A Better Approach to Password Reset Questions

Remember when Sarah Palin’s email account was hacked in late 2008? Here’s what Wired said about it:

…the Palin hack didn’t require any real skill. Instead, the hacker simply reset Palin’s password using her birthdate, ZIP code and information about where she met her spouse — the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.

It’s far too easy to lose control of your accounts due to weak answers to “security questions”. In a recent study, 17% of the participants were able to guess answers to the “secret questions” of people they knew nothing about.

[Screenshot: Hotmail password reset questions]

Here’s how I respond to these questions now. Password resets are typically handled automatically via email or by talking with a person over the phone. So set up a strong system that will work well in either case.

First, get 1Password (or a similar password manager) to securely store and retrieve the questions and your answers. This eliminates the need to use easily remembered (and easily guessed) answers about yourself. For each entry in your password database, just put the questions and answers in the Notes field (or use custom fields):

[Screenshot: questions and answers stored in the 1Password Notes field]

Next, create an email account just for supporting password resets. This will greatly reduce the risk of someone resetting your password and intercepting the temporary new one. Here are some tips:

  1. Make sure the user name is not obviously connected to you but is easy to say over the phone in case you ever have to do that. Example: xa939@yahoo.com
  2. Choose a free email provider different from whatever you use now. Wikipedia has a concise list of providers you can browse.
  3. Beware: Many email providers will disable and delete your account if there is no use after as little as 30 days. Set a reminder on your calendar to log in 3 or 4 times per year.

Final tips:

  1. Make the answers easily pronounceable so you don’t confuse the poor customer service rep. Avoid using words that are difficult to spell.
  2. When choosing answers, try to be as random as practical. You can use a word generator to choose from several thousand words.
  3. For greatest efficiency, use words that are easy to say clearly over the phone. I like the Pretty Good Privacy (PGP) word list.
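Here is an added example (my own code, not part of the original post or of 1Password) that puts the last three tips together: it draws random answers from the PGP word list with the operating system's CSPRNG, alternating the even and odd halves the way PGP does, reports how many bits of guessing resistance an answer has, and checks that it is easy to spell over the phone. The word lists are a small constructed subset of the real 512-word PGP list; swap in the full lists to get the stated entropy.

```python
import math
import re
import secrets

# Constructed subset of the PGP word list. The real list has 256 two-syllable
# ("even") and 256 three-syllable ("odd") words; use the full lists in practice.
EVEN_WORDS = ["aardvark", "absurd", "accrue", "acme", "adrift", "adult", "afflict",
              "ahead", "aimless", "allow", "alone", "ammo", "ancient", "apple", "artist", "assume"]
ODD_WORDS = ["adroitness", "adviser", "aftermath", "aggregate", "alkali", "almighty",
             "amulet", "amusement", "antenna", "applicant", "Apollo", "armistice",
             "article", "asteroid", "Atlantic", "atmosphere"]


def generate_answer(word_count, even=EVEN_WORDS, odd=ODD_WORDS):
    """Draw words with the OS CSPRNG (never the `random` module), alternating the
    even and odd lists as PGP does so a dropped or repeated word is noticeable
    when the answer is read aloud."""
    lists = (even, odd)
    return " ".join(secrets.choice(lists[i % 2]) for i in range(word_count))


def entropy_bits(list_size, word_count):
    """Bits of entropy in `word_count` words each drawn uniformly from `list_size`
    candidates; with the full 256-word PGP halves that is 8 bits per word."""
    return word_count * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Fewest words from a list of `list_size` that reach `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


PHONE_FRIENDLY = re.compile(r"^[A-Za-z]+( [A-Za-z]+)*$")


def is_phone_friendly(answer, max_word_len=10):
    """Letters and single spaces only, no word longer than `max_word_len`, so the
    answer can be spelled to a customer service rep without ambiguity."""
    if not PHONE_FRIENDLY.match(answer):
        return False
    return all(len(word) <= max_word_len for word in answer.split(" "))


def check_answer(answer, even=EVEN_WORDS, odd=ODD_WORDS):
    """True if every word came from the expected alternating list (sanity check)."""
    words = answer.split(" ")
    return all(w in (even if i % 2 == 0 else odd) for i, w in enumerate(words))


if __name__ == "__main__":
    for question in ("Name of your first pet?", "High school you attended?"):
        answer = generate_answer(3)
        print(f"{question:28} {answer}  ({entropy_bits(256, 3):.0f} bits with full lists)")
```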

Don’t forget to change the questions at web sites where you’ve already answered!

Questions for you: Can you see yourself using stronger answers to password reset questions? Why not?