Transcript
Hi, everyone. Leo Notenboom here for askleo.com. I got a very interesting and actually fairly frustrated comment the other day on one of my articles having to do with how Microsoft accounts can easily get “locked out”, if you will. The problem, if you haven’t heard of it before, is this.
The issue is that if you’re traveling and trying to access your Microsoft account, your Hotmail account, your Outlook.com account from some place other than where you normally do, some other country or some other location on the planet, Microsoft will probably ask you for an additional verification step to prove that you are who you say you are.
That additional verification usually takes the form of a text message sent to the alternate phone number on file with that account, or an email message sent to the alternate email address that you have associated with the account.
The frustration is that, especially when traveling, many people don’t have access to the phone that would receive the text message, or they don’t have access to that other email account. They’re counting on being able to use their Microsoft account while they’re traveling and, without access to these alternate verification mechanisms, they have no way to log in to it.
The frustration was simply this: why can’t they just ask me a couple of security questions and let me get on with my life? Well, the problem is that security questions really aren’t that secure anymore. They were never really very good. For a lot of us, the common security questions have pretty easily discoverable answers.
Now, you may not know my mother’s maiden name or the name of my first pet, but a lot of people have fairly common answers to those kinds of questions, and a lot of the questions, to be honest, weren’t even that sophisticated. A lot of online services are now moving away from using security questions as a secondary way to validate your identity.
In a lot of ways we really have ourselves to blame, because even for those relatively secure security questions, something interesting has been happening. A couple of days after I got that comment on the article, I happened to be on Facebook, and sure enough, up through Facebook came another one of those quizzes.
“What kind of something are you?” or “What’s your Hobbit name?” or any of those kinds of things. I’m sure if you’re on Facebook at all you’ve seen them. The problem is that most of these quizzes actually take your personal information in one of two ways. The most common is simply that they ask you a seemingly innocuous question. For example, “What’s your Hobbit name?” Well, your Hobbit name might be based on the month of your birth. So as soon as you pick a Hobbit name and post it publicly on your Facebook timeline, anybody paying attention now knows what month you were born in.
That same technique is being used for all sorts of seemingly innocuous pieces of personal information, and when all that information is collected (in other words, over the course of a couple of weeks you participate in a few of these quizzes and publicly post your Hobbit name or whatever it is they’re asking about), somebody paying attention, who’s collecting this information, can over time build a fairly complete picture of your personal information.
It starts to come close to a dossier, actually. That was a word I was toying around with. It seems a little bit strong, but when you think about it, simply answering these quizzes with information about yourself makes this kind of information public. And that’s without the Facebook app even needing any special access; just posting the answers to “what kind of a whatever you are” makes this information public to anybody paying attention.
Now, of course, on top of that, there are Facebook applications that, before you can even participate in the quiz, ask for permission to access your Facebook profile, and of course they can slurp up all sorts of data based on whatever you put in your profile. But the issue is that these seemingly innocuous quizzes and games and whatnot on Facebook, and probably other social media sites, can cause you to inadvertently expose a tremendous amount of information about yourself.
It may be encoded; you may not know that Frodo means January, but there it is. So, that’s kind of put another nail in the coffin of security questions and answers, because a lot of online service providers know that security questions and answers were never that great to begin with, and with what’s happening in social media today, that security is being eroded at a fairly rapid rate.
They have to go to alternate means to confirm your identity. So, what does that really mean for you? What should you be doing because of this erosion of the security question as a viable means of secondary identification? Well, for one thing, security questions are still in use. They’re going away, slowly. I’m actually surprised at the number of accounts that no longer use them, but there definitely are accounts that continue to use them.
Don’t answer those quizzes. Don’t play those games on Facebook that cause you to explicitly or inadvertently reveal personal information about yourself. That’s kind of a no-brainer. The other issue, though, is that because accounts are using other mechanisms to confirm your identity when they feel they need to, make sure that those mechanisms are in place, that they are up to date and that they will work when you need them. In fact, my recommendation is that for your most important accounts, your email accounts when you are traveling, your banking accounts, whatever accounts would concern you, use all of the secondary mechanisms they provide.
If they provide security questions, great! Give them answers. A best practice for security questions and answers, by the way, is to have answers that have no relationship to the question. Your mother’s first name may be “Orange”. That is completely nonsensical, but they don’t care, as long as you can provide the right answer to that question if it gets asked of you in the future.
Also, make sure that you’ve got an alternate phone number on there if they have that as an option. Make sure that there’s an alternate email address and, most important of all, make sure that those phone numbers and email addresses are up to date and are things that you actually still have.
One of the very common ways that people lose their accounts is that they take the time to set up that information when they set up the account, and then life goes on. They lose that particular mobile number; they lose that particular email address, and all of a sudden they’re left with no working alternate forms of identification for their primary email account.
So make sure you’ve got them all set. Make sure that they are up to date. In addition, get recovery codes. Many services now give you the option of creating a recovery code that you can keep with you in a safe place. Microsoft is one of them. If you create a recovery code before you need it, that is another way that Microsoft can confirm that you are who you say you are when you need to access your account in what they might consider a questionable situation.
But the most important thing of all is just to be aware that security questions may not be enough. Recovery information, however much of it there is on your account, needs to be there. It needs to be up to date, and it needs to be something you can access when you’re in a situation that might cause your primary account to want to confirm that you are who you say you are.
So, as always, I’m really interested in what you have to say about this issue. Here’s a link to this article on Ask Leo! If you are viewing this video anywhere but on askleo.com, come join us there. That’s where the discussion is. That’s where the moderated comments are. Until next week, I’m Leo Notenboom for askleo.com. Stay safe, have fun and don’t forget to back up.
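The advice in the transcript (answers that have no relationship to the question, different for every site, kept in a password manager) is easy to follow mechanically. The Python below is an added example, not code from Ask Leo! or from any password manager: it draws passphrase-style answers with a CSPRNG, keeps them to letters and hyphens because many sites reject symbols in security answers, refuses to reuse an answer across the questions of one site, and emits a JSON record you could paste into a password manager's notes field. The word list and the site and question names are constructed for the demonstration.

```python
"""Generate random, per-site answers to account security questions.

Added example, not part of the Ask Leo! transcript. Answers are treated as
passwords: unrelated to the question, unique per site, stored in a password
manager rather than memorised.
"""
import json
import math
import secrets
import string

# Constructed demonstration word list (32 words = 5 bits per word).
# A real generator would use a large published list such as the EFF long
# word list (7776 words, about 12.9 bits per word).
WORDS = [
    "orange", "quark", "dogma", "lantern", "violet", "marble", "cobalt",
    "falcon", "harbor", "ember", "glacier", "meadow", "pixel", "saddle",
    "tundra", "walnut", "zephyr", "comet", "basil", "nickel", "oyster",
    "plume", "rivet", "sable", "thistle", "umber", "velvet", "wicket",
    "yarrow", "anvil", "brook", "cedar",
]


def random_answer(n_words=4, rng=secrets):
    """Return an answer such as 'cobalt-yarrow-anvil-plume'.

    Words are drawn with the secrets module (a CSPRNG) unless another rng
    with a .choice() method is supplied. Lowercase letters and hyphens only,
    since many sites accept symbols in passwords but not in security answers.
    """
    return "-".join(rng.choice(WORDS) for _ in range(n_words))


def answers_for_site(site, questions, n_words=4, rng=secrets):
    """Generate one distinct answer per question for a single site.

    Some systems refuse the same answer on two questions, so a (rare)
    collision is simply re-drawn. Calling this once per site gives answers
    that are unrelated between sites as well.
    """
    answers = {}
    used = set()
    for question in questions:
        answer = random_answer(n_words, rng)
        while answer in used:
            answer = random_answer(n_words, rng)
        used.add(answer)
        answers[question] = answer
    return {"site": site, "answers": answers}


def answer_is_acceptable(answer, max_len=50):
    """Check an answer against the limits sites commonly impose.

    Assumed limits for the example: non-empty, at most max_len characters,
    lowercase letters and hyphens only.
    """
    allowed = set(string.ascii_lowercase + "-")
    return 0 < len(answer) <= max_len and set(answer) <= allowed


def answer_entropy_bits(n_words=4, wordlist=WORDS):
    """Bits of entropy in an answer drawn uniformly from the word list."""
    return n_words * math.log2(len(wordlist))


if __name__ == "__main__":
    questions = ["mother's maiden name", "first pet", "city of birth"]
    for site in ["example-bank", "example-mail"]:
        # One record per site; paste into the password manager's notes field.
        print(json.dumps(answers_for_site(site, questions), indent=2))
    print(f"{answer_entropy_bits():.1f} bits per answer with this word list")
```

With the constructed 32-word list each four-word answer has only 20 bits of entropy, which is fine against an attacker guessing a handful of times through a rate-limited reset form but not against an offline attack on a leaked answer database; swapping in a 7776-word list raises that to about 52 bits.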
Ever since I read an article on LastPass in 2013, I answer security questions with LastPass generated passwords. I store them in the comment section of the LastPass entry for that site, unless it is on a separate screen that can save it like a password. I answer these security questions differently for each site, so that the same question doesn’t lead to the same answer. The exception is if my wife and I have separate accounts at the same place (e.g. bank). I’ll use the same answers for the security question, which I consider secure since our user names and actual passwords are different. I also feel comfortable answering all the security questions with the same LastPass generated password if they will allow it, knowing that no one will guess it, and my main password is a different LastPass password. While it means I do have to look up the security question answer in the LastPass comment, rarely do these precautions slow me down (unlike 2nd factor authentication, which does slow me down). Since LastPass allows local login, I can retrieve my security question answers anywhere in the world off of my phone. I don’t have texting on my phone, so my alternate E-mail is always another E-mail account that I can usually get to. Here’s the LastPass article: https://blog.lastpass.com/2013/06/your-answers-to-security-questions-should-be-random-too.html/ on answering security questions using LastPass.
So just checked my Outlook account and it does go to my gmail account for security codes; not texting.
I did this once in frustration for a site that just wouldn’t let me create a user name and password without finding something wrong with it. I would think this would be as secure as anything. It would be a real problem if you are ever separated from your password manager.
Actually, as long as you know your LastPass credentials, you are never away from your password manager. I can log on to LastPass on any computer in the world and use their web interface to access my passwords.
Make sure you allow LastPass access in the countries you are visiting.
Good point. I’ve accessed it in several countries, so I must have authorized it one time. I travel a lot.
And if you plan on traveling out of the country, make sure you use a few email addresses and that at least one of those recovery addresses doesn’t require a recovery email to access it internationally.
A few years ago Sarah Palin’s email account was hacked, because she used recovery questions whose answers eventually became public information.
I remember reading about a hacking/social engineering challenge in which a guy – an IT security guy, actually – was told that, at some point during the next 3 months, somebody would attempt to obtain the information necessary to steal his identity. And, yes, even though he knew it was coming, he was still caught out.
The hacker/social engineer turned out to be a pretty young lady who sat next to him in a coffee shop. The first thing she did was ask him to watch her laptop and backpack while she went to the bathroom. A while later, he then did the same thing and asked her to watch his laptop and backpack while he went to the bathroom. As soon as he’d left the table, she pulled his wallet from his backpack and used her phone to snap photos of his bank cards, drivers license, etc., etc. Then, after he’d returned, a friendly 10-minute chat was sufficient for her to be able to elicit the names and ages of his kids, the name of their pets, etc., etc. – pretty much everything she needed to be able to answer likely security questions.
She ended up with enough information to be able to access his online accounts – including his bank accounts – calculate his social security number and, basically, take over his identity.
Interestingly, when asked why he’d left his laptop and backpack with her, he said it wasn’t because he trusted her; rather, it was because he felt too embarrassed to pack it up after she’d trusted him.
I only have to ask *one* question: Why was he so stupid as to leave his *wallet* in a backpack??
If I offend, oh, well, but this habit is not a habit, it’s idiocy and being completely stupid, as well!
Just my $0.02.
I think the takeaways are that anybody can make a dumb mistake and the fact that we behave predictably – or unpredictably when faced with an unusual situation – can be used against us. If somebody seems to trust us, we don’t want to appear rude by not trusting them – and that’s maybe especially true if you bring in other factors (such as attraction). It’s a predictable behaviour. Similarly, pickpockets supposedly often work in the vicinity of BEWARE OF PICKPOCKETS! signs. People see the sign and check that their wallet is still in their pocket – which, of course, shows the pickpocket which pocket it’s in. Again, it’s a matter of our predictable behaviour being used against us.
Howdy Ray!
Sorry, but I think that you might have misunderstood me. I was not talking about a predictable or unpredictable situation. Nor was it about “trust.” (Though I do agree with your explanations.) My question/comment was about how stupid it is to have a *wallet* in any place other than a pocket/purse. It’s like someone decided to write down all their passwords on paper, then leave it sitting open on their desk instead of a pocket/locked cabinet/other very secure place, then whine about how it was stolen/copied while they went to the restroom – stupid, in my opinion. “Why be so stupid with their wallet?” is the question.
Again, just my $0.02 worth.
“My question/comment was about how stupid it is to have a *wallet* in any place other than a pocket/purse.” – Actually, I usually keep mine in a backpack (which is never left unattended, of course!). Unless I decide to start wearing roomier pants or invest in a man-bag/purse, it’s the only comfortable option!
“It’s like someone decided to write down all their passwords on paper, then leave it sitting open on their desk.” – People do that all the time. I once visited an office that enforced password complexity, age and history rules. Basically, the staff had to come up with a new and complex password once every month that was dissimilar to previously used passwords, a minimum of 16 characters in length and which didn’t contain any part of their account or display name. Pretty much every desk had a post-it note stuck somewhere.
Although I have a gmail account, I don’t use it as my main email. I use one that while I do have to pay for it, the fee is quite nominal, about $8.00 a year. I never have any problems with getting onto my account, other than having to log into it if I’m on a different computer, and then I always open a private window so that my information is deleted once I’m done. My answers to any security questions have always been similar to what Leo said about my mother’s maiden name. The key to those questions is that it always has to be something that you will remember.
Do you have any articles aimed squarely at the dangers of those “which hobbit are you” type posts? I have several friends who could use a smack upside the head on this one. I’m not sure they’d “get it” based on this article alone.
Thanks.
This article hits the subject pretty squarely. It covers much more, of course, but everything you need to know about the subject of Facebook quizzes is included here.
“Do you have any articles aimed squarely at the dangers of those “which hobbit are you” type posts?” – I think “dangers” is probably too strong a word. While FB quizzes/games may be inane and irritating, they’re not really dangerous – and they’re certainly not being used as a mechanism to mine the answers to security questions. Look at it this way: if the developer of “Which Game of Thrones Character are You?” happens to discover your mother’s maiden name…so what? Knowing that her maiden name was Wigglesthorpe or Shufflebottom or whatever does them no good whatsoever unless they also know the name of your bank, what your card number is *and* have access to your email account.
The majority of these quizzes/games are completely harmless and simply enable the developers to make money via embedded ads – really no different to the ads you see on AskLeo! or on any other website. Some of the games/quizzes do, however, collect personal information and use it in a way that some people may not be comfortable with, for example:
http://www.nytimes.com/2009/03/26/technology/internet/26privacy.html?_r=2&em
The danger lies in the permissions those games require. Playing the game may be harmless (although some might not be), but when you complete the quiz, they offer you the opportunity to post the results on Facebook. Often they ask for more permissions than are needed to simply post the results, and they get access to your entire friends list and other things they can data mine.
“I think the people who originate these quizzes do it for the express purpose of gathering security answer questions.” – I don’t mean to sound disrespectful, but that’s really quite an absurd claim to make. Do you have a single shred of evidence to support that it’s actually happening?
Why on earth would the developers of “Which Muppet are You” want to know the maiden name of Henry Hoosierdaddy’s mother? What good would it do them? There is absolutely nothing that can be done with the information unless they also 1) know which bank Henry uses; *and* 2) know his bank card number; *and* 3) have access to the account/device to which a password reset link would be sent. Plus, of course, even if each of those boxes were to be checked, it still relies on Henry having answered the quiz questions accurately.
As I said, these quizzes are very often designed to make money for the developers – but that money is made from ads and/or (possibly) selling the statistical/demographic information that’s collected. It’s *not* made by harvesting the answers to security questions and then tracking down and hacking peoples’ bank accounts.
As Leo noted, security questions simply want a character string match; orange for your mother’s maiden name works just fine. These are another opportunity to use strong password guidelines regardless of the question. When challenged, most folks can remember their answers – assumed true and accurate – to questions like “mother’s maiden name” or “favorite book.” But when ‘BlueQuarkWaterQixxlyDogma’ matches the character string for the name of your first pet, you’re good to go. Granted, you must have a method to remember all your various answers, but until some hack-proof system is in place I don’t mind the added complication.
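The comment above describes the answer check as a plain character-string match. The Python below is an added example, not code from Ask Leo! or from any site in this thread, of what that match should look like on the server side of a password-reset form: the answer is canonicalised (Unicode NFKC, case-folded, whitespace collapsed) so “Orange ” and “orange” both pass, but the answer itself is never stored; it is salted and run through a slow key-derivation function, compared in constant time, and failed attempts are capped so neither a quiz-harvested guess list nor a leaked answer table is cheaply brute-forced. The lockout threshold, iteration count and test values are assumptions for the example; a matched answer should only gate sending a reset link to an already-verified channel, never grant access directly.

```python
"""Store and verify security-question answers as credentials, not as text.

Added example, not code from Ask Leo! or from any site discussed here.
Assumptions: PBKDF2-HMAC-SHA256 with 100,000 iterations (Argon2id or scrypt
are preferable where available), a 16-byte random salt per answer, and a
lockout after MAX_ATTEMPTS consecutive failures.
"""
import hashlib
import hmac
import secrets
import unicodedata

PBKDF2_ITERATIONS = 100_000   # assumed; tune to the server's budget
MAX_ATTEMPTS = 5              # assumed lockout threshold for the example


def normalize_answer(answer):
    """Canonicalise an answer before hashing.

    NFKC folds look-alike code points (e.g. non-breaking spaces), casefold
    handles case across scripts, and split/join collapses runs of
    whitespace. This keeps legitimate users from being locked out by
    trivial typing differences without weakening the stored hash.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def _derive(answer, salt):
    """Slow, salted hash of the canonical answer."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt,
        PBKDF2_ITERATIONS, dklen=32,
    )


def enroll(answer):
    """Return the record to persist: salt, hash and failure counter.

    The plaintext answer is not kept anywhere.
    """
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _derive(answer, salt), "attempts": 0}


def verify(record, candidate):
    """True if candidate matches the enrolled answer.

    Refuses once the failure counter has reached MAX_ATTEMPTS (the caller
    would then fall back to another recovery channel or a support process).
    Comparison is constant-time via hmac.compare_digest. On success the
    counter resets; on failure it increments. A True result should only
    trigger sending a reset link to a verified e-mail or phone.
    """
    if record["attempts"] >= MAX_ATTEMPTS:
        return False
    matched = hmac.compare_digest(_derive(candidate, record["salt"]),
                                  record["hash"])
    record["attempts"] = 0 if matched else record["attempts"] + 1
    return matched


if __name__ == "__main__":
    # Constructed demonstration: the nonsensical answer Leo suggests.
    rec = enroll("Orange")
    print("orange   ->", verify(rec, "orange"))    # True after normalisation
    print("apple    ->", verify(rec, "apple"))     # False, attempts becomes 1
    for _ in range(MAX_ATTEMPTS):
        verify(rec, "guess")
    print("locked   ->", verify(rec, "Orange"))    # False: locked out
```

The normalisation is deliberately narrow: it does not strip punctuation or accents, because every extra rule that makes the check more forgiving also shrinks the space an attacker has to search.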
You may not mind the extra hassle a nonsensical security question answer entails, but this second factor is being imposed for exceptional logins or exceptional actions in response to people having their accounts hacked. Articles are still coming out about people using 12345678 as their password. You may not feel people should be protected against themselves, but a large number of hacked accounts could severely hurt a website’s reputation. These websites are caught between a rock and a hard place.
Back when FB first came out, I started the process of setting up an account and I stopped when it asked me, “OK, tell us about yourself, what’s your favorite movie?” and I gasped! I thought, “I just answered that question as a security measure on another website!” I actually thought this new Facebook thingy was a scam and they were trying to trick me! :P
What’s strange is that many, many users still have those things posted on their FB pages, like favorite movies, books, music, etc. My real friends already know this about me. I’ve chosen not to list those facts for public consumption.
“A best practice for security questions and answers, by the way, is to have answers that have no relationship to the question.” – Interestingly, research by Google found that this approach may not enhance security at all: “A user survey we conducted revealed that a significant fraction of users (37%) who admitted to providing fake answers did so in an attempt to make them “harder to guess” although on aggregate this behavior had the opposite effect as people “harden” their answers in a predictable way.”
http://research.google.com/pubs/pub43783.html
When I answer those questions I treat it like a password. “What was your mother’s maiden name?”
Answer…. G567h3c. If you use an actual word, like Leo has pointed out before, there are programs that can figure out the word.
Of course it has to be written down to remember it. But I don’t check my emails anywhere but home anyway.
Gmail stopped allowing Windows Live Mail on Windows 10 to pick up my Gmail. I eventually changed my setting on Google to allow insecure apps. Now Windows Live Mail picks up my Gmail account.
How great a risk is this to my security?
I hope this is not too far off topic. I do appreciate what I am seeing on Ask Leo
“How great a risk is this to my security?” – Yes, but not a particularly significant risk, IMO. You can read about it here:
https://support.google.com/accounts/answer/6010255?hl=en
Hi Leo. Regarding passwords, the advice is “never write your password down and leave it next to your PC”. I think a better solution is “never write your actual password down and ….” I suggest people write down some word or sequence of characters that helps them remember their actual password; what they write only has meaning to them. If I wrote “my password is IOWA” or “my password is 17 v’s”, that would have some meaning to me and I bet you would not be able to guess my password based on what I wrote down. Every time I change my actual password I write down a different phrase, so I actually do not follow the same scheme. Any thoughts on this approach?
So long as it enables you to remember complex passwords/phrases, it’s a great strategy.
I actually use a single strong password/phrase for all logins – $tupidOldRay99, say – but then modify it slightly by prefixing with the first two letters of the name on the site on which it’s to be used. So, for example, my password for Amazon would be AM$tupidOldRay73 and for Gmail it’d be GM$tupidOldRay99.
In theory, somebody with access to a number of my passwords could probably work out the pattern, but, realistically, it’s probably as secure as any other methodology.
The fact that you posted the pattern here probably makes you more vulnerable. The less you share about your password, the better.
That’s neither the actual password nor the actual pattern :P
Leo, your answers are good…..from an individual that’s been in IT for 31 years. In fact as an example of this, when asked “What is your Mother’s maiden name?” I answer something no one could possibly guess. And you suggest the same thing. Thank you for your great advice to everyone!
I don’t understand why people list security questions honestly. It’s not a test! I use replies like “Lady Gaga” or “Sam Spade.” They don’t have to be real
Just today I was helping a guy at work. Our IT department has launched a self-managing password system to reset your mainframe account if you lock yourself out, and yes, they use security questions. I was showing him how to set up his security questions. The questions are predefined. You pick X number of questions from a list of Y possible questions. This guy was having a hard time picking questions because his father didn’t have a middle name, his first phone number including area code was before we used area codes, and the questions that required city name answers all had the same answer, and the system didn’t like him using the same answer on multiple questions. I suggested he just make up answers, but he was afraid he wouldn’t be able to remember the fake answer when the time came to answer the question.
While security questions do represent a weakness, it’s a relatively minor weakness, IMO. Security questions nowadays are really only used to authenticate password reset requests, with the reset links then being sent via email or text. Consequently, so long as the accounts/devices to which the reset links are sent are properly secured – in other words, protected by a strong password – it doesn’t matter too much whether or not somebody knows or can guess the answer to a security question.
That’s kind of my point – systems are moving away from security questions. They’re rarely used – as you say only in account recovery. Even then many systems no longer use them at all. I believe that’s because they were not secure enough in practice.
I’m sure you’re right. In fact, all current mainstream forms of authentication are very problematic. I suspect that biometric authentication will be the eventual solution.
When I go abroad, I always keep my mobile phone numbers active. Anyone can still reach me by sms including my bank and email service providers.
Leo:
You started out well when you described how the only reason you are using Hotmail in a far away place is because you do not have access to your mobile, your computer with POP/IMAP mail etc. Then you miss the point entirely by praising Microsoft for putting these convoluted procedures in place that defeat the whole aim of an internet based email account; that is, for basic communication when you cannot use your normal accounts. Hotmail is essentially useless now so I do not bother with it anymore, but thankfully Yahoo and GMail are for the time being still usable in that role.
Hotmail was actually useless *before* because it was so often hacked. Ask Leo! used to be swarmed, daily, by questions (and mean comments) from people whose accounts were hacked. Not only did they lose everything, but their reputations were often harmed by the activities of the hackers, and everyone in their contact list was mercilessly spammed. Those complaints are pretty much gone now. So you choose: previously, if a person did not set up their security and recovery options correctly, they were hacked. Today, if a person does not set up their security and recovery options correctly, they are inconvenienced while traveling. Either way, the responsibility is on each account user to set up their account properly.
I did not praise them for their solution. I pointed out that their (bad) solution is attempting to solve a real and serious problem.
“A best practice for security questions and answers, by the way, is to have answers that have no relationship to the question. Your mother’s first name may be “Orange” and that is completely nonsensical but they don’t care as long as you can provide the right answer to that question if it gets asked to you in the future.”
I don’t like this suggestion because it is easier to remember the truth rather than a “creative” answer. My memory certainly isn’t getting any better with age.
“I don’t like this suggestion” – Nor do I, for a number of reasons: 1) It isn’t necessarily more secure (see the link I posted previously); 2) security questions are simply used to send password reset emails so, unless somebody also has access to your device/email account, it really doesn’t matter whether or not they know the answers to the questions; and 3) perhaps most importantly, you could find yourself unable to regain access to an account if you forget both the password and the fake answer to the security question.
I don’t have to remember my fake answers – I store them in my password manager.
Ray Smith: Security questions aren’t always just for sending password reset emails – and I am much less bothered by the ones that do use them this way. I always use a random password as my answer, because some web sites still use these answers to allow direct access to your accounts, which I consider to be an inexcusable security risk.
“I don’t have to remember my fake answers – I store them in my password manager.” – Which, of course, isn’t without risk either:
http://arstechnica.com/security/2015/11/hacking-tool-swipes-encrypted-credentials-from-password-manager/
I use LastPass
LastPass has had problems too:
http://arstechnica.com/security/2015/06/hack-of-cloud-based-lastpass-exposes-encrypted-master-passwords/
To be clear, I’m not suggesting that people don’t use a password manager; I’m simply making the point that every system is potentially vulnerable and there’s no such thing as perfect security. It’s all about balancing risks….
That problem for LastPass wasn’t really a problem if one had a very secure master password, which I have. I did not change any passwords after that hack.
Like the other poster said, I’m not trying to eliminate risk. I’m just trying to reduce it while being convenient for me to be productive. And I do think that putting security questions in LastPass is much less risky than making up things that I may not remember.
@Samir To be clear, I’m not knocking LastPass. It’s a solid product that works well and the company’s response to that security incident was excellent. I’m simply making the point that no software is 100% safe and secure.
The question here, however, is not whether you should store fake answers to security questions in a password manager; it’s whether using fake answers instead of real answers makes you more secure. And I don’t think it does. Let’s pretend you’re a bad guy and learn that my mother’s name was Cholmondeley-Bennett and that my first pet was called Genghis. In fact, let’s pretend that you also learn my home address and that I bank with Credit Suisse. Where does that information get you? The answer is nowhere. There’s absolutely nothing you can do with it.
Using fake answers doesn’t make you more secure; it simply makes it more likely that you’ll encounter account-access problems.
Of course – but that is a different topic altogether. I do believe that the risk of using a password manager is less – and more manageable – than the risk of not using one. Nothing is 100%, you just try to stay informed and do the best you can. Thank you for the link.
“I do believe that the risk of using a password manager is less – and more manageable – than the risk of not using one.” – Maybe, maybe not. I’m presently able to remember complex passwords quite easily and, obviously, this is the most secure option. However, should my aging brain shrink to the point that I’m no longer able to remember complex passwords, then I’ll either have to stop using complex passwords or start using a password manager – and the password manager would obviously be the more secure option.
Security is all about establishing which mechanisms enable you to best manage risk. And that’s not going to be the same for everybody.