Cybersecurity Awareness Tip 21: Treat Password Reset Security Questions Like Passwords
Many banks, credit card providers and other financial institutions now use stronger methods such as multi-factor authentication for resetting passwords. Some accounts, however, still require users to answer security questions to reset a password, and others, such as Apple ID, are transitioning from security questions to multi-factor authentication.
Assume Your Personal Information Has Been Compromised
Knowledge-based authentication has been widely abused by attackers. David Kernell, son of a longtime state representative and then a college student, used publicly available information to gain access to then-presidential candidate Sarah Palin's email. Kernell was convicted and sentenced to a year and a day in federal prison, but the damage was done. After multiple data leaks, Facebook warned its 2 billion users to "assume malicious third-party scrapers have compromised their public profile information."
Minimizing the Risk of Security Questions
To minimize the risk of password reset security questions and other knowledge-based authentication:
- Be less social (provide less information on social media)
- Where an account offers a stronger reset method such as multi-factor authentication, use it instead of security questions; where questions are unavoidable, use complex, fictitious answers that cannot be looked up or guessed
- Choose open-ended questions and avoid questions with a small set of likely answers (e.g. "favorite color" and similar questions, whose real answers are easy to guess or to find in online surveys and social media posts)
- Save the answers to "secret" questions used to reset account passwords securely in your password manager.
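The list above comes down to a simple procedure: treat each security-question answer as a random secret, make it at least as strong as a password, and keep it in the password manager rather than in memory. The following script is an added example, not code from the original page or from any password manager vendor. It generates fictitious answers from a word list plus a numeric suffix, shows how many bits of entropy they carry compared with a truthful answer drawn from a handful of plausible values, and packages the result as a record to paste into a password manager's notes field. The 64-word list is a constructed stand-in; a real deployment would use a large published list such as the EFF diceware list.

```python
"""Generate fictitious, high-entropy answers to password-reset security
questions and package them for storage in a password manager.

Added example; the word list below is a constructed 64-word stand-in so the
script runs offline. Replace it with a large published list in practice.
"""
import json
import math
import secrets
import string

# Constructed word list: 64 entries, so each word contributes log2(64) = 6 bits.
WORDS = [
    "apple", "anchor", "basin", "bridge", "cactus", "candle", "desert", "dragon",
    "ember", "engine", "falcon", "forest", "garden", "glacier", "harbor", "hammer",
    "island", "ivory", "jacket", "jungle", "kettle", "kiwi", "lantern", "lemon",
    "marble", "meadow", "needle", "nickel", "oasis", "orbit", "parrot", "pebble",
    "quartz", "quiver", "rocket", "ribbon", "saddle", "silver", "tunnel", "turtle",
    "umbrella", "urchin", "valley", "velvet", "walnut", "willow", "xenon", "yonder",
    "zebra", "zipper", "amber", "bamboo", "copper", "donkey", "eagle", "fossil",
    "goblet", "helmet", "igloo", "jasper", "kayak", "lotus", "mango", "noodle",
]


def entropy_bits(choices: int) -> float:
    """Bits of entropy for one uniformly random pick among `choices` options."""
    return math.log2(choices)


def guessable_answer_bits(plausible_answers: int) -> float:
    """Entropy an attacker faces for a truthful answer drawn from a small pool.

    A question like "favorite color" has perhaps 16 plausible answers, i.e.
    about 4 bits: a few guesses, or one look at a social media profile.
    """
    return entropy_bits(plausible_answers)


def fictitious_answer_bits(num_words: int = 4, digits: int = 3) -> float:
    """Entropy of an answer built from `num_words` list words and `digits` digits."""
    return num_words * entropy_bits(len(WORDS)) + digits * entropy_bits(10)


def make_fictitious_answer(num_words: int = 4, digits: int = 3) -> str:
    """Build a random answer such as 'walnut-orbit-kettle-zebra-417'.

    Uses the `secrets` module (CSPRNG) rather than `random`, so answers are
    not reproducible from a seed or from earlier answers.
    """
    words = [secrets.choice(WORDS) for _ in range(num_words)]
    suffix = "".join(secrets.choice(string.digits) for _ in range(digits))
    return "-".join(words + [suffix])


def build_manager_entry(account: str, questions: list[str],
                        num_words: int = 4, digits: int = 3) -> dict:
    """Return a record mapping each question to a fresh fictitious answer.

    The intended use is to store this in the notes field of the account's
    password manager entry, so the answers never have to be remembered.
    """
    return {
        "account": account,
        "answer_entropy_bits": round(fictitious_answer_bits(num_words, digits), 1),
        "security_questions": {q: make_fictitious_answer(num_words, digits)
                               for q in questions},
    }


if __name__ == "__main__":
    # Constructed sample questions for a hypothetical account.
    entry = build_manager_entry(
        "example-bank",
        ["What was the name of your first pet?",
         "What is your mother's maiden name?"],
    )
    print(json.dumps(entry, indent=2))
    print(f"truthful 'favorite color' answer: ~{guessable_answer_bits(16):.0f} bits")
    print(f"fictitious answer: ~{fictitious_answer_bits():.0f} bits")
```

The answers are deliberately unpronounceable as real biographical facts; that is the point. Because they are stored alongside the account's password, losing the password manager means losing the reset answers too, so the manager itself must be protected with a strong master password and multi-factor authentication.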