
Survival of the Fittest


Riverbank Ruminations: Observations from the banks of the technology river

Tom Evans; Ashton Engineer Emeritus

Two people have forgotten their passwords and need to get them reset. Sometimes you can do this by answering some ‘security’ questions (the reason for the quotes follows shortly). You go to the password reset page and the ‘keeper’ asks you:

Sir Lancelot attempts reset

KEEPER: Stop! Who approaches the Bridge of Death must answer me these questions three, ’ere the other side he see.

LANCELOT: Ask me the questions, bridge-keeper. I’m not afraid.

KEEPER: What is your name?

LANCELOT: Sir Lancelot of Camelot.

KEEPER: What is your quest?

LANCELOT: To seek the Holy Grail.

KEEPER: What is your favorite color?

LANCELOT: Blue.

KEEPER: Right. Off you go. (Sir Lancelot can now choose a new password)

LANCELOT: Oh, thank you. Thank you very much.


Sir Robin attempts reset

KEEPER: Stop! Who approaches the Bridge of Death must answer me these questions three, ’ere the other side he see.

ROBIN: Ask me the questions, bridge-keeper. I’m not afraid.

KEEPER: What is your name?

ROBIN: Sir Robin of Camelot.

KEEPER: What is your quest?

ROBIN: To seek the Holy Grail.

KEEPER: What is the capital of Assyria?

ROBIN: I don’t know that!

(Sir Robin is cast into the Gorge of Eternal Peril, and his password is NOT reset. You need to remember the answers to your security questions).


Unfortunately, there is a glaring weakness in the so-called ‘knowledge-based answer’ method of verifying who you are. If you are like most people, you answered those questions accurately when asked: mother’s maiden name, high school, first car, first pet and so on. The idea was that this was information only you knew and that would uniquely identify you. In this age of the data breach, those answers are now pretty much public knowledge, and anything that hasn’t been breached can probably be found on social media or in public records. Thus, these questions are among the weakest forms of authentication for account protection.

There is a way to make this method work better, and that is to make up answers to the questions: favorite color – asparagus, high school – mustache, etc. When the time comes to provide the answers, they won’t be ones that are easily guessed or publicly available. If you use different answers for the same questions on different sites, you limit your exposure even more. This follows the mantra “NEVER reuse a password.”

It is a sad fact that the more secure we make systems, the less user-friendly they become, and the less user-friendly security becomes, the less likely users are to act in a secure fashion. The article “Google Wants Your Phone to Protect Against Account Takeover Attacks” showed some interesting statistics.

The most successful methods of prevention were the on-device prompt (the phone must be handy) and the security key (the key must be purchased, configured and readily available). As more sites link to a single sign-on (Login with Google, Facebook, etc.), compromising that one account becomes more valuable. Just as in real life you wouldn’t spend $1000 to insure a $100 item but you would spend it to insure a $100,000 item, your email account is getting more valuable each day, so you really should be willing to spend more time and effort to protect it.

Get a password manager to generate long, complex passwords, a different one for each account you have. Enable something other than ‘security’ questions to protect your account: SMS at least, but an on-device prompt or security key if you can stand it. If you must use ‘security’ questions, make up answers and use different ones on each site. Attacks intended to take over accounts are on the increase. Single sign-on accounts are on the increase. Weak security will not survive. You need to work hard to survive.
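As an added illustration of the advice above and of the earlier paragraph on made-up answers (example code, not part of the original post), the Python below treats security-question answers the way a password manager treats passwords: it generates random word-based answers per site and question, estimates how much guessing resistance a wordlist of a given size buys, and audits the stored set for answers reused across sites. The wordlist and the site names are constructed for the example.

```python
import math
import secrets

# Constructed wordlist for illustration only. A real tool would draw from a
# large list (thousands of words); see answer_entropy_bits() for why.
WORDS = ["asparagus", "mustache", "lantern", "quartz", "velvet", "pelican",
         "marble", "cactus", "harbor", "tundra", "fennel", "oboe"]


def make_answer(num_words=3, words=WORDS):
    """Return a random made-up answer. Words are easier to read back over
    the phone than random characters, and the answer bears no relation to
    the real fact asked for, so breach dumps and public records don't help."""
    return " ".join(secrets.choice(words) for _ in range(num_words))


def answer_entropy_bits(num_words=3, words=WORDS):
    """Guessing resistance of an answer built from this wordlist: each word
    contributes log2(len(words)) bits. A 12-word list gives under 11 bits for
    three words, far too little; a 7776-word diceware list gives about 39."""
    return num_words * math.log2(len(words))


def add_entry(vault, site, question, num_words=3):
    """Generate and store a fresh answer under (site, question). The vault
    plays the role of a password manager: answers are kept, not memorised."""
    answer = make_answer(num_words)
    vault[(site, question)] = answer
    return answer


def find_reused_answers(vault):
    """Audit for the 'never reuse' rule: return [(answer, [sites])] for any
    answer that appears on more than one site, compared case-insensitively
    since most sites accept answers that way."""
    by_answer = {}
    for (site, _question), answer in vault.items():
        by_answer.setdefault(" ".join(answer.lower().split()), set()).add(site)
    return [(a, sorted(s)) for a, s in by_answer.items() if len(s) > 1]


if __name__ == "__main__":
    vault = {}
    for site in ("bank.example", "mail.example"):
        for question in ("favorite color", "high school"):
            add_entry(vault, site, question)
    # Deliberately reuse one answer on a third site to show the audit firing.
    vault[("shop.example", "favorite color")] = vault[("bank.example", "favorite color")]
    print(find_reused_answers(vault))
```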


Contact Ashton Technology Solutions for help securing your accounts.
