The difference between secure computing and falling victim to online fraud or identity theft often comes down to a dozen or so keystrokes: your password and answers to those security questions that websites figure only a real user would know.
In the second of two parts , Scam Alert explores problems with commonly used security questions, and how to create answers to bolster online security. In part one, we looked at ways to create stronger log-in passwords.
To add an extra layer of online security and verify a legitimate user who has forgotten a password, many websites now require answers to “secret” questions.
Obviously, the classic “what’s your mother’s maiden name?” is a poor choice, since a skilled hacker can find the answer at government offices that post birth records and marriage licenses online.
But what about other common offerings: Your pet’s name? Your favorite color? The make or model of your first car? The city where you were born, street where you lived, or name of your high school?
Although you may feel secure with such security questions, a recent study by Microsoft Research indicates that answers to such questions are quickly and easily guessed 17 percent of the time.
Consider the math
• Most people use one of eight choices for their favorite color.
• The 15 most common street names are numbers between First and Eighth, or the names of trees (Oak, Pine, Maple, etc.)
• For hometowns, there are 20 extremely popular answers—the 10 largest cities or the 10 most common town names: Fairview, Midway, Oak Grove, Franklin, Riverside, Centerville, Mount Pleasant, Georgetown, Salem and Greenwood.
• Your high school’s name? A quick check of registrants on Classmates.com can reveal that.
• Lists of popular pet names, such as Max, Buddy and Molly, are widely publicized, and any pet name that is known in your neighborhood can be learned by a hacker.
So how can you really boost security when given a menu of weak secret questions?
Invent obscure answers
Websites have no way of really knowing where you were born or your childhood street. So if you choose a geographic question, choose a bogus or altered answer that’s easy to remember:
• Pick the hometown of a relative instead of your own.
• Use symbols and numbers, such as “At3lan&ta” as opposed to “Atlanta.”
• Make it up: Zebulon or Funkytown aren’t foolproof, but they are harder to guess than Cleveland or Seattle.
• Instead of using your childhood street name, use that of your grade-school best friend who lived on the next block.
• Instead of picking “orange” as your favorite color, use “cantaloupe,” “melon madness,” “autumn dusk” or other hacker-resistant hues. For inspiration (and an easy-to-file answer), get a free sheet of “color chip” samples in the paint department of your local home improvement center.
Try to pick your own question
Some, but not all, websites allow you to choose your own secret questions. Here are some good ones, according to Mark Burnett, an online security expert and author ofHacking the Code:
• What were the first and last names of your first boyfriend or girlfriend? (Avoid current spouses.)
• What was the phone number in your childhood home? (Unless it’s also your current number.)
• What was your favorite place to visit as a child? (A museum or zoo is stronger than a vacation spot.)