What is your mother’s maiden name? What is the name of the street you grew up on? We’ve all read these questions logging into dozens of websites we access on a daily basis. They’re in place to secure our accounts, so in case we forget a password, we can reset it to something easily remembered … and, unfortunately, often easily discovered.
In this connected age, these security questions offer very little security. A criminal needn’t hack a thing to mine this kind of data. They simply have to look at your LinkedIn profile, your Instagram or Facebook page, or your website or blog. If you’re counting on privacy settings to keep the name of your favorite pet out of a criminal’s reach, you might want to think again.
Using these legal sources, it only takes a hacker minutes to discover your maiden name, family members, pets, current and former addresses, high school and its mascot, as well as current and past employment. And with a few more minutes and some not-so-legal research, he or she can retrieve personal information exposed by any past data breaches. (I think we all may have gotten that sheepish email from a company at least once.)
So while we all may have heard this before, is it really true? Color me skeptical. I mean, I know some of this information is out there, but wouldn’t it take a while to sort through? I asked a colleague who is a certified white-hat hacker to do a cursory search of my online information. And, believe it or not, he had access to all of the above personal information in less than 30 minutes.
Not only does this information give a pretty good idea of what a person’s password might be, but if a hacker can’t determine your password, they can readily use the answers to go in and reset it.
Thankfully, there are some steps you can take to protect yourself. You need to reconsider how you choose passwords and the answers to security questions. In short, make it up. When the bank wants to know your mother’s maiden name, use a false one. The next time you access your credit card website, go into your account settings and change the answer for the name of the street you grew up on. Choose answers you’ll remember, but that are distant enough from your life and online presence that they won’t be apparent.
And for the password itself, instead of picking a word, experts recommend picking a phrase. This can be a line of poetry, the title of a song or story, or a song lyric. In addition to the dissociation from typical password sources, the length alone makes it exponentially more difficult to guess. And if you’re absolutely unable to remember a different passphrase for each account, consider using a password manager. This will keep your passwords secure, and you’ll only have to remember the passphrase for the manager itself to gain access to the others.
So, in short, alter egos aren’t just for superheroes anymore. If you’ve always wanted to be someone else for a day, now’s your chance. Let your secret identity choose your passphrases and answer the recovery questions, and keep them just that, secret.