Use a Password Manager to Answer Security Questions Too

It’s been a long time since I had to type in some stupid answer to a fictitious question when creating an account with a new service. You know what I’m talking about: forget your password and you can regain access to your account by entering the name of your first pet (Mr. Mrglglrm), your favorite sports team (Saskatoon Sirens) or the street you grew up on (Third Street).

If you haven’t heard, these questions and answers are terrible from a security point of view, because it is much easier for someone to find out or guess these answers than to guess a complex password or passphrase.

The obvious solution to this simple problem is to make up bogus answers whenever you are forced to answer questions like these, but there is a catch-22: write an outright lie or some crazy combination of letters and numbers, and you may forget your fake answer exactly when you need it the most. In the best case, you will have to contact the company and ask it to restore access to your account; in the worst case, you won’t be able to prove that the account is yours, and you’re out of luck.

There are several ways to solve this problem, in order of their effectiveness:

Lie, but only a little

When a service asks you to enter the name of the first musical you saw as an account security question, you don’t have to tell the truth. If you first saw The Phantom of the Opera as a child, you could always say it was Hamilton. Or Heathers. Or don’t choose a musical at all. Go with The Nightmare Before Christmas (which really should be a musical, but I digress).

As long as you remember your harmless little lie, it will be more difficult for someone to break into your account by finding something you’ve posted online that gives away the real answer to the question.

Treat your Q&A like a password hint

If you want to get a little crazy, you can always disguise your answer in a more creative way. Take Katya Kochetkova’s approach from Kaspersky’s blog:

“If you want, you can change the answer to even the worst secret question so that no one can guess it. What is your mother’s maiden name? XCU*(&S1042! But of course you have to be careful not to confuse yourself.

Alternatively, you can take Woodhouse’s maiden name and split it into consonants: wdhs. Interlace the date of birth 08/04/80 evenly to get 04wd08hs80. Not a brilliant gimmick, but much better than the original.”

Now you are safer than before, because instead of a name that can be guessed from a dictionary, you are using an incomprehensible combination of numbers and letters. It won’t stop a determined brute-force attack, but it will at least beat anyone simply typing in permutations of city names, common first names, or whatever else the usual answers might be.

The downside? Something like “J2uS*SD12(#..sfa!” will be difficult to remember. And the last thing you should do is write it down somewhere (a sticky note on your monitor, a text file on your desktop) unless you have put your list of answers somewhere safe. Skip ahead to solution number three!

Use a password manager to store your questions and answers

Yes, your password manager isn’t just for passwords. Assuming that your LastPass or 1Password account is protected by a strong password, two-factor authentication and whatever other safeguards LastPass or 1Password offers, you can store your answers to account security questions there too. (Yes, there are many other options besides LastPass and 1Password; these are just our favorites.)

If you are a LastPass user, you can keep your answers in the service’s Secure Notes section (and require your master password to open them, if you like) or directly in the notes field of any saved site.

If you’re using 1Password, the process is simple too. Put your answers in a secure note, or create a custom field on any saved login and record your questions and answers there for account recovery.

The best thing about using a password manager to store account security questions and answers is that you can even use the app to generate the answer. (After all, an “answer” is just another password.) If you do, you may have to tone the madness down a bit (no symbols, for example) if the site or service you’re using won’t let you say your first car was “H0n$@@$$0RD”.
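To make the “an answer is just another password” idea concrete, here is an added example (not code from the original article, and not LastPass’s or 1Password’s own software) that generates a random security answer with a cryptographically secure random source, checks it against a site’s field rules, and lays out the question/answer pairs the way you would paste them into a secure note. The character sets, the site rules, the note layout and the sample questions are all assumptions chosen for the illustration.

```python
import json
import math
import secrets
import string

# Assumed character sets. Real sites differ; check what the answer field accepts.
LETTERS_DIGITS = string.ascii_letters + string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"


def generate_answer(length=20, allow_symbols=True):
    """Return a random 'answer' built exactly like a generated password.

    Uses the secrets module (CSPRNG) rather than random, because the answer
    is a credential: whoever knows it can reset the account's password.
    """
    if length < 1:
        raise ValueError("length must be positive")
    alphabet = LETTERS_DIGITS + (SYMBOLS if allow_symbols else "")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def answer_fits_site(answer, allow_symbols, max_length=None):
    """Check an answer against a site's restrictions (no symbols, max length)."""
    allowed = set(LETTERS_DIGITS + (SYMBOLS if allow_symbols else ""))
    if max_length is not None and len(answer) > max_length:
        return False
    return all(ch in allowed for ch in answer)


def entropy_bits(alphabet_size, length):
    """Guessing entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def build_secure_note(site, login, qa_pairs):
    """Structure the Q&A for a password manager's notes or custom fields.

    Questions are kept verbatim so you can match the recovery prompt later;
    answers are treated as secrets, just like the password itself.
    """
    return {
        "site": site,
        "login": login,
        "security_questions": [{"question": q, "answer": a} for q, a in qa_pairs],
    }


if __name__ == "__main__":
    # Constructed sample: one site that rejects symbols in security answers.
    questions = ["What was the name of your first pet?",
                 "What street did you grow up on?"]
    answers = [generate_answer(length=20, allow_symbols=False) for _ in questions]
    assert all(answer_fits_site(a, allow_symbols=False, max_length=32) for a in answers)

    note = build_secure_note("example.com", "user@example.com", zip(questions, answers))
    print(json.dumps(note, indent=2))

    # Why this beats a "real" answer: a pet name drawn from a list of roughly
    # 1,000 common names (assumed figure) is about 10 bits of guessing work;
    # 20 random letters and digits is about 119 bits.
    print(f"real pet name:    ~{entropy_bits(1000, 1):.1f} bits")
    print(f"generated answer: ~{entropy_bits(len(LETTERS_DIGITS), 20):.1f} bits")
```

The `answer_fits_site` check is the programmatic version of the “tone the madness down” advice: generate once with the site’s rules, verify the result, and only then store the pair in the note, so the recovery flow never fails because the form silently rejected a character.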
