Choosing Good Security Questions

Ryan Jones on February 4th, 2008

One of the most common ways to “hack” into somebody’s account actually doesn’t involve hacking at all. The easiest method is simply to learn some information about them and then use the “forgot username” and “forgot password” features that many sites now offer.

Implemented wrongly, these features are a serious security liability. The right way is to ask the question and, if the answer is correct, send an email with password reset instructions: a link carrying a random, single-use, time-limited reset token, but never the password itself. The wrong way is to validate the user and then simply tell them their password. A site that can do that is storing passwords in plaintext (or reversibly encrypted), so a leak of its database exposes every account, not just the one being reset.

Why does it matter? Because in the wrong design the question is the only thing standing between a stranger and your account, and most security questions are easy to figure out: if I know a little bit about you, I can answer them.
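The two designs side by side, as an added example that is not code from the original post. The accounts, email addresses and the `example.invalid` reset URL are constructed sample data, and the iteration count, 15-minute link lifetime and five-guess limit are assumptions chosen for illustration. The wrong flow can only return the password because it kept a plaintext copy; the right flow stores only salted hashes, emails a single-use token, keeps only a hash of that token, and, because security-question answers are low-entropy, caps the number of wrong guesses per account.

```python
import hashlib
import hmac
import os
import secrets
import time

# Added example, not the post's own code. Every account below is constructed.
RESET_TTL = 15 * 60      # assumption: reset links expire after 15 minutes
MAX_ATTEMPTS = 5         # assumption: answers are guessable, so cap attempts
OUTBOX = []              # stands in for the mail transport


def slow_hash(value: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 so a leaked database does not give up answers."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


def normalise_answer(answer: str) -> str:
    """'Springfield ' and 'springfield' are the same answer to a human."""
    return " ".join(answer.lower().split())


def make_user(email, password, question, answer, keep_plaintext=False):
    pw_salt, ans_salt = os.urandom(16), os.urandom(16)
    user = {
        "email": email,
        "question": question,          # chosen by the user, stored per account
        "answer_salt": ans_salt,
        "answer_hash": slow_hash(normalise_answer(answer), ans_salt),
        "password_salt": pw_salt,
        "password_hash": slow_hash(password, pw_salt),
        "failed_answers": 0,
    }
    if keep_plaintext:
        user["password"] = password    # only the wrong flow needs this copy
    return user


def check_answer(user, answer) -> bool:
    if user["failed_answers"] >= MAX_ATTEMPTS:
        return False                   # locked: too many wrong guesses
    ok = hmac.compare_digest(
        user["answer_hash"],
        slow_hash(normalise_answer(answer), user["answer_salt"]))
    user["failed_answers"] = 0 if ok else user["failed_answers"] + 1
    return ok


def reset_wrong(store, username, answer):
    """The wrong way: validate the answer and hand back the password.
    Only possible because the site kept the password in plaintext."""
    user = store.get(username)
    if user and check_answer(user, answer):
        return user["password"]
    return None


def request_reset(store, tokens, username, answer, now=None):
    """The right way: validate the answer, then email a single-use link."""
    now = time.time() if now is None else now
    user = store.get(username)
    if user is None or not check_answer(user, answer):
        return False     # same response for unknown user and wrong answer
    token = secrets.token_urlsafe(32)
    # store only a hash: a leaked table must not yield usable reset links
    tokens[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": username, "expires": now + RESET_TTL}
    OUTBOX.append((user["email"],
                   "https://example.invalid/reset?token=" + token))
    return True


def redeem_reset(store, tokens, token, new_password, now=None):
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    record = tokens.pop(key, None)     # pop: the link works exactly once
    if record is None or now > record["expires"]:
        return False
    user = store[record["user"]]
    user["password_salt"] = os.urandom(16)
    user["password_hash"] = slow_hash(new_password, user["password_salt"])
    return True


def login(store, username, password) -> bool:
    user = store.get(username)
    return bool(user) and hmac.compare_digest(
        user["password_hash"], slow_hash(password, user["password_salt"]))


if __name__ == "__main__":
    store = {"ryan": make_user("ryan@example.invalid", "blink182",
                               "Last 3 words on page 15", "of the republic")}
    tokens = {}
    print("request:", request_reset(store, tokens, "ryan", "Of The Republic"))
    link = OUTBOX[-1][1]
    tok = link.split("token=")[1]
    print("redeem:", redeem_reset(store, tokens, tok, "a much longer passphrase"))
    print("reuse:", redeem_reset(store, tokens, tok, "again"))
```

Note that `request_reset` returns the same `False` for an unknown username and a wrong answer, so the reset form cannot be used to enumerate accounts, and the token never goes back to the requester, only to the address on file.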

What makes a good security question? It's not just about information that few people know; it's about information that nobody can look up.

Some of the most common questions are “What is your high school mascot?” “What city were you born in?” “What’s your favorite pet’s name?” “What was your first street name?” “What was your first phone number?” and “What is your company’s street name?”

The problem with these questions is that they’re all easily answered on my MySpace page. Birth information is public record - it can easily be looked up. So can my previous addresses, phone number, and where I work. It’s all out there somewhere on the internet.

Better questions are things like “What is your frequent flyer number?” or “What are the last 4 digits of your credit card number?” But even these fail. Many people other than me know my FF number, including my secretary, airline attendants, and TSA employees. The last 4 of your credit card won’t work either, since many sites list them as a way to identify transactions.

So what do you do? Simple: Let the user choose their own question.

A good question should be something that can’t be guessed or looked up, doesn’t change over time, and is easy to remember.

As a user, you should choose something that nobody can easily figure out. My favorite question is “What is your favorite prime number?” Another great one I use is something like “Last 3 words on page 15.” It’s useless to you unless you know what book I’m talking about. You could even use a Bible here, since there are so many versions in print that it’s almost impossible somebody else will have the same one as you. Another one I once used was “What’s my cell phone serial number?” It’s clearly printed on the back of my phone, and always in my pocket if I should need it. (Just remember to update your question if you get a new cell phone!)

Whether you’re implementing this feature on a website, or simply choosing your own security question - don’t pick something that others can easily guess or look up about you.

Keeping Your Accounts Secure

Ryan Jones on January 30th, 2008

What’s your password? Shh! Don’t tell me, just think about it for a second. Do you recognize it in this list:

  • password
  • 123456
  • qwerty
  • abc123
  • letmein
  • monkey
  • myspace1
  • password1
  • blink182
  • (your username)

If so, please stop reading and go change it (but don’t forget to come back here!)

The list above is the top 10 MySpace passwords according to PC Magazine; add the four the film Hackers made famous (love, sex, secret, and god) and there’s a good chance we’ve guessed one of yours.

So why am I talking about passwords? It’s because I just had one of my email accounts cracked. The cracker then used my email account to gain access to other accounts of mine on different websites. All in all, it took a long time to repair what little damage they did; and it would have been a lot harder if I hadn’t caught it before they locked me out of my email account.

Don’t let somebody steal your online accounts. Here are some tips you can follow to make sure your accounts are secure:

  • Don’t use the same login on multiple sites
  • Don’t use the same email for all your accounts
  • Use different passwords on every site
  • Make your passwords secure. If you need help generating one, try this tool (you don’t have to use all 63 characters.) Another great technique is to think of a mnemonic like “four score and seven years ago” and turn it into a password like “4Sa7Ya” (just don’t use that one: it comes from a famous phrase, and six characters is far too short; pick a long phrase of your own).
  • Change your passwords at least once a month, and immediately if you suspect one has been exposed.
  • Don’t give your passwords to anybody, and don’t type them into untrusted websites.
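A small checker that applies the tips above, as an added example rather than code from the post. It reproduces the post's top-10 list (the “your username” entry is handled as a separate check), flags passwords that are only a listed word with a digit or punctuation tail bolted on, derives the post's “4Sa7Ya” from its mnemonic phrase to show how short the result is, and generates a random per-site password with `secrets`. The 12-character minimum and the `ryan` / `myspace` sample inputs are assumptions for the example.

```python
import re
import secrets
import string

# Added example, not the post's own code. The set below is the MySpace top-10
# quoted in the post; "your username" is checked separately.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "abc123", "letmein",
    "monkey", "myspace1", "password1", "blink182",
}
MIN_LENGTH = 12          # assumption for the example


def _variants(password: str) -> set:
    """Forms a guesser would try: as typed, minus a punctuation tail, and
    minus the trailing digits people add to a dictionary word."""
    low = password.lower()
    return {low,
            re.sub(r"[^a-z0-9]+$", "", low),   # "blink182!" -> "blink182"
            re.sub(r"[^a-z]+$", "", low)}      # "password1" -> "password"


def password_problems(password: str, username: str = "", site: str = "") -> list:
    """Return the tips this password violates; an empty list means it passes."""
    problems = []
    low = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if _variants(password) & COMMON_PASSWORDS:
        problems.append("common password")
    if username and username.lower() in low:
        problems.append("contains username")
    if site and site.lower() in low:
        problems.append("contains site name")
    return problems


NUMBER_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
                "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}


def mnemonic_password(phrase: str) -> str:
    """The post's mnemonic scheme as read from its example: number words
    become digits, other words give their first letter with alternating case."""
    out, upper = [], True
    for word in phrase.lower().split():
        if word in NUMBER_WORDS:
            out.append(NUMBER_WORDS[word])
        else:
            out.append(word[0].upper() if upper else word[0])
            upper = not upper
    return "".join(out)


ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def generate_password(length: int = 20) -> str:
    """A random password for one site; a different call for every site."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    samples = ["password1", "Blink182!", "ryan2008",
               mnemonic_password("four score and seven years ago"),
               generate_password()]
    for pw in samples:
        print(pw, "->", password_problems(pw, username="ryan", site="myspace") or "ok")
```

Run as a script it shows that every password on the page's list, and the mnemonic derived from the famous phrase, fails at least one check, while a generated 20-character password passes all of them; the catch, as the post says, is remembering it, which is what a password manager is for.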

I know that secure passwords can be hard to remember, but that’s where Demoxi can help. Passwords you save in Demoxi are kept on your own computer, so there’s less risk of somebody hacking in. They’re also encrypted, so nobody will be able to read them without logging in to your Demoxi account on your computer.

Good luck.