Why you should lie in your password-recovery questions

Mashable
Jan 13, 2020 · 3 min read

The truth is overrated. At least when it comes to protecting your online accounts.

BY JACK MORSE

Image: Martin Barraud / Getty

Sometimes, the safest choice is to lie.

We’ve all been there: You try to log into a rarely used online account only to realize you’ve forgotten the password. It’s password-recovery time, and before you know it you’re scratching your head trying to remember the name of your first pet and what your favorite movie was 3 years ago. You’ve already screwed up, just not in the way you think.

Your first mistake, it turns out, was answering those dumb security questions accurately in the first place. The idea of password-recovery questions is simple: if you forget your login credentials, there’s a backup way to get into your account. The problem is that the information required to clear those minor security hurdles is often easy to find with a quick Google search.

Just ask former vice-presidential candidate Sarah Palin. In 2008, a 20-year-old college student broke into Palin’s Yahoo email account. He accomplished this task by using the internet to determine her ZIP code and birthday, and then resetting her password via the password-recovery tool.

Essentially, he just Googled his way into her account.

And while we shed no specific tears for Mrs. Palin, the lesson learned is still a painful one. Answering password-recovery questions honestly opens you up to a potential hack. We all know this, and yet many services still require you to answer their dumb questions in order to create an account.

There’s a way around this, of course. Lie.

But before we get into that, a quick note: You should use a unique password for every single online account you have. That’s a different password for Twitter, Gmail, Reddit, Netflix, Spotify, and whatever other online services you may use. That’s because when one platform gets hacked (and stuff always gets hacked), bad actors will often try something called credential stuffing — entering email and password combinations stolen from one service into other online services — in an effort to leverage the hack of, say, a Dunkin’ Donuts account into illicit access to someone’s bank account.

Sure, remembering all those unique passwords is difficult. That’s why you should use a password manager. Services like LastPass and 1Password only require you to remember one strong passphrase (and use multi-factor authentication), and then they do the rest.

Image: Screenshot / Lastpass

Password managers also have another handy feature for the security-inclined. Specifically, you can save “secure notes” on LastPass and other similar services.

That means, instead of having to remember the real answers to your password-recovery questions — potentially setting yourself up for a Sarah Palin-style hack in the process — you can just make up random gibberish (or use diceware to create something even more secure).

That way, anytime you forget your password and are prompted to answer recovery questions, you can log into your password manager and pull up your fictional answers.
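As an added illustration of the advice above (this is not code from the Mashable article or from any password manager), here is how to generate diceware-style answers with Python’s `secrets` module and lay them out as the text of a secure note. The wordlist is a small constructed stand-in for the real 7,776-word Diceware list, and the site name and questions are made up.

```python
import math
import secrets

# Constructed mini wordlist standing in for the real 7776-word Diceware list;
# the real list has one entry for every five-dice roll from 11111 to 66666.
WORDLIST = [
    "ferret", "lantern", "quartz", "meadow", "cobalt", "saddle", "pumice",
    "tundra", "walnut", "kestrel", "harbor", "violet", "ember", "glacier",
    "marble", "falcon", "nutmeg", "orchid", "pepper", "raven", "sundial",
    "thistle", "umber", "willow", "yarrow", "zephyr", "anchor", "bramble",
    "cinder", "dapple", "engine", "fjord",
]


def diceware_answer(words=5, wordlist=WORDLIST):
    """Return a phrase of `words` words drawn uniformly with a CSPRNG (secrets)."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def answer_entropy_bits(words, list_size):
    """Entropy in bits of a `words`-word phrase drawn uniformly from `list_size` words."""
    return words * math.log2(list_size)


def fake_recovery_answers(questions, words=5, wordlist=WORDLIST):
    """Map each recovery question to an unrelated random phrase, one per question."""
    return {q: diceware_answer(words, wordlist) for q in questions}


def secure_note(site, answers):
    """Format the question/answer map as the text of a password-manager secure note."""
    lines = [f"Recovery answers for {site}"]
    lines += [f"{q}: {a}" for q, a in answers.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    # Hypothetical site and questions, constructed for the demo.
    questions = ["First pet's name", "Favorite movie", "City of birth"]
    answers = fake_recovery_answers(questions)
    print(secure_note("example.com", answers))
    print(f"~{answer_entropy_bits(5, 7776):.1f} bits per answer with the full 7776-word list")
```

With the full Diceware list, five words give roughly 64.6 bits per answer, far more than any truthful pet name or hometown that a quick search could turn up.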

Of course, with a password manager you likely won’t find yourself in that position in the first place.

Originally published at https://mashable.com
