Introduction — getting to know you (for password purposes)
How many times have you forgotten your password and been asked to answer security questions? This is currently one of the most-used methods of password retrieval and reset. Authentication is done by asking a number of (mostly personal) questions to which users must provide answers. This technique is based on the assumption that the questions can only be answered by the real user.
It is very important that both questions and answers are challenging enough to provide a real roadblock for malicious hackers. In fact, if your security questions for password recovery are breached, you might have something to do with it. These innocuous-seeming queries could be a weak link that impairs the usefulness of even the most secure passwords.
This article provides tips on creating questions and answers to help you keep your accounts secure. The objective is knowing how to create a security question that elicits not-so-obvious responses and answers that are not so easy to guess. An answer to a security prompt that can easily be found through a simple Web or social media search query does not provide any protection for users.
A typical question, for example, asks the user to give their mother’s maiden name. A hacker could easily retrieve that information from a Facebook account, especially one in which the owner has identified family members among their friends and/or has an open profile.
Tips for effective security questions
A lot of attention is focused on choosing the right answers, but in reality, choosing the right security questions is the first step in creating a system that better secures passwords.
The first tip, then, is quite obvious. Choose security questions that do not make it too easy for a hacker to guess an (Read more...)
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Daniel Brecht. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/1wYe-U2TUmQ/