Hostwinds Blog



Our security blankets have a few holes in them

by: Gavin Bluthe  /  May 22, 2015


Take a moment and see if you can get a friend to tell you their mother's middle name. You might do this by asking whether the name was such and such and having them reply with what it actually is. With such a simple trick, you have the answer to what might be one of your friend's recovery questions. If things work out the right way, you might even be able to pull that information off of said friend's Facebook account. Too often, we put the keys to our accounts in plain sight and expect nobody to test them on the doors of our accounts. One insecure question and an attacker might have access to your email, the central hub of access to everything you are connected to.

The issue here is that recovery questions exist for us to use if we have a problem and lose access to something. These questions are thus like leaving a key under the jar by the back door. To work effectively and fulfill their purpose, they have to be memorable. By being memorable, however, they fall into predictable patterns that make them dramatically easier for hackers to guess. Techspot talks about this dilemma in detail.

According to recent statistics gathered by Google, with ten guesses a hacker had a 24% chance of guessing an Arabic speaker's answer to "What's your first teacher's name?", a 21% chance of guessing a Spanish speaker's answer to "What is your father's middle name?", and a whopping 39% chance of guessing a Korean speaker's answer to "What is your city of birth?". A one-in-five chance of guessing an English speaker's favorite food raises the question, "Are security questions a thing of the past?"
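The "ten guesses" figures above are the share of a population covered by the most common answers to a question. As an added example (not from the original post or from Google's study), the following computes that share for a constructed sample of answers and finds the attempt limit a site would need to keep it under a chosen risk level; the function names and the sample data are hypothetical.

```python
from collections import Counter

def normalize(answer):
    # Recovery forms usually compare answers ignoring case and extra spaces,
    # so variants of one answer count as the same guess.
    return " ".join(answer.lower().split())

def guess_success(answers, k):
    """Fraction of accounts whose answer is among the k most common answers."""
    counts = Counter(normalize(a) for a in answers)
    return sum(n for _, n in counts.most_common(k)) / len(answers)

def max_attempts(answers, risk_limit):
    """Largest attempt limit that keeps guess_success at or below risk_limit."""
    distinct = len({normalize(a) for a in answers})
    k = 0
    while k < distinct and guess_success(answers, k + 1) <= risk_limit:
        k += 1
    return k  # 0 means the question is too guessable even for a single try

# Constructed sample: answers to "What is your city of birth?" for 20 accounts.
SAMPLE = (["Seoul"] * 6 + ["Busan"] * 3 + ["incheon", "Incheon "] +
          ["Daegu"] * 2 + ["Daejeon", "Gwangju", "Suwon", "Ulsan",
                           "Jeju", "Pohang", "Changwon"])

if __name__ == "__main__":
    for k in (1, 3, 10):
        print(f"{k:>2} guesses -> {guess_success(SAMPLE, k):.0%} of accounts")
    for limit in (0.25, 0.50):
        print(f"risk limit {limit:.0%} -> allow {max_attempts(SAMPLE, limit)} attempts")
```

Run against a real answer set, a result of 0 allowed attempts means the question should be retired rather than rate-limited.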

The fact of the matter is that there will always be a need for secondary access to accounts because of information loss. A fifteen-character alphanumeric password provides an immense amount of security.

As Google also suggested, it is imperative to add something like a phone number that security codes can be sent to as an alternate form of identification. While accounts can be hacked into, phone numbers can't be rerouted for this exact reason. Thus, the security code serves both as a heads-up and as a form of verification for users.

One of the easiest ways to deal with these issues is to use questions that are ambiguous to anyone besides you. Asking the middle name of "Dustin" is a tricky question to guess because, unless there is only one Dustin that you know, there are a few answers to this. Even a personal nickname you have for somebody could be a correct answer. The way to get around this problem is to make sure that whatever you choose is not something that another person could guess from looking at your Facebook page. Just try to remember that if a friend knows your answers or a lot about you, they could probably get into your accounts without your consent or knowledge.

