Online security: The password-recovery questions you should be answering


Q. What security questions should we ask of our employees to confirm the identity of those employees digitally changing their login passwords?

A. In 2008, a 20-year-old college student broke into the Yahoo! email account of then vice presidential candidate Sarah Palin by answering her password-recovery questions; Google searches were enough to find her ZIP code, birthdate, and where she met her husband. Today, with so much personal information posted on social media, many common security questions are far weaker than they once were. Some of the more common security questions whose answers can often be found on a person's social media pages include the following:

I think we've reached a point at which organizations and individuals need their security questions to produce more formidable hurdles for would-be hackers. The challenge for organizations is to not make the security questions so difficult that users are unable to remember their answers later. To be useful, a better security question should:

Given the above suggested criteria, you might try to come up with more challenging security questions that have answers not typically revealed on social media, such as the following:

Still, the problem with all security questions, no matter how difficult they are, is that they are designed to be easier to use than passwords: the question itself is supposed to trigger your memory, which means the answer is drawn from a small space of facts that someone else can research or guess. To counter the simplistic questions administrators often ask, end users can protect themselves further by providing random answers that cannot be researched or guessed. In effect, I am suggesting that your answers be more random so they act more like a password. For example, instead of providing your mother's actual maiden name, you might provide the made-up name Aphrodite1234!, which resembles a password more so than a name. While this approach may defeat the purpose of simpler security questions, it probably would result in greater security. Because such an answer behaves like a password, it also needs to be handled like one: record it in a password manager rather than memory, and expect the organization to store it hashed rather than in plain text and to limit the number of recovery attempts.
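The following Python script is an added example, not part of the original column or of any product it describes. It shows both halves of the "treat the answer like a password" idea: generating a random, unresearchable answer for the user, and on the organization's side storing that answer as a salted PBKDF2 hash, comparing it in constant time after normalizing case and whitespace (so "Saint Paul" and "saint  paul" match without the plain text ever being stored), and locking the recovery flow after a few failed guesses. The word list, the PBKDF2 parameters, and the `RecoveryGate` attempt limit are assumptions chosen for the example; they are not taken from the column.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

# Constructed word list for the example; a real deployment would use a
# large diceware-style list so each word contributes meaningful entropy.
WORDS = [
    "aphrodite", "granite", "saffron", "lantern", "quartz", "meadow",
    "copper", "harbor", "juniper", "kestrel", "marble", "nimbus",
    "orchid", "pumice", "raven", "sable", "tundra", "velvet",
]


def random_answer(nwords: int = 3, digits: int = 4) -> str:
    """User side: a passphrase-style answer with nothing researchable in it.

    Three words from the list plus four digits; the user stores this in a
    password manager, exactly as they would a password.
    """
    words = [secrets.choice(WORDS) for _ in range(nwords)]
    suffix = str(secrets.randbelow(10 ** digits)).zfill(digits)
    return "-".join(words) + suffix


def normalize(answer: str) -> str:
    """Fold case, accents (NFKC) and runs of whitespace before hashing.

    Users rarely retype a memorable answer character-for-character, so the
    server normalizes before hashing; it never stores the normalized text.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, iterations: int = 600_000) -> dict:
    """Server side: salted PBKDF2-HMAC-SHA256 record, as for a password.

    Iteration count is an assumed example value; tune it for your hardware.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, iterations
    )
    return {"salt": salt.hex(), "iter": iterations, "hash": digest.hex()}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the hash of the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize(candidate).encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iter"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


class RecoveryGate:
    """Limits guesses at a recovery answer; answers are weaker than
    passwords, so an attacker must not get unlimited tries (assumed
    per-account limit; a real system would also persist this state)."""

    def __init__(self, record: dict, max_attempts: int = 3) -> None:
        self.record = record
        self.max_attempts = max_attempts
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_attempts

    def attempt(self, candidate: str) -> bool:
        """Return True only for a correct answer on an unlocked account."""
        if self.locked:
            return False
        if verify_answer(self.record, candidate):
            self.failures = 0
            return True
        self.failures += 1
        return False


if __name__ == "__main__":
    answer = random_answer()          # e.g. "kestrel-orchid-granite0417"
    record = hash_answer(answer)      # what the organization stores
    print("generated answer:", answer)
    print("stored record:", record)
    print("verify correct:", verify_answer(record, answer))
    print("verify wrong:  ", verify_answer(record, "Smith"))
```

The normalization step is deliberately narrow: it makes the stored hash tolerant of capitalization and spacing but not of spelling variants, which would require keeping a list of acceptable answers and hashing each one. Lowering the iteration count makes the check faster but also cheaper for an attacker who obtains the database, so treat it as you would a password hash parameter.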

About the author

J. Carlton Collins (carlton@asaresearch.com) is a technology consultant, a conference presenter, and a JofA contributing editor.

Submit a question

Do you have technology questions for this column? Or, after reading an answer, do you have a better solution? Send them to jofatech@aicpa.org. We regret being unable to individually answer all submitted questions.

