What are you putting out there about you?

Recently I was asked to help figure out the answer to a security question for a penetration test.  We had valid credentials (username/password), and knew the name of the user, but we were asked to verify we were the user by answering a security question.  You know the types:
  • What High School did you go to?
  • Where did you get married?
  • What is the make of your first car?
  • What is your father's middle name?
  • What is the name of your friend's uncle's second cousin's dog?
OK, so that last one is probably not one you are likely to see, but the others are pretty common.  There are many others as well, but what it comes down to is this: are the answers to those questions easily obtainable?  If so, then you truly are just relying on your password to protect you, and the so-called "multi-factor authentication" is not adequate.  (A security question is just another "something you know", the same factor as the password, so even a hard-to-find answer is not a true second factor.)

So what do you do?  Well, here are a few tips.
  1. Make sure you have a secure password - I'm not talking about password123.  I'm talking about something that is easy for you to remember (DO NOT WRITE IT DOWN!), but hard for other people, or computers, to guess.  The password should be at least 10 characters long and contain numbers, symbols, and upper and lower case letters.  Better yet, stop using a password altogether!  Instead, go with a passPHRASE.  This is a phrase made up of multiple words, with characters or numbers injected throughout.  Something like:  This_is@secur3Password!   This passphrase is long, meets all the requirements, and would be tough to guess.  (Please don't use this one.  It is now on the Internet for anyone to see.)  Oh yeah, don't forget, you can often use spaces in your passphrases as well, so go for it!
  2. Realize your password will eventually be discovered - Sure, you have a super secure password, but there is more than one way to get on a system, and gathering passwords once on the system is very easy.  Always keep in the back of your mind that the password will likely be discovered at some point, so it is a good idea to change the passwords regularly.  Also, don't use the same password on all accounts.  That's just a bad idea.
  3. Watch what information you are putting out there about yourself - Most of us are on some form, or multiple forms, of social media.  As such, we seem to put a LOT of information about ourselves out there.  Even when we don't realize it, the information seeps out.  The answers to the security question are only a Google search or two away for most people.
  4. Lie when it comes to the answers to the security questions - I hear this suggestion a lot: lie when answering the questions.  My issue with that is that YOU forget what you answered.  So you either have to have generic responses to the questions, or write them down, which is as good as telling the truth.  I suggest using the correct answer, but adding an extra word as well.  So if the question is, "What was the make of your first car?" you can answer <Car make><website> (e.g., ChevyBlogger) <-- No, this is not one of mine...
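As an added example that is not part of the original post, here is the passphrase advice from tip 1 in working Python: a checker for the stated rules (at least 10 characters, with digits, symbols, and upper and lower case letters; spaces count as symbols since the post says they are often allowed) and a generator that builds a phrase from several words with separator characters and a number injected throughout, drawn from a cryptographically secure random source. The word list and separator set are constructed for the example only, and the entropy estimate assumes the attacker knows the list, the separators and the construction exactly.

```python
import math
import secrets
import string

# Constructed word list and separator set for this example only; a real
# generator would draw from a much larger list (thousands of words).
WORDS = ["apple", "river", "candle", "mountain", "silver", "window",
         "garden", "planet", "rocket", "puzzle", "forest", "anchor",
         "velvet", "lantern", "meadow", "copper"]
SEPARATORS = "_@!#-.+=%&*"


def check_policy(secret):
    """Check a candidate against the rules stated in tip 1: at least 10
    characters, with digits, symbols, and upper- and lower-case letters.
    Spaces count as symbols, since the post says they are often allowed."""
    return {
        "length_ok": len(secret) >= 10,
        "has_upper": any(c.isupper() for c in secret),
        "has_lower": any(c.islower() for c in secret),
        "has_digit": any(c.isdigit() for c in secret),
        "has_symbol": any(c in string.punctuation or c == " " for c in secret),
    }


def policy_passes(secret):
    """True only when every rule in check_policy() is satisfied."""
    return all(check_policy(secret).values())


def make_passphrase(n_words=4, words=WORDS, seps=SEPARATORS):
    """Build a passphrase the way tip 1 describes: several words with
    characters and numbers injected throughout. Uses the secrets module
    (a CSPRNG), never random.choice, so the output is not predictable."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    # Capitalise one word at a random position to supply the upper-case letter.
    i = secrets.randbelow(n_words)
    chosen[i] = chosen[i].capitalize()
    # Follow each word with a random separator symbol, then end with a
    # two-digit number so the digit requirement is always met.
    body = "".join(w + secrets.choice(seps) for w in chosen)
    return body + "%02d" % secrets.randbelow(100)


def entropy_bits(n_words=4, n_list=len(WORDS), n_seps=len(SEPARATORS)):
    """Entropy of make_passphrase() output in bits, assuming the attacker
    knows the word list, separator set and construction exactly (assume
    they do; only the random choices are secret)."""
    return (n_words * math.log2(n_list)        # which words
            + n_words * math.log2(n_seps)      # which separators
            + math.log2(n_words)               # which word is capitalised
            + math.log2(100))                  # the trailing two digits


if __name__ == "__main__":
    phrase = make_passphrase()
    print(phrase, policy_passes(phrase))
    print("This_is@secur3Password!", check_policy("This_is@secur3Password!"))
    print("password123", check_policy("password123"))
    # With this 16-word list the result is only about 38 bits; the same
    # construction over a 7776-word list gives about 74 bits, which is why
    # the size of the word list matters more than the injected symbols.
    print("entropy with this list: %.1f bits" % entropy_bits())
```

The entropy figure is the part worth noticing: the checker is satisfied by a phrase built from a 16-word list, yet that phrase has only about 38 bits of unpredictability against someone who knows how it was made, while the same construction over a 7776-word list gives about 74 bits. Meeting the character-class rules is necessary but not sufficient; the number of genuinely random choices is what makes a passphrase tough to guess.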
What this all comes down to is, try to secure yourself.  Enable multi-factor authentication where you can.  Many sites support it in one form or another; check whether the ones you use do, and enable it.  Limit what information is out there about you publicly.  Don't post the answers to these types of questions where anyone can find them.  Even enabling security settings on your social media accounts is not enough.  You never know what your "friends" are looking up about you, or who has control of their account.

I know you all wanted to know, and the answer is yes.  I found the answer to the security question, allowing for full access.  You can try this as an exercise:  Next time you have to answer a security question, go out and see if you can Google yourself to see what information you can find, specifically looking to see if the answer to that question is easily obtainable.
