Saturday 7 December 2013

The Security of our Security Questions and Passwords

The use of security questions began in the early 20th century, when banks adopted them to supplement customer signature records. Account-opening forms provided space for details such as 'mother's maiden name' or 'place of residence', on the assumption that nobody outside the customer's close circle would know the answer, so a moderate level of assurance could be expected from the process. The practice later spread across the internet, first to email accounts and social media, and then to exam registrations and job application portals. Wherever there is a password, there is usually a security question alongside it.

Today, however, security questions have become one of the weakest links in account security, mainly because few people know what makes a good security question. A security question only protects the account if the answer is protected as well, and most answers are not. While awareness of cyber security is higher in the western world, India has a lot of ground to cover, especially given its skyrocketing number of internet users. This is a major area of concern, and strong measures are urgently needed to protect internet users against spam, cheating and fraud.

To understand account security in detail, it helps to know how an account gets hacked (ethically, against your own accounts). Once you have tried it, you know which steps an attacker takes and therefore which steps defend against them. The best defenders are often those who know what it takes to break in: they know which kinds of passwords and security questions make the job hard, and they know the relative strengths and weaknesses of different providers' recovery flows. For example, many say that a Gmail account is easier to hack than a Yahoo account.

I stumbled upon this field by accident a few years ago. It was a time when almost everything I read dealt with hacking in one way or another. I also had a relative working in cyber forensics, who would tell me how easy it is to hack an account unless one is very careful. I found it fascinating, and I started wondering how difficult it would be for someone to hack my account if he tried. Obviously, I knew and still know nothing about professional hacking. But I wanted to know how an amateur with no technical knowledge hacks an account.

Security Questions

That was when I started my experiments. I had a Google account, and I clicked the 'forgot your password' link. It led me to a screen asking me to answer my security question. At the time, the security question was only offered if the account had not been used for a minimum number of days, usually a week, and since I had not connected my account to my mobile number, the security question was the only way to reset the password. My question was a simple one. Even someone who didn't know me could have answered it without much effort. The moment you answer the security question, the 'reset password' option appears. That is what makes the security question such an important aspect of account security.

I was curious about what kinds of security questions my friends had. It was amusing, and I learnt quite a lot about the security of security questions. Some of the questions were very silly, some were easy to answer, and only a very few were smart.

Here are a few security questions I encountered:
·         ‘Birth place’, ‘Hometown’ and the like
·         ‘Phone number’
·         ‘Favourite teacher at school’, ‘Best Friend at school’ etc
·         ‘Favourite book’, ‘Favourite cartoon’, ‘Favourite movie’ etc.
·         ‘Mother’s maiden name’, ‘Father’s name’ etc
·         ‘Favourite character in the Harry Potter Series’ etc.

In this digital age, the answers to these questions are not hard to find even for a complete stranger, because most of this information is already on social media profiles. Birthplace, hometown, school and family names are typically public, and 'favourite' questions have a small set of popular answers. It is just a matter of trial and error.

Like many things done with good intentions, security questions can backfire. A user typically gets five or so attempts in one go. That is convenient for someone who half-remembers their own answer, but it is a blessing for someone guessing their way into an account. Yahoo had a two-level check, with two questions to answer, which makes guessing correspondingly harder. Since passwords need careful protection, Gmail too should have had multi-level verification. A single question keeps things from becoming cumbersome for the user, but it also makes the attacker's job easy.
[Image: Tricking a person into revealing security questions]

The lessons I learnt during these experiments had a significant impact on the way I set my security questions afterwards. Since then, I have used different security questions but the same answer for all of them. For example, my security question may be as simple as 'What is your name?', but the answer is in no way related to the question. I have a standard answer for all security questions. My relative says this is the better way of handling security questions because it puts amateur hackers off. It also eliminates the need to note down the answer somewhere.

Having one standard, unrelated answer for every security question is one way of doing things, but it has a cost: many sites store security answers in plain text, so a single leaked database exposes the shared answer for every account that uses it. The better method is to treat each security answer as a second password: unrelated to the question, not derivable from anything posted on social media, different for each account, and known to no one else (except perhaps a trusted few). Answers you will not remember still have to be recoverable, so if you use different answers for different accounts, record them in a password manager or another secure store rather than falling back to ones that are easy to guess.
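As an added example, not part of the original post, here is how a site could handle security answers on its side so that the precautions above are not left entirely to the user: the answer is normalized and hashed like a password, an answer that already appears in the user's own profile is refused at enrolment, and the attempt budget is enforced per account rather than per browser session. The profile fields, the five-attempt limit and the PBKDF2 iteration count are assumptions for illustration.

```python
"""Added example (not from the original post): server-side handling of a
security answer, treating it like a second password. Names, the 5-attempt
limit and the iteration count are assumptions for illustration."""
import hashlib
import hmac
import os
import re
import unicodedata

MAX_ATTEMPTS = 5          # matches the "5 attempts or so" the post describes
PBKDF2_ITERS = 100_000    # assumption: tune so one check costs ~50-100 ms on the server


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so "St. Mary's " and "st marys" compare equal.

    Normalizing before hashing lets the legitimate user be sloppy with case,
    punctuation and spacing; it removes almost no entropy, because the
    answers themselves rarely rely on those details.
    """
    s = unicodedata.normalize("NFKC", answer).casefold()
    s = re.sub(r"[^\w\s]", "", s)      # drop apostrophes, dots, hyphens ...
    return " ".join(s.split())         # collapse runs of whitespace


def answer_looks_public(answer: str, profile: dict) -> bool:
    """Reject an answer that already appears in the user's own profile fields
    (hometown, school, pet name ...), i.e. the data the post notes is on
    social media. Substring matching is deliberate: 'marys' is as guessable
    as the full school name."""
    norm = normalize_answer(answer)
    return any(norm and norm in normalize_answer(str(v)) for v in profile.values())


def enroll_answer(answer: str, profile: dict) -> dict:
    """Store only a salted, slow hash of the normalized answer, never the text."""
    if answer_looks_public(answer, profile):
        raise ValueError("answer is discoverable from the user's public profile")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, PBKDF2_ITERS)
    return {"salt": salt, "hash": digest, "failures": 0}


class LockedOut(Exception):
    """Raised once the attempt budget is spent; recovery must fall back to another channel."""


def check_answer(record: dict, attempt: str) -> bool:
    """Constant-time comparison with a persistent failure counter.

    The counter lives in the stored record (per account, not per session),
    so an attacker cannot reset it by reloading the page.
    """
    if record["failures"] >= MAX_ATTEMPTS:
        raise LockedOut("too many failed attempts")
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(attempt).encode(),
                                 record["salt"], PBKDF2_ITERS)
    ok = hmac.compare_digest(digest, record["hash"])
    if ok:
        record["failures"] = 0
    else:
        record["failures"] += 1
    return ok


# Constructed sample profile for a stand-alone run.
PROFILE = {"hometown": "Kochi", "school": "St. Mary's High School", "pet": "Bruno"}

if __name__ == "__main__":
    rec = enroll_answer("Violet Teacup", PROFILE)      # unrelated to any question, as the post suggests
    print(check_answer(rec, "  violet  TEACUP "))      # normalization absorbs case and spacing
    for _ in range(MAX_ATTEMPTS):
        check_answer(rec, "kochi")                      # wrong guesses burn the budget
    try:
        check_answer(rec, "Violet Teacup")
    except LockedOut as e:
        print("locked:", e)                             # even the right answer is now refused
```

The lockout is the server-side counterpart of the "five attempts" the post complains about: once the budget is spent, the correct answer no longer helps, and recovery has to go through another channel such as a registered phone number.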

Having a strong password is even more important. We are often asked to use at least one uppercase letter (A, B, C …), one lowercase letter (a, b, c …), one digit (1, 2, 3 …) and one special character (#, $, @, % …). The password should also not resemble the username or the site name, because those are among the first things automated guessing programs try. Above all, passwords should be long, and different for each account and website, as far as possible. Length adds more strength than character variety: each extra character multiplies the attacker's work, whereas a mandatory symbol usually ends up as a predictable '!' at the end.

This is because programs exist to crack passwords through automated guessing. That is also why, after several failed attempts, we are asked to prove we are not a robot by typing the distorted characters shown in a CAPTCHA image. These programs do not only try every combination of lowercase letters, then uppercase letters and so on (brute force); they start from wordlists of common passwords and apply predictable variations such as capitalizing the first letter or appending '1' or '!'. Mixing character classes does enlarge the space a brute-force program has to search, but a password built from a common word plus a digit and a symbol is still found within a few thousand guesses. Against a live login, rate limiting and CAPTCHAs slow guessing to a crawl; against a leaked database of unsalted hashes, an attacker can test billions of guesses per second, and only length and unpredictability help.


[Image: RockYou password creation]
This is not all. There are countless occasions when things have gone wrong in the cyber world. In December 2009, a social application website named 'RockYou' suffered a breach that exposed over 32 million user accounts. Its security was lax on every level: passwords only had to be five characters long, with no requirement to mix uppercase, lowercase, digits or special characters, and the database stored every password in plain text, so the attackers, who got in through a SQL injection flaw, walked away with the passwords themselves rather than hashes. The episode is often referred to as the 'RockYou hack', and the leaked list has since become a standard wordlist fed to password-cracking tools, which is why the weak habits it revealed still matter. Many other websites have faced similar situations, usually due to a lack of basic security measures.
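To make the two points above concrete, the "programs that try combinations" and the RockYou plain-text store, here is an added example in Python (mine, not code from the original post or from RockYou). It shows what a cracking program actually does with a leaked wordlist, how a password that satisfies every complexity rule falls in a few dozen guesses when the database held unsalted fast hashes, and what a site should have stored instead. The wordlist, the mangling rules and the iteration count are constructed for illustration; a plain-text store like RockYou's needs no cracking at all, since the dump is the password list.

```python
"""Added example (not from the original post): why the RockYou plain-text
database was catastrophic, and why a password that satisfies every
complexity rule can still fall in a few dozen guesses. The wordlist,
mangling rules and iteration count are constructed for illustration."""
import hashlib
import hmac
import math
import os

# Constructed stand-in for a leaked wordlist. Real attackers feed the
# 32-million-entry RockYou dump itself into their tools.
WORDLIST = ["password", "iloveyou", "princess", "rockyou", "monkey", "sunshine"]


def mangle(word):
    """The predictable edits people make to satisfy complexity rules; cracking
    tools apply thousands of such rules to every word in the list."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "1!", "2013"):
        yield word + suffix
        yield word.capitalize() + suffix
    yield word.replace("a", "@").replace("o", "0")


def candidates():
    for word in WORDLIST:
        yield from mangle(word)


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def nominal_bits(password):
    """Entropy the password *appears* to have if it were random over the
    character classes it uses (the assumption behind complexity rules)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return round(len(password) * math.log2(size), 1)


def crack_unsalted_md5(target_hex):
    """Dictionary attack on an unsalted fast hash: the attack run against a
    leaked database that at least hashed. Returns (password, guesses) or
    (None, guesses)."""
    guesses = 0
    for cand in candidates():
        guesses += 1
        if md5_hex(cand) == target_hex:
            return cand, guesses
    return None, guesses


# The defensible alternative: a per-user random salt and a deliberately slow KDF.
PBKDF2_ITERS = 200_000   # assumption: the largest value your login latency budget allows


def store_password(password):
    salt = os.urandom(16)
    return {"salt": salt, "iters": PBKDF2_ITERS,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)}


def verify_password(record, attempt):
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], record["iters"])
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    pw = "Princess1!"   # upper, lower, digit, symbol: passes a typical policy
    print(nominal_bits(pw))                         # 65.7 bits if it were random
    print(crack_unsalted_md5(md5_hex(pw)))          # ('Princess1!', 36)
    rec = store_password(pw)
    print(verify_password(rec, pw), verify_password(rec, "princess1!"))
```

The salt makes every user's hash unique, so one wordlist pass no longer covers the whole database, and the iteration count turns billions of guesses per second into thousands; neither helps a password that is on the wordlist in the first place, which is the post's point about choosing long, unpredictable passwords.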



[Image: captcha codes]
Today, almost anything can be attacked because technology has grown by leaps and bounds. Even CAPTCHA codes, which were designed so that only humans could decode them, are under threat. Artificial intelligence is developing at a breakneck pace, and for many text-based CAPTCHA designs, computer programs now read the distorted characters more reliably than humans do. Once a program can pass the CAPTCHA, it has as many attempts at a password as the site's other rate limits allow, which is why a CAPTCHA is a speed bump, not a defence on its own.

There are also ways to capture the characters we type into our smartphones. Each character is briefly displayed as it is entered, and programs have been developed to read it from video taken at a distance. Keylogging is one of the oldest techniques for stealing passwords: a keylogger is malware installed on the victim's device that records every keystroke. Today, many online banking services offer a virtual on-screen keyboard for entering passwords, which defeats keyloggers that hook the physical keyboard; malware that also captures the screen or mouse clicks is not stopped by this, so the virtual keyboard is only a partial mitigation. Users need to be educated about all these threats so that they can create strong passwords and protect them (nothing is ever completely foolproof).

Thus, it is very important to be aware of cyber security and cyber forensics to make sure that we do not become victims of hacking, phishing and the like. There is a lot we can learn by ourselves in this field from the resources available online. We need to educate ourselves and spread awareness within our own circles. Much remains to be done here, because nearly everything is now done through the internet. Choosing security questions well and setting passwords well are skills that everyone needs to master.





PS: 
1) I guess there is a potential risk of misuse of the information I have provided here. I can only expect you to act responsibly. If you feel like I should remove this post because it may be misused, please let me know. :)

2) Whatever little I have written here is based on my own experiences, incidents I have heard about and articles I have read. If there is any factual error or any modification to be made, please let me know.
