Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Wednesday, April 20, 2011

Password Security Questions Suck

My mother's maiden name was Sullivan, my first pet was named Snoopy, my father's middle name was Joseph and I was born in Schenectady, NY. I can tell you this because I would never use real answers in any so-called security question. While it's handy when you forget your password, it's also the easiest way to have your password reset and stolen.

Yes, companies still use these questions, with answers that are publicly available, and having numbers, letters and special characters in your password won't help you. The truth is that programs that keep trying different word combinations are obsolete. Your password will most likely be stored insecurely by someone you do business with and stolen from them, or figured out from the data in the password security or "challenge" question.

Remember when Sarah Palin's Email was compromised? It wasn't some brilliant hacker; it was someone who Googled where Palin attended high school.

So are there really companies that still use predictable and lame questions? I won't say who, but the following were actually from a banking site.

[screenshots of the bank's four security questions]
And people wonder why I don’t list my birthday on Facebook?

The Results

So what typically happens when someone gets your Email and password?

First, it's usually not personal. Once your Email is compromised it's entered into an automated program. The program will log in and collect all the names and Email addresses from your contact list. It could be on AOL, GMail or Outlook; your address book is easy to access programmatically.

It won't be long before the program goes through your contacts and sends them all an Email with either a link to malware or something as benign as an advertisement for Viagra. It could be just an ad, because these guys could be earning a couple of cents for every view. Since it's all automated, it could add up to thousands of Euro a month.

Two things will happen next. Half of your friends may contact you to let you know you've been hacked. The other half will click the link and ask why you sent them to a Viagra site. You'll be very surprised by how many people click on the link because it came from someone they trust.

Obviously, the first thing you'll want to do is change your password. After that, unplug from the internet and run scans with every security program you've installed on your computer.

You'll be very embarrassed because the Email will go to people who are still on your contact list but aren't close friends. You may feel violated. Don't be embarrassed. It can happen to anyone, and it does. Just think about it the next time you provide answers for security questions. Come up with out-of-the-ordinary answers that you'll still remember.

Q: "Where were you born?"  A: "In bed"
Q: "What's your mother's maiden name?"  A: "Miss"
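As an added example (not the author's code), here is the post's advice in Python: reject any proposed answer that matches a fact someone could read off a public profile, and otherwise generate a made-up answer from a word list with the OS random generator. The word list and the profile are constructed for the demo; a real word list would have thousands of entries.

```python
import math
import re
import secrets

# Constructed, deliberately tiny word list for the demo. A real list
# (diceware-style, thousands of words) gives ~12-13 bits per word.
WORDS = ["anchor", "velvet", "tundra", "parsnip", "kestrel", "marble",
         "lantern", "quartz", "saffron", "bramble", "cobalt", "fjord",
         "orchid", "granite", "walnut", "zephyr"]

def normalize(text):
    """Lower-case and strip non-alphanumerics so 'Sullivan!' == 'sullivan'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def looks_biographical(answer, public_profile):
    """True if the proposed answer, or any word of it, equals a fact from the
    (constructed) public profile: surname, hometown, pet name, birthday..."""
    facts = {normalize(v) for v in public_profile.values()}
    tokens = [normalize(t) for t in answer.split()] + [normalize(answer)]
    return any(t and t in facts for t in tokens)

def random_answer(n_words=3, words=WORDS):
    """A made-up answer nobody can look up: n words drawn with a CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(n_words))

def answer_bits(n_words=3, words=WORDS):
    """Entropy of random_answer(): log2(len(words)) bits per word."""
    return n_words * math.log2(len(words))

def choose_answer(question, public_profile, proposed=None):
    """Keep the user's proposal if it is not biographical, otherwise generate
    a random one. Returns (answer, was_replaced); the question is only
    passed through for logging by the caller."""
    if proposed and not looks_biographical(proposed, public_profile):
        return proposed, False
    return random_answer(), True

if __name__ == "__main__":
    # Constructed profile mirroring the facts the post says are easy to find.
    profile = {"surname": "Sullivan", "hometown": "Schenectady",
               "pet": "Snoopy", "birthday": "1955-03-12"}
    for q, a in [("Where were you born?", "Schenectady, NY"),
                 ("Where were you born?", "In bed"),
                 ("Mother's maiden name?", None)]:
        ans, replaced = choose_answer(q, profile, a)
        print(f"{q:24} -> {ans!r} {'(generated)' if replaced else '(kept)'}")
    print(f"random answers carry {answer_bits():.0f} bits with this tiny list")
```

The generated answers are meant to be stored in a password manager, not memorised, which is the point: they cannot be recovered from anything the account holder has posted about themselves.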

And if one of your friends sends you an Email with just a link, send them here to read BitsFromBill.com.



5 Comments:

Blogger Unknown said...

Or, do what I do. Use nonsense responses to those stupid questions and use LastPass to store it all. It's encrypted locally so LastPass, even if breached, can't leak your information. No, I have no monetary or other interest in LastPass except that I am a Premium customer. Even Steve Gibson uses LastPass. What better testimony do you need? I have hundreds of passwords and challenge answers. LastPass works for me on Android, Windows, Mac, Blackberry and WebOS. In fact, I use it with a YubiKey. It's a shame we honest folks have to jump through these hoops to be secure. Maybe someday someone will come up with a better method. Meanwhile, LastPass is my solution.

7:07 PM  
Anonymous Joe said...

Good point Dan. I use RoboForm to do the same thing. RoboForm stores all your information locally on your PC, not in the cloud like Lastpass, which is more secure. That's why I tend to like RoboForm a bit better.

1:33 PM  
Blogger Boris said...

Joe, but he mentioned that LastPass data stored in the cloud is encrypted. How can it be decrypted?

5:43 AM  
Anonymous Batrscher said...

I can't remember where, but lately I registered somewhere where you could choose your own security question! Liked that, still it's no secure alternative for uncreative users.

9:30 AM  
Blogger Icarus said...

Verified by Visa asked me to create a new password after I fluffed my entry. The only security check was my date of birth.
Find or steal my wallet and you have my Visa card and driver's licence, which shows my DoB. Security? Pah!

4:34 PM  
