By trying to make things more secure, many companies succeed in doing the opposite or locking users out of their accounts, says Cyber Insider
Can’t remember the name of the street where your first pet’s favourite band lived? Perhaps an old-fashioned low-tech solution to those tricky security questions might be the answer
HOW MANY TIMES have you been in a situation where you’ve tried to log into a little-used online account – you know, where you finally figure out what your username is, struggle through and enter your password after a few failed attempts, and then hit the list of questions?
“Please enter the first name of your first pet’s best friend,” you’ll be asked, or, “What was the name of your home town in Roman times?” Or, the worst one I’ve encountered was simply, “Please enter your memorable information”. Of course, I had no idea what that was, which kind of defeats the point.
In all cases, the experience is one of frustration and annoyance. It’s easy to see why companies have added these extra questions: it’s an attempt to protect account access by requiring additional and supposedly unique information. Largely, this is because people tend to use the same password for all their accounts. As soon as one account’s password is compromised, all the other accounts can fall one by one.
Ultimately, asking users to answer questions simply doesn’t work, for several reasons that we’ll look at here.
I’ve heard that a technician working for a well-known fruit-based manufacturer recommends just typing in part of the question as the answer when setting up an account. So, if you were asked, “What street did you grow up on?” you just write “street” as the answer and so on.
Certainly, that’s easy enough to remember and removes the need to think about what answer you put down, how you spelt it, whether you used upper or lower case, and whether you used spaces. But is it secure? Not really. Criminals are well versed in guessing simple passwords, and they’re well versed in guessing easy-to-remember answers to questions, too.
Yet that’s the situation we find ourselves in, and manufacturers are using obscure questions to push home (in)security. That can’t be good, but the answer is twofold: what the manufacturers can do and what you can do.
ASK A STUPID QUESTION
The first thing manufacturers need to do concerns passwords. Setting complicated rules for passwords, such as the number of symbols, length and uppercase letters, seems like a good idea. Yet the problem is that each manufacturer only tells you what the password policy is at the point when you create your account.
When you log in, the same information should be presented if you enter your password incorrectly. That way, you may be prompted to remember the combination that you used.
Next, forcing complexity is actually rather pointless. As we’ve discussed in the pages of Computer Shopper before, a long password made up of random words (CanChairJewelleryTissue) is harder to brute-force attack than a shorter collection of random letters and symbols (can0Fdr1nk!#), and it’s easier to remember, too.
Asking for security questions is also rather pointless as a step to boost security. Either the information is relatively easy to find out by hackers, or it’s too complicated to remember easily. In other words, you’re being asked to enter a second password.
Instead, manufacturers should be using two-factor authentication, sending a one-time code via an app, SMS or telephone. That’s far more secure and means that you don’t have to remember any bits of information.
PLAY IT SMART
Unfortunately, things are unlikely to change overnight, but there are things that you can do to make life easier. The best advice is to take a notebook and write down the answers to any security questions. Store that notebook somewhere safe, such as in a locked drawer.
Ideally, don’t even answer the questions truthfully, just enter a random collection of words, as per your password. Next time you’re required to enter your security information, you can turn to your trusty book and look up the information.
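As an added illustration (not part of the original column) of the brute-force comparison made earlier and of the random-word answers suggested here, the following Python script estimates the search space of the column’s two example passwords under a character-by-character brute-force model, and generates random-word answers using the operating system’s CSPRNG. The ten-word list is a constructed sample, so its bit counts are far lower than a real word list would give.

```python
import math
import secrets
import string

# Constructed word list for the demo. A real list such as a 7,776-word diceware
# list gives about 12.9 bits per word instead of the ~3.3 bits this one gives.
SAMPLE_WORDS = ["can", "chair", "jewellery", "tissue", "lamp", "river",
                "pencil", "orbit", "velvet", "harbour"]


def naive_bruteforce_bits(password: str) -> float:
    """Search space, in bits, for an attacker trying every string of the same
    length over the character classes the password visibly uses."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c == " " or c in string.punctuation for c in password):
        alphabet += 33  # 32 punctuation marks plus space
    return len(password) * math.log2(alphabet)


def wordlist_bits(n_words: int, wordlist) -> float:
    """Entropy of n words drawn uniformly from wordlist, assuming the attacker
    knows both the list and the method: the honest figure for a generated answer."""
    return n_words * math.log2(len(wordlist))


def random_word_answer(n_words: int, wordlist=SAMPLE_WORDS) -> list:
    """Pick n words with the OS CSPRNG (secrets), never with random.choice."""
    return [secrets.choice(wordlist) for _ in range(n_words)]


def format_answer(words) -> str:
    """CamelCase the words so there is no spacing or capitalisation to recall."""
    return "".join(w.capitalize() for w in words)


if __name__ == "__main__":
    for pw in ("can0Fdr1nk!#", "CanChairJewelleryTissue"):
        print(f"{pw:25} {naive_bruteforce_bits(pw):6.1f} bits")
    for question in ("First pet's best friend?", "Home town in Roman times?"):
        words = random_word_answer(4)
        print(f"{question:28} {format_answer(words)}  "
              f"({wordlist_bits(len(words), SAMPLE_WORDS):.1f} bits)")
```

The generated answer is what goes in the notebook; the bit figure tells you how much an attacker who knows your method still has to guess.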
Delve into the security settings of your accounts, too, and see if there’s an option to turn on two-factor authentication yourself. You’ll be surprised how many companies offer this as an option, although none makes you use the option by default.
Online security remains a hot topic and it’s easy to see why companies have taken the steps they have to protect your data. Yet the changes often lead to us being locked out, or weak information being entered that could actually reduce security.
Smarter thinking on the developers’ side could improve things, but until then it looks as though noting down answers on a bit of securely stored paper is the best way to boost security and reduce frustration.