Why You Need to Lie to be Secure

When you sign up for a new site that requires a logon with a password, it generally asks you to answer one or more security questions in case you forget your password. These questions are simple ones like “What was the name of your first pet?”, “What street did you live on when you were growing up?”, “What city were you born in?”, or “What month were you born?”. The idea is that if you forget your password, you answer the security question and the site resets your password and lets you in.

This is how Twitter was hacked last month and how someone gained access to Sarah Palin’s Yahoo email account last year. More and more people are joining social sites like Facebook and Twitter and posting personal information. Because the Internet doesn’t forget, this information is pretty easy to find by anyone willing to take the time to look.

This is why you should lie when you answer these simple “security questions.” Having a strong password is not enough if you answer a weak security question. Some sites allow you to pick your security question or even make up your own. What I find disturbing is the number of sites asking the same security questions (e.g. “What city were you born in?”). You can lie and give them a wrong answer, but then you have to remember that answer if you ever need to reset your password. If you use multiple sites and they all ask the same question, you should answer each one differently, in case one of the sites is hacked and the security question answers are stolen. Now the problem is worse, because you need to remember two lies.

I use both a Mac and a PC and have password programs for both machines. I make sure that I use a unique and strong password for every site that requires a logon so I really have no need for the security questions that some sites require. In fact, I wish I could disable the ability to have the correct answer to a security question reset my account. My password programs can generate and store away my logon information so I never run into the case of not having that information available (unless I forget my password logon information).
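The approach above (a different made-up answer for every site, stored where the password program keeps the rest of the logon data) as an added example, not code from the original post or from any password program; the word list, the vault format and the site names are constructed for illustration:

```python
"""Per-site fake security-question answers, kept in a small vault."""
import json
import math
import secrets

# Constructed word list for building answers; any list works, bigger is better.
WORDS = ["anvil", "basil", "cobalt", "delta", "ember", "fjord", "glider", "harbor",
         "iris", "jasper", "kelp", "lumen", "mango", "nickel", "onyx", "pepper",
         "quartz", "raven", "saffron", "tundra", "umber", "velvet", "walnut", "xenon",
         "yarrow", "zephyr", "amber", "birch", "cedar", "dune", "elm", "flint"]


def random_answer(words=4):
    """Build an answer nobody can look up: random words drawn with secrets."""
    return "-".join(secrets.choice(WORDS) for _ in range(words))


def entropy_bits(pool_size, picks=1):
    """Bits an attacker must guess: `picks` independent choices from `pool_size`.

    A truthful "What month were you born?" has a pool of 12 (about 3.6 bits);
    four words from a 32-word list give 20 bits, and a larger list gives more.
    """
    return picks * math.log2(pool_size)


def register_answer(vault, site, question):
    """Return the stored answer for (site, question), creating one if new.

    The key includes the site, so the same question on two sites gets two
    different lies, and a breach at one site does not expose the other.
    """
    key = f"{site}|{question}"
    if key not in vault:
        vault[key] = random_answer()
    return vault[key]


def dump_vault(vault):
    """Serialise the vault (in practice this lives inside the password program)."""
    return json.dumps(vault, sort_keys=True)


def load_vault(text):
    """Restore a vault produced by dump_vault."""
    return json.loads(text)
```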

I can understand why you would need a way to reset your password if you are trying to log on to an email account, but I don’t understand why other secure sites do it that way. A number of sites have a “Forgot your password” feature that sends your password to the email account you used when you first created the account. As long as you keep your email account safe (strong, unique password and a non-searchable answer to the security question), don’t give out your password information, and don’t click on unknown links in emails, you should be fine.

More and more of our lives are spent online, which means we depend on it more and more for passing around sensitive information. Leaving backdoor access open at one site can mean a breach in the entire chain. In the case of Twitter, a hacker was able to guess the security question on an employee’s Gmail account, which opened the door to gaining access to Twitter. This should be a wake-up call for everyone to think about their own online security.

73’s, Tom