Security Questions: Best practice

Please be advised that the information in this article is intended to give the reader a stronger understanding of security questions. SafeMoon does not take responsibility for forgotten security question answers. If you follow the method below, we strongly advise keeping all of your answers in a secure location.


Recently, we put out an article about Social Engineering. If you haven’t read this yet, you can check this out here.


Social engineering, in its basic form, is scammers and hackers devising ways to obtain your personal information so that they can eventually complete actions such as a password reset and gain access to the systems and accounts you use.


Today’s Tip is about password resets and how you can better protect yourself against social engineering attacks that target security questions. Security questions are generally personal questions. They are for you alone to know, and they are often required for account changes and other sensitive actions, such as resetting an account password. As long as you know your answer to a security question or set of security questions, does it really matter what the answer is?


Example: A typical security question may be “What is the name of your first dog?” You might answer that question with your first dog’s name, Dave, for example. This is information that is easily obtained. It could be as simple as recovering it from the caption of a cover photo on a social platform, or finding it somewhere else an intruder might look. Now, let's ask the question again and, this time, explore a different way of choosing security responses as a best practice.


“What is the name of your first dog?” The answer to my security response may be “Cheese Toast.” By setting a unique security response that I am sure to remember, I can ensure that it is virtually impossible to social engineer, as Cheese Toast isn’t my first dog’s name.

Removing any connection between the question and the answer reduces the risk of someone being able to satisfy the security response. The information they would need cannot be obtained publicly, whether by browsing or by deceiving a person, co-worker, or friend in an effort to gain access.


Security question systems usually ask several questions. So, instead of answering them directly, you can reduce your risk by choosing 4 or 5 answers that you can remember and simply answering each question with one of the answers you've created. Remember, the answer doesn’t need to answer the question being asked. In fact, you're much safer when your answers have no connection to the subject, as long as you follow the rules defined by the security system, such as uppercase requirements, character length, and so on.


Next time you're asked your first pet's name as a security question, why not simply answer it with one of the 4 or 5 answers you’ve created and reduce the risk of your personally identifiable information falling into the wrong hands? Adopting this strategy as a best practice can effectively increase your account security and virtually remove the risk of your account being compromised as a result of a social engineering attack.


Examples of questions and answers

Question: What city were you born in?
Answer: Banana Loaf

Question: What was the first concert you attended?
Answer: Yellow Grass

Question: What was the make and model of your first car?
Answer: Yellow Grass

Question: In what city or town did your parents meet?
Answer: Banana Loaf

As the examples above show, you can keep using the same answers over and over regardless of the actual question. Because I know the answer will only ever be one of a small set of, say, 4 or 5 answers, no social engineering can take place: my answers don't actually answer the question the attacker is researching, yet I can still answer correctly when asked.
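To make the advice above concrete, here is an added example (not part of the original article or of SafeMoon's own tooling) in Python: a small self-check you can run on a proposed set of security answers before saving them. It flags an answer that appears in a constructed sample of "public" profile text (standing in for the cover photo caption mentioned above), an answer that is not one of your pre-chosen decoy answers, and an answer that falls short of a length rule. The public-profile snippets, the decoy answers and the 6-character minimum are all constructed assumptions for this example.

```python
import re

# Constructed sample of the kind of text an attacker could read off a public
# profile. The labels and contents are invented for this example.
PUBLIC_FACTS = {
    "cover photo caption": "Me and Dave at the beach, best dog ever",
    "birthday post": "Born and raised in Manchester!",
    "concert post": "Best night ever at the Coldplay concert 2009",
}

# Constructed example of the 4 or 5 unrelated answers a user decides to rotate
# across every security question.
DECOY_ANSWERS = {"Banana Loaf", "Yellow Grass", "Cheese Toast"}


def normalize(text):
    """Case-fold and collapse whitespace so 'Cheese  Toast' == 'cheese toast'."""
    return re.sub(r"\s+", " ", text.strip().casefold())


def _tokens(text):
    return set(re.findall(r"[a-z0-9]+", normalize(text)))


def find_public_leaks(answer, public_facts=PUBLIC_FACTS):
    """Return the labels of the public sources that contain the answer.

    Any hit means the answer can be recovered by browsing, with no deception
    of a friend or co-worker needed.
    """
    needle = normalize(answer)
    return [label for label, text in public_facts.items() if needle in normalize(text)]


def meets_policy(answer, min_len=6, require_upper=False):
    """Format rules a security-question system may impose (assumed values)."""
    if len(answer.strip()) < min_len:
        return False
    if require_upper and not any(c.isupper() for c in answer):
        return False
    return True


def assess_answer(question, answer, decoy_answers=DECOY_ANSWERS,
                  public_facts=PUBLIC_FACTS, min_len=6):
    """Return a list of problems with a (question, answer) pair; [] is good."""
    problems = []
    leaks = find_public_leaks(answer, public_facts)
    if leaks:
        problems.append("answer appears in public source(s): " + ", ".join(leaks))
    if normalize(answer) not in {normalize(d) for d in decoy_answers}:
        problems.append("answer is not one of your pre-chosen decoy answers")
    if _tokens(answer) & _tokens(question):
        problems.append("answer repeats a word from the question")
    if not meets_policy(answer, min_len):
        problems.append(f"answer shorter than {min_len} characters")
    return problems


def audit(profile, **kwargs):
    """Assess every question/answer pair; return only the ones with problems."""
    report = {q: assess_answer(q, a, **kwargs) for q, a in profile.items()}
    return {q: p for q, p in report.items() if p}


if __name__ == "__main__":
    # Constructed profile: the first answer is the real dog's name, the rest
    # follow the decoy-answer approach described in the article.
    proposed = {
        "What is the name of your first dog?": "Dave",
        "What city were you born in?": "Banana Loaf",
        "What was the first concert you attended?": "Yellow Grass",
    }
    for question, problems in audit(proposed).items():
        print(question)
        for p in problems:
            print("  -", p)
```

Running the script reports only the "first dog" entry, because "Dave" is visible in the constructed cover photo caption, is not a decoy answer, and is too short; the two decoy answers pass every check even though they are reused across unrelated questions, which is exactly the point of the article.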


Credit:

CatsRus - SafeMoon Educator
