“Secret Questions” – Why you should lie until your pants catch fire

At some point all of us have probably forgotten a password, but luckily the site or service you need the password for has these magic password reset questions (also known as secret questions). These are questions that are meant to have simple answers that only you can remember, so you can be positively identified as yourself and not as an evil hacker trying to get access to your account. Password reset questions are often something like this:

◦ What is your mother's maiden name?
◦ What is the name of your first grade teacher?
◦ What is the name of your favorite football team?
◦ What is the name of your first pet?
◦ What was the name of the street where you grew up?
◦ … etc.

As you can see, they are questions that everybody should be able to remember the answer to. The thing is that these types of questions are a bit too simple and too easy. Since social media entered our lives, many of us have short bios available online for everyone to see, telling the world that you grew up in a cosy street called Evergreen Terrace, that your first pet was a puppy called Kerbero, and that you will never forget the loving Mrs Oswald you had as a teacher in first grade. In addition, you might also have a public profile on ancestry.com describing your lineage on both your mother's and father's side.

As you can see, many of the answers to these questions are available online with a little research, and for people who know what they are looking for it can be very easy to stitch together a list of plausible answers to the questions that are used as “safeguards” to identify you.

You can also find these types of questions in some of our own systems. A good example is the self-help function in the disk encryption tool used to protect the data stored on our company laptops. Even though there is a restricted number of attempts you can make before you need to call the service desk, some of the questions can easily be answered by someone else if they do some research into your profile on different social media sites.

So how can you avoid someone who has put some effort into researching your profile actually using that information to reset your passwords and gain access to your accounts? Well, I know your mother probably told you never to do this, but you could lie. Lie until your pants catch fire, because the important thing here is that the lie must be so good that you can remember it, so you can answer the questions correctly. If possible you should consider not relying on password reset questions at all, and maybe try a password manager instead.
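To make the two points above concrete (the capped number of attempts the self-help tool enforces, and a “lie” that nobody can research because it is a random token kept in your password manager), here is an added example that is not part of the original post: a small, constructed server-side store for reset questions that normalises answers, keeps only salted PBKDF2 hashes of them, and locks after a fixed number of failures. Question text, the Kerbero answer and the attempt limit are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo: secret-question answers are stored as salted PBKDF2
# hashes (never in clear text), and wrong answers are capped so that
# after MAX_ATTEMPTS the account has to go through the service desk.
MAX_ATTEMPTS = 3           # assumed limit for the demo
PBKDF2_ROUNDS = 200_000    # slow hash so stolen hashes are costly to guess


def normalise(answer: str) -> str:
    # Users never reproduce case or stray spaces reliably; an attacker
    # gains nothing from this, so normalise before hashing.
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


def random_answer(nbytes: int = 12) -> str:
    # The "lie until your pants catch fire" answer: a random token that
    # cannot be found in any bio, meant to live in a password manager.
    return secrets.token_urlsafe(nbytes)


class RecoveryQuestions:
    def __init__(self) -> None:
        self._store = {}      # question -> (salt, pbkdf2 hash)
        self.failures = 0
        self.locked = False

    def enrol(self, question: str, answer: str) -> None:
        salt = secrets.token_bytes(16)
        self._store[question] = (salt, hash_answer(answer, salt))

    def verify(self, question: str, answer: str) -> bool:
        if self.locked:       # only the service desk can unlock from here
            return False
        salt, expected = self._store[question]
        if hmac.compare_digest(hash_answer(answer, salt), expected):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True
        return False
```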

In addition, you should also be careful about how detailed your online bios are, since that information can also be used for identity theft in addition to getting access to your online accounts. The information in such bios can also help hackers guess your passwords (one of the methods used in the Apple celebrity hacking scandal last year).

Learning to fly

So.. I have turned 40 (tbh I'm staring 43 straight in the face) and I guess it's time to have a midlife crisis. Even though I have spent many years within the field of cyber security, I never seem to have had the time to dabble in the field of penetration testing (I have always left that to the “geeky young people….”). So now, in my midlife crisis, armed with Kali Linux, a Pineapple and a Rubber Ducky, I have decided to teach myself some pen testing to expand my horizon. I guess my current level would be Newbie script kiddie 🙂