for a new account on a website, it will often e-mail my account information (including my password, boo!) to my e-mail account. And, as I suspect is true of most people, I do not follow the best practice of using a different password for each account. Not to mention that many other accounts will send an e-mail to the address on file in order to reset their passwords. Therefore, not only is the main account password at risk; there is a lot riding on the security of your e-mail account. If someone gains access to your e-mail account, they also gain access to many frequently used passwords and accounts. Domain hijacking has occurred using this method.
The first step is that password reset questions must not be answerable from information available via social networking sites. For someone who is very active in social networking, this might seem hard to come up with at first, but it really is not.
A good password reset question is:
- Not easily guessable from online or offline sources (secure)
- Stable over a long period of time (stable)
- Readily recallable by the legitimate account holder (obtainable)
- Answerable in only one way (definitive)
My source for questions that satisfy these metrics is my wallet. I look for cards that have information that will stay the same for a long period of time, for example, a driver’s license, library card or other membership card.
You can then set your password reset question to a value on one of those cards. If the site does not let you write your own password reset question, you might replace a common one, such as “mother’s maiden name”, with this. Just be careful you don’t get too tricky, or you might forget which question you chose or the response to it and lose access to your account for good.
For a sample answer, you might use the first 5 digits of your driver’s license ID plus the last 6 of your gym membership card. Really you can use any information that you want, as long as you do not share it on social media websites. Just make sure it follows the four guidelines above.
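As an added example (not from the original post), the Python below applies the “secure” guideline from the list above to a candidate answer, builds the wallet-card composite answer just described, and shows how a site should store and check such answers. The public profile facts, the card numbers and the choice of PBKDF2 for storage are all my own constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample of facts an attacker could read off a public social profile;
# they line up with the "bad" reset questions listed in the post.
PUBLIC_PROFILE = {
    "mother's maiden name": "Smith",
    "first pet's name": "Buddy",
    "favorite sport": "hockey",
    "oldest daughter's name": "Emily",
    "father's middle name": "James",
}

def normalize(answer: str) -> str:
    # Canonical form so "Smith " and "smith" compare equal; this cuts accidental
    # lockouts without weakening the answer (case is not where the secrecy lives).
    return " ".join(answer.split()).casefold()

def is_guessable(answer: str, profile: dict) -> bool:
    # The post's "secure" criterion: reject an answer that equals, contains, or is
    # contained in anything already visible on the person's social media.
    a = normalize(answer)
    return any(normalize(v) in a or a in normalize(v) for v in profile.values())

def compose_answer(license_id: str, gym_card: str) -> str:
    # The post's wallet-card recipe: first 5 characters of the driver's license
    # plus the last 6 of the gym membership number (neither is posted online).
    return license_id[:5] + gym_card[-6:]

def store_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # Site side (my assumption, not from the post): treat reset answers like
    # passwords, salted and stretched, never kept in plaintext.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 200_000)
    return salt, digest

def verify_answer(attempt: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison so response timing does not leak matching bytes.
    _, candidate = store_answer(attempt, salt)
    return hmac.compare_digest(candidate, digest)
```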
Do you have any tips for a good password reset question?