By trying to make things more secure, many companies succeed in doing the opposite or locking users out of their accounts, says Cyber Insider

Can’t remember the name of the street where your first pet’s favourite band lived? Perhaps an old-fashioned low-tech solution to those tricky security questions might be the answer

HOW MANY TIMES have you found yourself trying to log into a little-used online account – you know the routine: you finally work out what your username is, get your password in after a few failed attempts, and then hit the list of questions?

“Please enter the first name of your first pet’s best friend,” you’ll be asked, or, “What was the name of your home town in Roman times?” Or, the worst one I’ve encountered was simply, “Please enter your memorable information”. Of course, I had no idea what that was, which kind of defeats the point.

In all cases, the experience is one of frustration and annoyance. It’s easy to see why companies have added these extra questions: it’s an attempt to protect account access by requiring additional and supposedly unique information. Largely, this is because people tend to reuse the same password across accounts. As soon as one site’s password database is compromised, attackers try the same email address and password combination everywhere else, and the other accounts fall one by one.

Ultimately, asking users to answer questions simply doesn’t work, for several reasons that we’ll look at here.


I’ve heard that a technician working for a well-known fruit-based manufacturer recommends just typing in part of the question as the answer when setting up an account. So, if you were asked, “What street did you grow up on?” you just write “street” as the answer and so on.

Certainly, that’s easy enough to remember and takes out the requirement to think about what answer you put down and how you spelt it (was it upper case or lower case, and did you use spaces?). But is it secure? Not really. The question text is shown to whoever is trying to get in, so an answer lifted from it is the first thing an attacker will try. Criminals are well versed in guessing simple passwords, and they’re just as well versed in guessing easy-to-remember answers to questions.

Yet that’s the situation we find ourselves in, with manufacturers relying on obscure questions that deliver insecurity rather than security. That can’t be good, but the answer is twofold: what the manufacturers can do and what you can do.


The first thing manufacturers need to do concerns passwords. Setting complicated rules for passwords, such as the number of symbols, length and uppercase letters, seems like a good idea. Yet the problem is that each manufacturer only tells you what the password policy is at the point when you create your account.

When you log in, the same policy should be shown again if you enter your password incorrectly. Knowing the rules the site imposed may prompt you to remember the combination you used, and the policy itself reveals nothing about your particular password.

Next, forcing complexity is actually rather pointless. As we’ve discussed in the pages of Computer Shopper before, a long password made up of words picked at random from a large list (CanChairJewelleryTissue) is harder to brute-force than a shorter string built from a phrase with a few letters swapped for digits and symbols (can0Fdr1nk!#), and it’s easier to remember, too. The caveat is that the words really must be chosen at random: a memorable phrase, or a phrase with “leetspeak” substitutions, is exactly what password-cracking tools’ rule sets are built to reproduce.

Asking security questions is also rather pointless as a step to boost security. Either the information is relatively easy for attackers to find out (a mother’s maiden name, a first school or a pet’s name is often on social media or in public records), or it’s too complicated to remember easily. In other words, you’re being asked to enter a second, usually weaker, password.

Instead, manufacturers should be using two-factor authentication, sending a one-time code via an app, SMS or telephone. That’s far more secure and means that you don’t have to remember any bits of information. A code generated by an authenticator app is the better option where it’s offered, since codes sent by SMS can be intercepted by an attacker who persuades your mobile operator to move your number to their SIM.


Unfortunately, things are unlikely to change overnight, but there are things that you can do to make life easier. The best advice is to take a notebook and write down the answers to any security questions. Store that notebook somewhere safe, such as in a locked drawer.

Ideally, don’t even answer the questions truthfully: enter a random collection of words, generated the same way as your password, so the answer can’t be looked up or guessed from your life story. Next time you’re required to enter your security information, you can turn to your trusty book and look up the information.
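The two pieces of advice above (a password of random words, and random words as security-question answers) both depend on the words being picked by a random number generator rather than by you. The following is an added example, not code from the article or from any manufacturer it mentions: it generates such answers with Python’s `secrets` module and puts numbers on the comparison the article makes. The word list embedded here is a constructed 16-word stand-in so the script runs offline; the entropy figures assume a real list of 7,776 words (the size of the EFF long list), which is a stated assumption, and 94 printable ASCII characters for the random-character case.

```python
import math
import secrets

# Constructed, deliberately tiny word list so the demo runs offline.
# A real generator should draw from a large published list; the figures
# below assume a 7,776-word list such as the EFF long list.
WORDS = [
    "can", "chair", "jewellery", "tissue", "lamp", "river", "orbit", "pencil",
    "velvet", "magnet", "cactus", "window", "biscuit", "harbour", "comet", "fossil",
]

EFF_LONG_LIST_SIZE = 7776   # assumed size of the real word list
PRINTABLE_ASCII = 94        # printable ASCII characters, excluding space


def entropy_bits(pool_size: int, length: int) -> float:
    """Guessing entropy of `length` symbols, each chosen uniformly at random
    from `pool_size` candidates. This only holds when every symbol really is
    random: a phrase with a few letter-to-digit swaps (can0Fdr1nk!#) is far
    weaker than this formula suggests, because cracking rules generate it."""
    return length * math.log2(pool_size)


def random_words(n_words: int, words=WORDS) -> str:
    """Pick n_words words independently with a CSPRNG and join them in the
    CamelCase style the article uses (CanChairJewelleryTissue). Suitable for
    a password or for a made-up security-question answer."""
    return "".join(secrets.choice(words).capitalize() for _ in range(n_words))


def compare(word_count: int, char_count: int,
            list_size: int = EFF_LONG_LIST_SIZE) -> dict:
    """Bits of entropy for a random-word passphrase versus a string of
    truly random printable characters of the given length."""
    return {
        "passphrase_bits": entropy_bits(list_size, word_count),
        "random_chars_bits": entropy_bits(PRINTABLE_ASCII, char_count),
    }


if __name__ == "__main__":
    print("example answer:", random_words(4))
    for words, chars in ((4, 8), (4, 12), (6, 12)):
        r = compare(words, chars)
        print(f"{words} random words: {r['passphrase_bits']:.1f} bits;"
              f" {chars} random chars: {r['random_chars_bits']:.1f} bits")
```

Run as written, the script shows that four words from a 7,776-word list give about 52 bits, roughly the same as eight genuinely random printable characters, and that six words (about 78 bits) are needed to match twelve genuinely random characters. The article’s twelve-character example is not random, so it sits well below that figure; the passphrase wins because it can be both random and memorable.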

Delve into the security settings of your accounts, too, and see if there’s an option to turn on two-factor authentication yourself. You’ll be surprised how many companies offer it as an option, although few turn it on for you by default.

Online security remains a hot topic and it’s easy to see why companies have taken the steps they have to protect your data. Yet the changes often lead to us being locked out, or weak information being entered that could actually reduce security.

Smarter thinking on the developers’ side could improve things, but until then it looks as though noting down answers on a bit of securely stored paper is the best way to boost security and reduce frustration.

