Security questions are insecure: how to protect your accounts

How do you answer online account security questions? Honest answers? Unfortunately, your honesty could create a chink in your online armor.

When we sign up for a new online service, we are invariably asked to create a password to secure the new account. If you’re sensible, you choose a long, completely random string or let a password manager do the work for you. Next in the sequence come security questions.

These questions usually ask for your mother’s maiden name, the name of your elementary school, the name of your first pet, and so on. Designed to keep our accounts safe from would-be hackers, the security questions should act as an extra line of defense.

How do you answer those questions? Do you tell the truth, the whole truth, and nothing but the truth? Unfortunately, your truthfulness could be creating an unexpected chink in your online armor. Let’s take a look at exactly how you should be answering security questions.

Password Hints Damage Your Security

Password hints are useful only as a nudge to your own memory. Windows, for example, displays the hint you set after a single failed sign-in attempt, and it shows it to anyone standing at the lock screen. Because you write the hint yourself you can be as cryptic or as open as you like; a hint that all but restates the password hands it to whoever is in front of the machine.

Security questions are different. We regularly face the familiar question combinations mentioned above, and willingly provide accurate answers. Security questions are presented as an additional line of defense. However, you should consider the relative ease of obtaining some of the answers in today’s ultra-connected society.

Security researchers regularly deride security questions as lackluster. Can we have faith in a security measure whose answers can be so readily discovered?

Use Strong, Single Use Answers for Security Questions

Attackers go for the easy questions (colors, maiden names, first pets) because the answers are easily obtained from social media accounts. A very specific question makes matters worse rather than better: it tells the attacker what kind of answer to look for and shrinks the space of plausible guesses.

For instance, if the security question is “Where did you purchase your first car?” the attacker can discard everything that is not a dealership or a town and concentrate on those. If the question is “What is the name of your hometown?” it is simple to scan your Facebook or LinkedIn profile for the information (if it is listed, of course).

I’m sure you’ve already twigged the obvious solution to this security problem. If the attacker is looking for an answer that directly relates to you, why not use something completely different?

  • What is your mother’s maiden name? fa1c0npunc4
  • Where did you meet your spouse? b1cycl3tyr3
  • What was the name of your first pet? n0str0d4mu5

Okay, they’re terrible examples, but you catch the drift. If the answer is a) unrelated to the question and b) made of random characters, you immediately raise the security bar of your account. Since you won’t remember such answers, store them in your password manager next to the password; an answer you have to write on a sticky note is not an improvement.

Randomize Your Security Questions to Boost Your Security

Randomizing or using a unique answer for your account security questions will boost your security across the board. However, security questions are frowned upon as a security mechanism in general. The National Institute of Standards and Technology (NIST), in Special Publication 800-63B, does not list knowledge-based authentication (security questions) among its acceptable authenticators, and it tells verifiers not to prompt users for that kind of personal fact (“What was the name of your first pet?”) when setting up a memorized secret. The reasoning is straightforward: the answer to a security question is, in effect, a second password, and letting one that is easier to guess than the real credential (or than two-factor/two-step verification) stand in for it defeats the object of the exercise.

A 2015 Google study, “Secrets, Lies, and Account Recovery” (Bonneau et al., WWW 2015), analyzed the security questions and answers of Google’s enormous user base. It found that security answers are a weak form of protection: users often try to harden their answers, but do so in an entirely predictable manner.

Our analysis confirms that secret questions generally offer a security level that is far lower than user-chosen passwords. It turns out to be even lower than proxies such as the real distribution of surnames in the population would indicate.

Surprisingly, we found that a significant cause of this insecurity is that users often don’t answer truthfully. A user survey we conducted revealed that a significant fraction of users (37%) who admitted to providing fake answers did so in an attempt to make them “harder to guess” although on aggregate this behavior had the opposite effect as people “harden” their answers in a predictable way.

Why do we attempt to lie, and then do it so badly? As the paper’s charts show, the majority of respondents who gave false answers did so believing it would increase their security. So users, at least in this snapshot of a very large population, do understand that security questions can and will be used against them; the lies fail because many people reach for the same “clever” fake.

Why questions like “What is your mother’s maiden name?” and “What did you do last summer?” don’t protect you.


September 16, 2016

In the beginning of 2012, I got a MacBook. At the time, I knew little about gadgets, and I was not planning to buy any other Apple devices. I powered up the laptop and created an Apple ID account. As requested, I chose a password and several security questions.

Four years later, I have an iPad as well, and of course I’ve purchased several interesting apps (some of them I found in this list made by my colleague). My account became valuable to me, and I started thinking about its protection. That’s why I decided to turn on two-factor authentication.

It wasn’t as easy as it should have been; Apple wouldn’t allow me to change anything in the Security tab until I could answer my security questions perfectly. And the answers I put in did not match.

When I tried to change the security questions, I found out that the secondary e-mail used to perform such operations was not verified. I still have no idea why Apple would treat an unverified e-mail as active, but it did, and thus began an endless circle.

I clicked the Verify Email link several times but received no confirmation e-mails. Everything was going wrong. It wasn’t a good time to ask tech support for help, so I had only one way out — I had to hack my own security questions.

How I hacked the questions

The questions that I chose four years ago were not so difficult. But thinking about the answers, I realized that anybody could figure them out by looking at my CV or social network account.

Where was your first job?
LinkedIn is an obvious place to find the answer to this question.

Where did your mother and father meet?
My parents grew up, met each other, and got married in the same city where I was born. A lot of people have the same life story. And many people list their native cities on social networks (and social networks usually ask people to do that!). This question is not secure at all.

What is your favorite children’s book?
Well, I had several favorite books as a child, but the most likely answer was The Hobbit, by J. R. R. Tolkien. Like the other answers, this one wasn’t exactly a secret: First, the book is very popular. Second, my university friends and classmates know that I wrote several term papers about The Hobbit. My half-finished dissertation was devoted to eleven translations of The Hobbit into Russian! In the end, the only mystery about this question was whether I wrote the shorter title or the full name — “The Hobbit, or There and Back Again” — four years ago.


If I knew all of the answers, then why didn’t my answers match? It’s simple: I had English as the main language of my account, and that meant the security questions were also shown in English. But four years ago I answered them in Russian. When I switched languages and reentered the same answers, they matched. But even for people who don’t switch languages, security answers may become problematic: Did you use proper capitalization? Abbreviations? Nicknames?

I began thinking about what makes a good security question — and answer.

What is a good security question? If you have to choose a question from a list, which should you choose?

Five criteria help us distinguish good security questions from bad.

1. Obscurity — questions must be hard to guess or research. For example, a favorite of many banks — your mother’s maiden name — sucks for sure. I won’t waste your time covering the 9000 ways to figure that one out.

2. Stability — answers must not change over time. Avoid “favorite” questions: Your favorite job, food, band, movie, restaurant, vacation spot might change in a few years.

3. Memorability — we enter passwords relatively often, but it’s rare we have to answer security questions. Even if you remember the name of your first-grade teacher when you’re a teenager, you may have forgotten it by the time you’re in your thirties — or sixties — so try not to choose questions whose answers you’re likely to forget in a decade or two.

4. Simplicity — some questions have multiple correct answers. Where was your first kiss? That might be “New York,” “New York City,” “NYC,” “Central Park,” or at least a few other options. Don’t give yourself easy options to fail; avoid questions you might answer in a variety of ways.

5. Choice multiplicity — questions that require “yes” or “no” answers are terrible. Even a stranger has a 50% chance of guessing right! Good security questions can be answered in infinite ways — and you should be the only person who knows the right answer.

Beware social media phishing

You’ve probably seen social media surveys or quizzes inviting you to wax nostalgic and share the “first 7 places I worked…” or “your first airplane trip….” Those are a treasure trove for social engineers, and some of them are posted by criminals for exactly that purpose.


If you want, you can change the answer to even the worst security question ever such that nobody could guess it — what is your mother’s maiden name? XCU*(&S1042! — but of course, you need to be careful not to confuse yourself as well.

As a better option, you might take the maiden name Woodhouse and strip it down to the consonants: wdhs. Evenly intersperse the birth date 04.08.80 to get 04wd08hs80. Not a brilliant trick, but much better than the original.

This kind of method is best for those security questions you have to answer often — for example, when you call your bank. If you have to recall it from time to time, the combination stays fresh in your memory. Bear in mind that it only adds as much secrecy as the inputs the attacker lacks: if your mother’s maiden name and your birth date are both easy to find, the rule itself is all that stands between an attacker and the answer.
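The trick above, as an added example that is not part of the article: a Python version generalised to any surname and date, together with the attacker’s side of it. The surnames and dates are constructed, not real data about anyone; the point of the second function is that a fixed rule adds no candidates beyond the inputs the attacker already has to guess.

```python
import itertools
import re

# Added example, not from the article: the consonant/date trick generalised
# to any surname and date, plus the attacker's view of it.
VOWELS = set("aeiou")


def _split_even(s, parts):
    """Split s into `parts` consecutive chunks whose lengths differ by at most one."""
    base, extra = divmod(len(s), parts)
    chunks, pos = [], 0
    for i in range(parts):
        size = base + (1 if i < extra else 0)
        chunks.append(s[pos:pos + size])
        pos += size
    return chunks


def harden(surname, date):
    """Keep the consonants of the surname and intersperse the date's digit
    pairs evenly: Woodhouse + 04.08.80 -> 04wd08hs80."""
    consonants = "".join(c for c in surname.lower() if c.isalpha() and c not in VOWELS)
    digits = re.sub(r"\D", "", date)
    pairs = [digits[i:i + 2] for i in range(0, len(digits), 2)]  # ['04', '08', '80']
    gaps = len(pairs) - 1                                         # letter groups sit between pairs
    if gaps < 1:
        return digits + consonants
    out = pairs[0]
    for chunk, pair in zip(_split_even(consonants, gaps), pairs[1:]):
        out += chunk + pair
    return out


def attacker_candidates(surnames, dates):
    """Everything an attacker who knows the rule needs to try: one derived
    string per (surname, date) pair. The transformation itself adds nothing."""
    return {harden(s, d) for s, d in itertools.product(surnames, dates)}


# Constructed lists standing in for what an attacker would pull from public
# records and social media; not real data about anyone.
SURNAMES = ["Woodhouse", "Smith", "Garcia", "Nguyen"]
DATES = ["04.08.80", "05.08.80", "04.09.80"]


def demo():
    """Derive the article's answer and check it sits inside the attacker's pool."""
    answer = harden("Woodhouse", "04.08.80")
    pool = attacker_candidates(SURNAMES, DATES)
    return answer, len(pool), answer in pool


if __name__ == "__main__":
    print(demo())  # ('04wd08hs80', 12, True)
```

With four plausible surnames and three plausible dates the attacker has exactly twelve strings to try; the rule bought nothing once it was known. Against a casual attacker who does not know the rule it still beats the raw maiden name, which is the article’s (modest) claim.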

Ultimately, however, there are better ways to protect your accounts than security questions — for example, two-factor authentication.

Is it a good practice, or is it obsolete? I’m asking because I’ve never managed to remember a single security question, thus I always write down the answers. I think they are useless, long passwords or 2FA is a much better practice.


For a security question to be good, it must:

  1. Have one definitive, unambiguous answer that the user would never forget,
  2. ... but is secret and hard to guess for everybody else.

The problem is that the higher you score on #1, the lower you score on #2. So you have to walk a tightrope here. If you lean too far towards #1, users will forget the answer and brick their accounts. If you lean too far towards #2, anyone can guess the answer and the question becomes essentially useless.

There probably is no sweet spot here. So should we just ditch the whole concept?

Well, it depends.

Security questions can be used in many ways.

Let’s start with a very bad way to use them – as the only protection for account recovery and password reset. The answer to the question basically becomes a second password that is both easier to crack and guess than the first. That’s just spectacularly bad. If you don’t believe me, ask Sarah Palin.

That usage pattern is probably what has given security questions their bad name. But is there actually some other legitimate use case for them? Maybe. How about this:

  1. As a poor man’s 2FA for login or sensitive actions.
  2. As a check before sending password reset emails.

In both cases, a determined attacker could find the right answers. But not all attackers are determined. A simple security question could make large scale automated attacks after big data breaches impractical. If I have a million passwords from site A, I can’t just test them on site B if B also requires a security question. Or if I breach an email provider, I can’t send a million password reset links from all sorts of sites, because I don’t know the answer to the security questions.

The downside here is the contradiction discussed above – the less obvious the answer to the security question is, the more likely users are to brick their account by mistake. There are better solutions here, like real 2FA or account recovery codes. But implementing 2FA can be hard, and so is getting your users to actually print and store those pesky recovery codes. So sometimes, for pragmatic reasons, a security question might be a good compromise.

That is the best case I can make for them. I’m not sure if it’s a good enough case to actually ever use them.
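As an added illustration of the second use case in the answer above (example code, not from the answer or any real product): a reset gate that normalises the answer, stores it as a salted slow hash the way a password would be stored, and caps failures per account. The normalisation absorbs the capitalisation and punctuation mismatches described earlier on this page; it cannot rescue an answer typed in a different language. The PBKDF2 round count and the lockout threshold are assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

# Added example, not from the answer above or any real product: a password-reset
# gate that demands the security answer before the reset e-mail goes out.
PBKDF2_ROUNDS = 100_000  # assumption: tune to your hardware; treat the answer like a password


def normalize(answer):
    """Fold the accidental variants the page warns about (case, accents,
    punctuation, spacing) so 'The Hobbit, or There and Back Again' and
    'the hobbit or there and back again' match. It cannot fix a different
    language or 'NYC' vs 'New York'; that is a question-design problem."""
    s = unicodedata.normalize("NFKD", answer)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    return "".join(ch for ch in s.casefold() if ch.isalnum())


def hash_answer(answer, salt):
    """Salted, slow hash of the normalised answer (same treatment as a password)."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS)


class ResetGate:
    """Per-account state: salted slow hash of the answer and a failure budget.
    The budget is what makes bulk attacks after a breach impractical: an
    attacker holding a million passwords gets a handful of guesses per
    account, not a million."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self._accounts = {}  # username -> {"salt", "digest", "failures"}
        self._dummy_salt = os.urandom(16)

    def enroll(self, username, answer):
        salt = os.urandom(16)
        self._accounts[username] = {"salt": salt, "digest": hash_answer(answer, salt), "failures": 0}

    def request_reset(self, username, answer):
        """Return 'send_email', 'deny' or 'locked'. Unknown users get 'deny'
        after a dummy hash so response time does not reveal whether the
        account exists. ('locked' still reveals existence; a production
        system would answer 'deny' and lock silently.)"""
        acct = self._accounts.get(username)
        if acct is None:
            hash_answer(answer, self._dummy_salt)
            return "deny"
        if acct["failures"] >= self.max_failures:
            return "locked"
        if hmac.compare_digest(hash_answer(answer, acct["salt"]), acct["digest"]):
            acct["failures"] = 0
            return "send_email"
        acct["failures"] += 1
        return "deny"
```

The gate only decides whether the reset e-mail is sent; the link in that e-mail remains the real reset credential, so a correct answer never grants access on its own, which is the arrangement the answer above argues for.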


“What’s your mother’s maiden name?” How many times have you been asked to answer this question when you create an account? Do you give the right answer? Let me explain why you shouldn’t give the correct answer to this or any other security question.

Today, we’re going to talk about how to answer security questions securely to protect your accounts and privacy online.

The Threat

How many people know your mother’s maiden name?

How many people know your favorite color?

How many other people have the same favorite color as you?

The problem with the answers people choose for security questions is that they’re too easy to guess.

An analysis by Google and Stanford in 2015 found that most users’ answers were insecure. They could be easily guessed or found through basic research. There’s no reason to think things have improved since 2015. Here are some of the problems summarized in the report:

Questions with common answers. Many personal knowledge questions have common answers shared by many in the user population which an adversary might successfully guess. Schechter et al. were able to guess approximately 10% of users’ answers by using a list of other answers provided by users in the same study.

Questions with few plausible answers. A number of potential questions, such as “who is your favorite superhero?” have very few possible answers. An empirical study … found that 40% had trivially small answer spaces. User-chosen questions appear even worse: … the majority of users choose questions with trivially few plausible answers.

Publicly available answers. Rabkin found that 16% of questions had answers routinely listed publicly in online social networking profiles. Even if users keep data private on social networks, inference attacks enable approximating sensitive information from a user’s friends. Other questions can be found in publicly available records. For example, at least 30% of Texas residents’ mothers’ maiden names can be deduced from birth and marriage records.

Social guessing attacks. Users’ answers may be easily available to partners, friends, or even acquaintances. … acquaintances could guess 17% of answers correctly in five tries or fewer.

You might think, “Well, security questions only matter if I lose my password and need to get back into my account.” But that’s overlooking the fact that anyone can try using your security questions to reset your password and log into your account.
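The guessing metric behind those percentages, as an added example rather than anything from the report: given how often each answer occurs, how many users fall to an attacker’s first k guesses, how many guesses cover half the population, and the min-entropy of the distribution. The answer counts are constructed; only their shape (a handful of popular answers, then a long tail of unique ones) follows the study’s findings.

```python
import math
from collections import Counter

# Added example, not from the article or the paper: the guessing metric the
# Google study reports, run over a constructed answer distribution for
# "What city were you born in?". The counts are invented.
_frequent = {
    "paris": 60, "new york": 45, "london": 40, "i don't know": 30,
    "chicago": 25, "minas tirith": 12, "toronto": 10,
}
_tail = {"city-%d" % i: 1 for i in range(778)}  # 778 users with unique answers
SAMPLE = Counter({**_frequent, **_tail})         # 1,000 users in total


def top_k_success(counts, k):
    """Fraction of users whose answer is among the k most common ones,
    i.e. the attacker's hit rate with k guesses per account."""
    total = sum(counts.values())
    return sum(n for _, n in counts.most_common(k)) / total


def guesses_to_reach(counts, fraction):
    """How many guesses (most common first) it takes to cover `fraction` of users."""
    total = sum(counts.values())
    covered = 0
    for i, (_, n) in enumerate(counts.most_common(), start=1):
        covered += n
        if covered / total >= fraction:
            return i
    return None


def min_entropy_bits(counts):
    """-log2 of the most likely answer's probability: the entropy figure that
    matters against an attacker who gets one guess per account."""
    total = sum(counts.values())
    return -math.log2(max(counts.values()) / total)


if __name__ == "__main__":
    print("1 guess:", top_k_success(SAMPLE, 1))
    print("5 guesses:", top_k_success(SAMPLE, 5))
    print("guesses for half the users:", guesses_to_reach(SAMPLE, 0.5))
    print("min-entropy bits:", round(min_entropy_bits(SAMPLE), 2))
```

Even with 785 distinct answers in the sample, one guess per account captures 6% of users and five guesses capture 20%, and the distribution is worth about four bits against a one-shot guesser. A random twelve-character answer gives the attacker nothing comparable, which is the whole argument of the next section.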

How To Answer Security Questions Securely To Increase Your Security

You don’t want to use answers that others could guess or figure out through research. The best way to do this is to provide false answers. It turns out that many people already do this. The Google and Stanford report mentioned above says,

We found that a significant cause of this insecurity is that users often don’t answer truthfully. A user survey we conducted revealed that a significant fraction of users (37%) who admitted to providing fake answers did so in an attempt to make them “harder to guess” although on aggregate this behavior had the opposite effect as people “harden” their answers in a predictable way.

For example, when asked “What city were you born in?” people try to be clever and give an incorrect city. But, they tend to choose a city that many others also chose (whether they did so honestly or not), such as Paris.

If the question is “What city were you born in?” don’t use a less-popular city or fictional city (such as Minas Tirith) and think you’re being clever. Others are likely to use the same answer (though not as many as will use Paris). Instead, use a word or words that don’t answer the question, such as magnet or Megatron or, even better, urBFbaFv3HMl.

Be sure to choose answers that it’s extremely unlikely someone else would use. You can even let your password generator — I use LastPass — create an answer. However, be aware that some websites don’t allow special characters in security questions. Some don’t even allow spaces, so you can’t use more than one word (although you could always smash multiple words into one string of text). Also, consider that you may need to give your answers over the phone. For example, I have a financial account for which I used a long, randomly-generated answer that contains special characters. There have been several times that I’ve needed to spell it over the phone, which is a pain.

Some websites let you create your own security questions. If this is an option, do it! Be sure to make your questions nonsense, too, and irrelevant to your answers. For example:

Question: rhododendron
Answer: malevolent

Question: 1AWEBdm6JI
Answer: NvX8z4yJzmu

You may ask, “How am I supposed to remember these nonsense answers?” You don’t need to. Save them in your password manager. I store my passwords in LastPass, and I use the Notes field to store the security questions and answers.
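An added example, not part of this article, of doing the generation yourself with Python’s secrets module rather than relying on a password manager, sized by entropy rather than by a character count and shaped by the site constraints just described (alphanumerics only, no spaces, readable over the phone). The word list is a constructed stand-in for a proper one.

```python
import math
import secrets
import string

# Added example, not from the article: generate security answers the way a
# password manager would, sized by entropy and shaped by the site's rules.
ALNUM = string.ascii_letters + string.digits          # what most sites accept
PHONE_SAFE = "".join(c for c in string.ascii_lowercase + string.digits
                     if c not in "0o1li")             # no 0/o or 1/l/i confusion when read aloud

# Constructed word list; a real one (a diceware list, say) has thousands of words.
WORDS = ["magnet", "rhododendron", "falcon", "bicycle", "granite", "velvet",
         "harbour", "lantern", "copper", "meadow", "orbit", "saffron",
         "thistle", "walnut", "zephyr", "ember"]


def bits_per_symbol(pool_size):
    """Entropy contributed by one uniformly chosen symbol from a pool of that size."""
    return math.log2(pool_size)


def length_for(min_bits, pool_size):
    """Smallest number of symbols from a pool of `pool_size` giving at least min_bits."""
    return math.ceil(min_bits / bits_per_symbol(pool_size))


def random_answer(min_bits=64, alphabet=ALNUM):
    """Uniform random string with at least min_bits of entropy."""
    n = length_for(min_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))


def word_answer(min_bits=32, words=WORDS):
    """Words run together with no spaces, for sites that forbid them; easier to
    read over the phone than a random string, but a small list needs many words."""
    n = length_for(min_bits, len(words))
    return "".join(secrets.choice(words) for _ in range(n))


def custom_pair(min_bits=64, alphabet=ALNUM):
    """For sites that let you write the question too: both halves random and unrelated."""
    return random_answer(min_bits, alphabet), random_answer(min_bits, alphabet)


def entropy_of(answer_len, alphabet):
    """Entropy of a uniformly random answer of that length over that alphabet."""
    return answer_len * bits_per_symbol(len(alphabet))


if __name__ == "__main__":
    print(random_answer())                 # 11 alphanumerics, ~65 bits
    print(random_answer(64, PHONE_SAFE))   # 13 phone-friendly characters
    print(word_answer())                   # 8 words from the 16-word list
    print(custom_pair())
```

Sizing by entropy makes the trade-offs explicit: restricting the alphabet to phone-safe characters costs two extra characters for the same 64 bits, and a sixteen-word list needs eight words to reach 32 bits, which is why a real word list must be much larger.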

Security questions, also known as challenge questions or secret questions, are a way to help you recover access to accounts when you forget your passwords. Security questions are meant to protect your accounts but they can actually provide hackers with a loophole to break into your accounts.

Google’s research found that “easy security questions aren’t secure and difficult answers aren’t usable.” Many companies pile on more security questions in an effort to make this insecure method more secure, but this practice comes at the expense of usability. Too many questions make it hard for actual account owners to recover their accounts, which then drives calls to the Service Desk. Google concludes that security questions should be a last resort when no other alternatives are available. A few examples of easy security questions commonly used today:

  • What is your favorite food?
  • What is your city of birth?
  • What is your first teacher’s name?
  • What is your father’s middle name?

Answers to the above questions are easy to social engineer. Social engineering here means that an attacker uses readily available personal information to convince a person, or an automated recovery process, that they are the legitimate account owner.

Take a look at your own social media profiles, how much information is available out there for a hacker to pretend to be you? What about those “Get to Know Me” questionnaires that get passed around between friends on Facebook? People readily share personal details as a way of finding commonalities with their social network, without considering the risks.

Two hacking incidents should serve as sobering wake-up calls for those who still believe in security questions. In 2014, the world saw the biggest leak of celebrity nude images in the history of the Internet. The iCloud accounts of several Hollywood celebrities were compromised by a targeted attack on their user names, passwords, and security questions. In 2008, Sarah Palin’s Yahoo! email account was hacked in the run-up to the election. All the attacker did was go through the password-reset prompt and answer her security question, “Where did you meet your spouse?”, using information that could be found in public sources.

‘Don’t have one’ and ‘I don’t know’ among easiest answers to guess

Did you lie about your father’s middle name to make it harder for cybercriminals to get into your email account? Chances are that you actually made your account less secure, a new study suggests.

Google researchers examined how hard it was to guess the answers to “personal knowledge” security questions that are often used to regain access to your email account if you forget your password. What they found was not reassuring.

“Our analysis confirms that secret questions generally offer a security level that is far lower than user-chosen passwords,” said a peer-reviewed paper presented last week at the International Conference on the World Wide Web in Florence.

“Surprisingly, we found that a significant cause of this insecurity is that users often don’t answer truthfully.”


Lead author Joseph Bonneau told CBC News that the most common fake answers are more predictable than the most common real answers for things like surnames.

And answers such as “Don’t have one” or “I don’t know” were particularly ineffective.

Because of the problem with fake answers, the study found that a clever attacker could guess 4.2 per cent of English-speaking users’ answers to the question “Frequent flyer number?” with a single guess.

No good questions

Bonneau, who has now left Google and is working as a post-doctoral researcher at Stanford University, said researchers have always had a sense that security questions weren’t very secure, but his team wanted to “put out in black and white exactly how insecure and unreliable” they were. To do that they looked at how easy it was to guess the answers to security questions provided by Google users over the past five years.

The researchers hoped to identify the best possible security questions — those that generated answers both secure (having a huge set of possible, hard-to-guess answers) and memorable.

“Nothing we looked at was good on both counts,” he said. “If there is some question out there that will manage to do both things at once, Google wasn’t able to find it.”

While the study only looked at Google accounts, Bonneau thinks the findings likely apply to other accounts that use security questions, as the pool of questions used tends to be similar.

Tips for users

Based on his results, Bonneau makes a couple of recommendations:

  • Avoid generic fake answers like “I don’t know” or “Don’t have one.”
  • Try to have an account backup mechanism that is more secure than security questions — for example, registering your phone number and getting Google to send an account recovery code to the phone.

As for web services, he recommends that if these types of security questions are used, they should be used along with other ways to verify a user’s identity.

“It’s not secure if this is the only thing that needs to be answered to regain control of an account.”

The inception of passwords in the 1960s changed the digital world as we know it. Passwords are now an unconscious standard practice in the lives of most, and from your first pet to the street you grew up on, they are deeply ingrained in our minds.

The first passwords introduced the concept of authentication to cybersecurity, or the ability to prove one’s identity through a passcode, PIN, security question, or other secret means of identification. But passwords are not secure, and never have been—almost immediately after passwords were invented, the first breach occurred. The history of passwords has been a strange, inconvenient journey, but one that has led us to much better authentication solutions.

The Past

Fernando Corbató first presented the idea of passwords at MIT in 1960, without any idea of the huge societal and security impact it would have. At the time, the Compatible Time-Sharing System (CTSS) had recently been developed and was available for research use, but lacked a way to secure private files by user. Enter the password.

For years, the password was used only in research and academic circles, without any major real-world application, but as computers became more accessible, attacks on operating systems became more prolific, frequent, and targeted. When computers began to make their way into homes and offices, the true weakness of passwords was discovered. Even Beyond Identity founder Jim Clark has acknowledged his role in making the password a commonplace form of authentication.

But there is good news on the horizon: what was originally considered a pitfall of owning a device is now something we can fight back against with passwordless technology.

The Future

Since the early years of passwords, we have seen many transformations in digital identity and authentication, but some things, unfortunately, remain the same. In 2020, the Verizon Data Breach Investigations Report (DBIR) found that over 80% of hacking-related breaches involved brute force or the use of lost or stolen credentials, further evidence that passwords are as weak a control today as they were in the 1960s.

But we are no longer relegated to the CTSS or insecure authentication methods, and that’s where Beyond Identity comes in. Rather than trying to enhance password security or add additional factors or security questions, we eliminate the insecure factor altogether—passwords.

Beyond Identity provides seamless and secure passwordless authentication. See for yourself how Beyond Identity can help you securely authenticate users, stop breaches, and prevent hacks.

Good account security practices help to keep us, and our information, safe.

The compromise of your UQ account or other online accounts by cyber criminals could have serious consequences, such as identity theft, or breaches of UQ information and systems. Good password management and account security practices can help to keep our accounts secure and minimise the risk of compromise.

Use strong passwords or passphrases

A strong password is long, complex (difficult to guess) and unique. (A password manager application can generate and store strong passwords for you.)

Strong passwords should:

  • include at least 10 characters (this is the minimum length for UQ account passwords).
  • include upper and lower case letters, at least one number, and at least one special character (approved characters are: # $ % ' ( ) * + , - / : ; < = > [ ] ^ _ `).

A ‘passphrase’ is a type of password created by combining whole words (i.e. a phrase); this is a simple way to create long, strong passwords that are easy to remember. Special characters and numbers can be included to further increase the strength of a passphrase (e.g. 2Book#Shoes%).

To create a passphrase:

  1. Select 2 or 3 random words.
  2. Add a special character between them.
  3. Capitalise some of the letters.
  4. Add at least one number.
  5. Check that the passphrase is at least 10 characters long. If not, add more words, numbers or special characters.

When creating your password or passphrase, avoid using:

  • & ? ! “ @ \ or a space
  • anything too similar to your current password (e.g. don’t just increase the number at the end of your current password)
  • anything close to a single dictionary word or common term or phrase
  • your name, phone number, date of birth or any identifying information
  • other personal information (e.g. car registration, maiden name, address)
  • a password you have used before
  • duplicate characters (e.g. aaabbbccc) or keyboard patterns
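The five passphrase steps and the avoid-list above, as an added Python example that is not part of UQ’s page: a generator that follows the steps and a checker for the rules that can be tested without external data (the dictionary-word and password-reuse rules need a word list and a history, and are not attempted). The dash in the approved character list is assumed to be a plain hyphen, and the word list is constructed.

```python
import re
import secrets

# Added example, not from the UQ page: generate passphrases by the page's five
# steps and check candidates against its stated rules.
APPROVED_SPECIALS = "#$%'()*+,-/:;<=>[]^_`"   # copied from the page; dash assumed to be a hyphen
FORBIDDEN = '&?!"@\\ '                        # the page's avoid-list, including the space
MIN_LENGTH = 10

# Constructed word list; use a large published list in practice.
WORDS = ["granite", "velvet", "harbour", "lantern", "copper", "meadow",
         "saffron", "thistle", "walnut", "zephyr", "falcon", "bicycle"]

_KEYBOARD_RUNS = ("qwerty", "asdf", "zxcv", "1234", "abcd")  # crude stand-in for "keyboard patterns"


def check_policy(password):
    """Return the rules the candidate breaks (an empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not any(c in APPROVED_SPECIALS for c in password):
        problems.append("no approved special character")
    if any(c in FORBIDDEN for c in password):
        problems.append("contains a forbidden character or space")
    if re.search(r"(.)\1\1", password):
        problems.append("three identical characters in a row")
    if any(run in password.lower() for run in _KEYBOARD_RUNS):
        problems.append("keyboard pattern")
    return problems


def make_passphrase(word_count=3):
    """Steps 1-5 from the page: random words, an approved special character
    between them, capitals, a digit, then more words until the minimum length."""
    words = [secrets.choice(WORDS).capitalize() for _ in range(word_count)]
    separator = secrets.choice(APPROVED_SPECIALS)
    digit = str(secrets.randbelow(10))
    while True:
        phrase = separator.join(words) + digit
        if len(phrase) >= MIN_LENGTH:
            return phrase
        words.append(secrets.choice(WORDS).capitalize())


if __name__ == "__main__":
    candidate = make_passphrase()
    print(candidate, check_policy(candidate))
    print("2Book#Shoes%", check_policy("2Book#Shoes%"))
```

Three words from even this short list give a little over ten bits of choice plus the separator and digit, which satisfies the letter of the policy; the strength comes from the word list size, so a real deployment should draw from thousands of words.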

You can visit the Have I been pwned website to find out if any websites or services you have used are known to have been compromised.

Store passwords securely (use a password manager)

The most secure place to store your password is your memory, but this can be difficult with so many different accounts and passwords to memorise (remember, strong passwords are unique).

A personal password manager is an application that stores all your passwords in an encrypted database, protected by a single master password. This is a secure and convenient way to store passwords for all the accounts, websites and services that you use.

Password manager benefits

  • You only need to remember one password to have access to all your accounts.
  • Can generate new passwords for your needs; no need to think of new passwords, and the generated passwords can be stronger (longer, more complex and unique) as you don’t need to be able to memorise them.
  • Automatically fills in usernames and passwords for many online forms and applications.
  • Synchronised and accessible across all your devices. Most password managers support a wide range of operating systems, devices and web browsers (via browser plugin or extension), so you can access your passwords anywhere.

Getting started with password managers

There are many personal password manager applications available; basic functionality is usually free, additional features are sometimes available with a subscription or payment. Researching options is recommended to choose a service that is reputable and meets your needs.

Recommended password managers include:

  • LastPass
  • 1Password
  • Norton Password Manager

When setting up a password manager:

  • Use a strong passphrase to protect your password manager account. Enable multi-factor authentication (if available)
  • Install the application on all your devices. Install browser plugins or extensions for any web browsers that you use.
  • Begin storing passwords for your existing accounts in the password manager. Most of the time, it will ask to do this whenever you log in somewhere.
  • Once you have stored a password, you should delete it from any other location it is stored (e.g. email, web browser).

Web browser password storage and Apple ‘iCloud Keychain’

Most web browsers contain built-in password managers and will offer to remember and automatically fill passwords for you. These are not recommended for the following reasons:

  • Access to your passwords only within a specific browser is a significant limitation; standalone password managers applications enable you to access your passwords almost anywhere, which is highly beneficial for most people.
  • Web browsers often permit access to stored passwords without requiring authentication. In these cases, somebody with remote or physical access to your device could gain unrestricted access to your saved passwords via the browser.
  • Web browser password managers often lack features compared to standalone password managers (e.g. MFA).

Apple’s ‘iCloud Keychain’ password manager is available on Apple devices and the Safari browser, unfortunately it does not support non-Apple platforms. Unless you use Apple devices exclusively, a standalone password manager that enables you to access your stored passwords on any device is recommended.

This morning I discovered that one of my favourite bands had released a new album. As a loyal fan looking for some new music to listen to on a Friday in the office, I promptly clicked “Buy Album”.

Normally at this point the album will begin downloading, and thanks to the 100Mbps connection to my desk I’d typically be listening to the album in a minute or two.

Today this was not to be. Instead of my download beginning, a dialog box appeared with the text “To help ensure the security of your Apple ID, you must confirm your password and answer your security questions.”

I was puzzled as I already had a custom security question set on my account in the form of challenge-response. This type of security method is where I set my own question, and then respond with the appropriate answer that’s known only to me (and can be unique for each site).

Apparently this is no longer adequate for Apple, and I’m now being forced to enter three answers from their predetermined list of questions. Questions that, if you know me or even spend some time stalking me on social media, you could probably figure out.

Let’s have a look at these questions and why they’re bad.

Answer #1

Answer #1 requires you to select an answer from one of the following questions:

  • What was the first car you owned?
  • Who was your first teacher?
  • What was the first album you owned?
  • Where was your first job?
  • In which city were you first kissed?

Answer #2

Answer #2 requires you to select an answer from one of the following questions:

  • Which of the cars you’ve owned has been your favourite?
  • Who was your favourite teacher?
  • What was the first concert you attended?
  • Where was your favourite job?
  • Who was your best childhood friend?

Answer #3

Answer #3 requires you to select an answer from one of the following questions:

  • Which of the cars you’ve owned has been your least favourite?
  • Who was your least favourite teacher?
  • Where was your least favourite job?
  • In which city did your mother and father meet?
  • Where were you on January 1, 2000?

Why they’re bad

If you’ve used a social network like Facebook or MySpace you’ve no doubt seen those “fun” questionnaires that get passed around between friends. They contain questions like “What was the first car you owned?” and “Who was your favourite teacher?”. Guess what? Every single one of Apple’s “security questions” I have seen on social network questionnaires over the years.

I’ve never answered one, but I know plenty of people who have. If they use iTunes (and in all likelihood they do if they have an iPod, an iPhone or similar) then they’re going to be vulnerable when Apple forces them to enter these insecurity questions.

Let’s look at some of the other questions. The first question from each list pertains to a car that I’ve owned, except I’ve never owned a car as I live in the city. This immediately excludes this as a possible answer for me.

Other questions ask “in which city were you first kissed”, along with the city where my parents met and where I was on January 1, 2000. It’s not hard to figure out that I was born in Sydney, I grew up in Sydney and I live in Sydney. Could it be possible that the answer to all three of these questions is “Sydney”? Great, these questions are also excluded and even if they weren’t, Apple doesn’t allow the same answer more than once.

We can exclude questions about teachers. I finished school quite some time ago, and don’t remember my first teacher’s name. The same applies to my favourite and least favourite teachers.

Now let’s move to questions about jobs. Many people include their entire work history on sites like Facebook, and to some extent LinkedIn. How do you figure out a least favourite job? Well, looking at a person’s tenure might be a good start. Skip.

That leaves two questions out of the 15 we started with: “What was the first concert you attended?” and “What was the first album you owned?”. I absolutely love music, and own a lot of albums. I’ve been to plenty of concerts too, both as an adult and when I was younger.

And that’s it. It’s not possible for me to answer Apple’s security questions.

How have I overcome this?

I went back to my original challenge-response authentication approach where I would usually set the question and the answer. Except in this case I selected three random questions out of the predefined questions, and entered seemingly random responses.

These responses are as good as a password and have no correlation to the original questions at all.

What should companies do?

Even if a company insists on having one or more security answers, the questions and answers should always be able to be specified by the customer or user.

If someone insists on using an insecure set of questions then that’s their prerogative and is no more secure than where we are now.

It does however allow a user who is more security minded to ensure that their account is indeed secure.


Your passwords are like the keys to your life. And when it seems like there’s another big security breach every week, you want to be absolutely sure your passwords are strong and safe. After all, with just a few keystrokes, a scammer can have full access to your personal information, financial accounts, social media pages and so much more.

But creating those perfect passwords – and remembering them – can be difficult.

Below, we’ve outlined 6 steps for creating and keeping super-strong passwords that will keep scammers guessing.

Step #1: Choose a password manager

With so much of our lives accessible online, it’s more important than ever to keep passwords secure. The best way to do this is to use a password manager. These services will generate strong passwords for all of your financial accounts, favorite websites and social media platforms and then keep them safely encrypted. You will only need to create and memorize one master password, which you will use when logging into all of your accounts.

There are lots of password managers on the market, but the ones that come most highly recommended are 1Password, LastPass and KeePass.

1Password and LastPass are both cloud-based services, and can be vulnerable to remote attacks. However, both services heavily encrypt your data and don’t store your one master password in the cloud. As long as that password is strong, you’ll be safe even if these services get hacked.

Step #2: Create an unbreakable master password

Once you’ve chosen your password manager, create a strong master password. This code can open up every password of yours to potential scammers, so be extra careful about choosing one that is super-secure and virtually unbreakable.

Scammers are becoming increasingly more efficient at password-cracking. They use multiple dictionaries which include English words, names, foreign words, phonetic patterns and more. They look for dates, commonly used substitutions, like “$” for “s,” “@” for “a,” and they run their dictionaries with various capitalizations.

Follow the rules below and you’ll have a strong password.

  • Make it long. Many sites require a password that is a minimum of 8 characters long, but a 12-character password is even stronger.
  • Be creative. Avoid using names, places and recognizable words because these are easily cracked.
  • Mix it up. The best way to keep your password unbreakable is to mix up your capitalization and the kinds of characters you use, switching back and forth from letters to numbers to symbols.
  • Don’t use any variation of these commonly used – and commonly hacked – passwords:
    • 123456
    • 123456789
    • password
    • admin
    • 12345678
    • qwerty
    • 1234567
    • 111111
    • 123123
    • 1234567890
    • 000000
    • abc123
    • 1234
    • iloveyou
    • aaaaaa

    If you’re unsure about your password’s strength, you can run it through an online password checker, like the one on OnlineDomainTools.com.

    Bonus tip: Worried about creating and remembering a long, unbreakable password? Turn a sentence into a password by using mnemonics, misspelled words and symbols that only you will understand. Here are a few to get you started:

    • WOO!TAwonTWS = Woohoo! The Astros won the World Series!
    • D:’(OspldMlk.JdreenqOJ = Don’t cry over spilled milk. Just drink orange juice
    • 1tubuupshrtsin2Mpnts = I tuck button-up shirts into my pants.

    Once you’ve created a super-strong master password, work on memorizing it. Don’t store the password anywhere online or on your phone; write it down on an unmarked piece of paper. Rip up the paper as soon as you’ve committed the password to memory. This should happen fairly quickly since you will be using it quite often.

    Step #3: Update all your passwords

    Next, you’re going to sync all the websites and accounts you use with your password manager. Follow the guidelines on your password manager for this step, as they differ with each service.

    When you’re through, you’ll only be able to log into these sites by using your master password.

    Some sites you use might employ outdated systems that won’t work with a password manager. For these sites, you will need to use different passwords. You can slightly amend your master password for these sites or create new ones using the guidelines above. Never duplicate passwords; use a different one for every site you use.

    Step #4: Use two-factor authentication

    Add another layer of protection by choosing two-factor authentication whenever you have that option.

    Step #5: Be careful with security questions

    Ironically, security questions are extremely insecure. Anyone can Google your dog’s name or your mother’s hometown. And, if all a scammer has to do to retrieve your password with the “I forgot my password” tab is answer a security question, the strongest passwords in the world won’t do you any good.

    Protect yourself by treating security questions like passwords. Never answer them truthfully. Instead, make up mnemonics or nonsensical answers that are hard to crack but easy for you to remember.

    Step #6: Don’t let your browser or phone “remember” your passwords

    Don’t be lazy; keep your passwords in your head and not on your devices. Otherwise, you’ll be in deep trouble if your computer or phone is swiped.

    Keep your passwords strong and safe. You don’t want to be an easy target for scammers!

    Often called “secret” questions and answers, security questions and answers are often used to recover forgotten passwords (see Testing for weak password change or reset functionalities (OTG-AUTHN-009)), or as extra security on top of the password.

    They are typically generated upon account creation and require the user to select from some pre-generated questions and supply an appropriate answer. They may allow the user to generate their own question and answer pairs. Both methods are prone to insecurities. Ideally, security questions should generate answers that are only known by the user, and not guessable or discoverable by anybody else. This is harder than it sounds.

    Security questions and answers rely on the secrecy of the answer. Questions and answers should be chosen so that the answers are only known by the account holder. However, although a lot of answers may not be publicly known, most of the questions that websites implement promote answers that are pseudo-private.

    Pre-generated questions:

    The majority of pre-generated questions are fairly simplistic in nature and can lead to insecure answers. For example:

    • The answers may be known to family members or close friends of the user, e.g. “What is your mother's maiden name?”, “What is your date of birth?”
    • The answers may be easily guessable, e.g. “What is your favorite color?”, “What is your favorite baseball team?”
    • The answers may be brute-forcible, e.g. “What is the first name of your favorite high school teacher?” – the answer is probably on some easily downloadable list of popular first names, and therefore a simple brute force attack can be scripted.
    • The answers may be publicly discoverable, e.g. “What is your favorite movie?” – the answer may easily be found on the user's social media profile page.

    Self-generated questions:

    The problem with having users generate their own questions is that it allows them to generate very insecure questions, or even bypass the whole point of having a security question in the first place. Here are some real world examples that illustrate this point:

    • “What is 1+1?”
    • “What is your username?”
    • “My password is [email protected]$p1N”

    How to Test

    Testing for weak pre-generated questions:

    Try to obtain a list of security questions by creating a new account or by following the “I don’t remember my password”-process. Try to generate as many questions as possible to get a good idea of the type of security questions that are asked. If any of the security questions fall in the categories described above, they are vulnerable to being attacked (guessed, brute-forced, available on social media, etc.).

    Testing for weak self-generated questions:

    Try to create security questions by creating a new account or by configuring your existing account’s password recovery properties. If the system allows the user to generate their own security questions, it is vulnerable to having insecure questions created. If the system uses the self-generated security questions during the forgotten password functionality and if usernames can be enumerated (see Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004)), then it should be easy for the tester to enumerate a number of self-generated questions. It should be expected to find several weak self-generated questions using this method.

    Testing for brute-forcible answers:

    Use the methods described in Testing for Weak lock out mechanism (OTG-AUTHN-003) to determine if a number of incorrectly supplied security answers trigger a lockout mechanism.

    The first thing to take into consideration when trying to exploit security questions is the number of questions that need to be answered. The majority of applications only need the user to answer a single question, whereas some critical applications may require the user to answer two or even more questions.

    The next step is to assess the strength of the security questions. Could the answers be obtained by a simple Google search or with a social engineering attack? As a penetration tester, here is a step-by-step walk-through of exploiting a security question scheme:

    • Does the application allow the end-user to choose the question that needs to be answered? If so, focus on questions which have:
      • A “public” answer; for example, something that could be found with a simple search-engine query.
      • A factual answer such as a “first school” or other facts which can be looked up.
      • Few possible answers, such as “what model was your first car”. These questions would present the attacker with a short list of possible answers, and based on statistics the attacker could rank answers from most to least likely.
    • Does the password reset allow unlimited attempts?
    • Is there a lockout period after X incorrect answers? Keep in mind that a lockout system can be a security problem in itself, as it can be exploited by an attacker to launch a Denial of Service against legitimate users.

      The key to successfully exploiting and bypassing a weak security question scheme is to find a question or set of questions which give the possibility of easily finding the answers. Always look for questions which can give you the greatest statistical chance of guessing the correct answer, if you are completely unsure of any of the answers. In the end, a security question scheme is only as strong as the weakest question.


      If your bank, email, or shopping account is “protected” by these questions, and you answered honestly, someone can probably get into your account in just a few minutes of half-hearted Facebookery.

      Password generator: To the rescue!

      The Insecurity of Security Questions

      What’s wrong with security questions? In short: They’re like passwords, if you told all your friends your passwords, and maybe had the Justice of the Peace write them down in public records to be safe. (I mean, that is one way to avoid forgetting your password, I guess.)

      • They’re biographical.
      • People like to talk about themselves.

      Passwords are intended to be something secret that only you know.

      Security questions, though, have a bad tendency to be a few public or semi-public things that your close friends and family likely know off the top of their head and anyone else could probably dig up with a little work.

      Depending on the specific details, the answer to security questions might be a matter of public record—birth certificates tell where you were born, who your mother was, and what her birth name was. Or a matter of Facebook record, because everyone who follows you knows your favorite animal is “puffer fish,” your favorite book is Old English and Its Closest Relatives, and your favorite color is “octarine.”

      Managing Passwords

      So, security questions are passwords. Luckily, we live in a time of effective and readily available password managers!

      You have your choice of several options, from KeePass through LastPass to 1Password. Pick the one you’ll use and keep using, and hold it close.

      Treating Secret Questions as Passwords

      The key to making secret questions safe is to treat them just like passwords:

      • Generate the secret

      Generate the Answer

      Here’s how you’d do this in 1Password.

      Create a new Login item:


      Find an empty section:


      Name the section “Security Questions” and label the first field with the question:


      Use the dropdown at the end of the field to tell 1Password that the field contains a password. This causes the password generator button to appear:


      Use the password generator button to generate your password:


      I recommend using the “Words” generator to make your life easier. As a bonus, enjoy the unintentional hilarity of asserting things like “my favorite hobby is, ‘trombone gauntlet cordon.’”

      Repeat the process of labeling the field with the question, marking the field as a password and generating a password for all other “security” questions:


      Gotcha: Speakable Answers

      There’s one catch with secret questions, and that’s that you might find yourself needing to read them over the phone some day to a customer service rep.

      You don’t want to find yourself trying to read out, never mind trying to ensure someone else can copy down, fifty characters of gibberish like “charlie uppercase-bravo hashmark space delta one niner tilde five…”

      Instead, take advantage of the ability to generate random words. You still rack up password length, but you have an easy shorthand to communicate your answer to anyone, because you can rely on their ability to understand and spell English words.

      Gotcha: Answer Length Restrictions

      If you’ve ever used a password generator, you’ve almost certainly run into this for the main password. Sometimes, there’s also a length limit on the security question answer. You’ll just have to keep whacking down the number of words in the generated output and regenerating till you get something short enough.
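As an added example (not 1Password’s code or the article’s), here is a small Python generator that builds the kind of word-based, speakable answer recommended above and shrinks the word count to fit a site’s answer-length limit without silently dropping below a chosen entropy floor. The wordlist is a constructed sample, and the `min_bits` threshold and function names are the example’s own assumptions.

```python
import math
import secrets
from collections.abc import Sequence

# Constructed sample wordlist for this example. A real run would load a
# large list (e.g. the EFF large wordlist, 7776 entries, ~12.9 bits per
# word); with only 26 words each word adds ~4.7 bits.
WORDLIST = (
    "trombone gauntlet cordon puffer octarine lantern meadow quartz "
    "saddle velvet walnut zephyr anchor biscuit cactus dolphin saffron "
    "falcon glacier harbor iguana jasmine kestrel lobster mustard nutmeg"
).split()


def entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Guessing entropy of num_words words drawn uniformly, with
    replacement, from a wordlist of wordlist_size entries."""
    return num_words * math.log2(wordlist_size)


def generate_answer(num_words: int, separator: str = " ",
                    wordlist: Sequence[str] = WORDLIST) -> str:
    """Draw num_words words with the OS CSPRNG (secrets, never random).
    Plain words are easy to read out to a support agent and still add
    length, unlike a string of symbols."""
    if num_words < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(wordlist) for _ in range(num_words))


def generate_answer_within_limit(max_len: int, min_bits: float = 40.0,
                                 max_words: int = 6, separator: str = " ",
                                 wordlist: Sequence[str] = WORDLIST) -> str:
    """Handle the answer-length gotcha: start at max_words and shrink the
    word count until the answer fits in max_len characters. Refuse, rather
    than silently return a weak answer, once the entropy would fall below
    min_bits (a threshold chosen for this example)."""
    size = len(wordlist)
    for num_words in range(max_words, 0, -1):
        if entropy_bits(num_words, size) < min_bits:
            break
        # Word lengths vary, so retry a few draws at this word count
        # before giving up a word.
        for _ in range(20):
            candidate = generate_answer(num_words, separator, wordlist)
            if len(candidate) <= max_len:
                return candidate
    raise ValueError(
        f"no answer with >= {min_bits} bits fits in {max_len} characters; "
        "use a larger wordlist or a shorter separator"
    )


def vault_entry(question: str, answer: str) -> str:
    """Store the question next to its answer, as the article advises,
    so the pairing can be looked up when the site asks again."""
    return f"{question}: {answer}"


if __name__ == "__main__":
    question = "What was the first album you owned?"
    answer = generate_answer_within_limit(max_len=60, min_bits=25.0)
    print(vault_entry(question, answer))
    print(f"{entropy_bits(len(answer.split()), len(WORDLIST)):.1f} bits")
```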

      There’s often terrible messaging around this, including the case where you get no feedback aside from getting dropped back at the form, with a mysterious error message if you’re extra unlucky.

      Like this case, where all the “must…” requirements have a green checkmark, and the website still hates my password and/or security questions:


      Take a deep breath, and keep trying. You’ve only got to set this stuff up once; as insecure as security questions try to be, at least no-one tries to make you rotate your answers to them!


      The Role of Multi-factor Authentication for Modern Day Security

      Abstract

      Multi-factor Authentication (MFA), often referred to as Two-factor Authentication (2FA), which is a subset of MFA, is the practice of implementing additional security methods on top of a standard username and password to help authenticate the identity of a user and increase the security of data. This chapter will investigate the problem with username and password logins, the different types of authentication, current best practice for multi-factor authentication and interpretations about how the technology will grow in the upcoming years.


      Passcodes from SMS or authenticator apps are better than passwords alone, but hackers can exploit their weaknesses.

      Stephen Shankland has been a reporter at CNET since 1998 and covers browsers, microprocessors, digital photography, quantum computing, supercomputers, drone delivery, and other new technology. He has a soft spot in his heart for standards groups and I/O interfaces. His first big scoop was about radioactive cat poop.

      Editor’s note: In recognition of World Password Day, CNET is republishing a selection of our stories on improving and replacing passwords.

      You’ve probably heard this security advice: protect your accounts by using two-factor authentication. You’ll make life hard for hackers, so the reasoning goes, if you pair a password with a code sent by text message or generated by an app like Google Authenticator.

      Here’s the problem: It can be easily bypassed. Just ask Twitter Chief Executive Jack Dorsey. Hackers gained access to Dorsey’s Twitter account using a SIM swap attack that involves fooling a carrier into switching mobile service to a new phone.

      For a broader look, check CNET’s coverage this week about password problems, some fixes like hardware security keys and password managers that you can start using today, reasons why some old password-picking rules are now obsolete and a cautionary tale about what can go wrong with a password manager.

      Banks, social networks and other online services are moving to two-factor authentication to stem a torrent of hacks and data theft. More than 555 million passwords have been exposed through data breaches. Even if yours isn’t on the list, the fact that so many of us reuse passwords — even alleged hackers themselves — means you’re likely more vulnerable than you think.

      Don’t get me wrong. Two-factor authentication is helpful. It’s an important part of a broader approach called multifactor authentication that makes logging in more of a hassle but also makes it vastly more secure. Like the name suggests, the technique relies on combining multiple factors that embody different qualities. For example, a password is something you know and a security key is something you have. A fingerprint or face scan is simply part of you.

      Authentication code interception

      Code-based two-factor authentication, however, doesn’t improve security as much as you’d hope. That’s because the code is just something you know, like your password, even if it has a short shelf life. If it’s swiped, so is your security.


      Hackers can create fake websites to intercept your information, for example using software called Modlishka, written by a security researcher who wants to show how seriously susceptible websites are to attack. It automates the hacking process, but there’s nothing stopping attackers from writing or using other tools.

      Here’s how an attack works. An email or text message lures you to the fake website, which hackers can automatically copy from the originals in real time to create convincing fakes. There, you type in login details and the code you got by SMS or an authenticator app. The hacker then enters those details into the real website to get access to your account.

      SIM swapping attacks

      Then there’s the SIM swap attack that got Twitter’s Dorsey. A hacker impersonates you, convincing an employee at a carrier like Verizon or AT&T to switch your phone service to the hacker’s phone. Each phone has a discrete chip — a subscriber identity module, or SIM — that identifies it to the network. By moving your account to a hacker’s SIM card, the hacker can read your messages, including all your authentication codes sent by SMS.

      Don’t dump two-factor authentication just because it isn’t perfect. It’s still vastly better than a password alone and more resistant to large-scale hack attempts. But definitely consider stronger protections, like hardware security keys, for sensitive accounts. Facebook, Google, Twitter, Dropbox, GitHub, Microsoft and others support that technology today.

      In light of major data breaches at retailers such as Home Depot and Target, please take a moment to review a few tips to help keep your accounts secure.

      • Be sure to use unique passwords for all financial online accounts. Never share or duplicate usage of your password, account number, PIN, or answers to security questions.
      • Monitor all of your financial accounts and report any suspicious activity, such as false or multiple charges, to your bank immediately.
      • Do not save credit or debit card, banking account or routing numbers, or other financial information on your computer, phone or tablet.
      • Be vigilant about using a password on mobile devices. Be sure to set your devices to automatically lock up after a selected period of time to ensure no one can access your smartphone, tablet, or laptop.
      • Do not provide your secure financial information over the phone or Internet if you are unsure of who is asking for it. Contact your community bank directly using the phone number from your bank statement or telephone directory, or stop in the bank to speak with someone in person. Remember, your community bank will never contact or text you asking for personal or banking information. Assume any unsolicited text request is fraudulent.
      • Be aware of the location of your mobile devices (smartphones, tablets) at all times. Only log on to financial websites when you have a secure, safe, and trusted internet connection.

      If you think your financial data has been compromised, please notify the Bank immediately. The sooner the suspicious activity is identified, the sooner it can be resolved.



      Every IT asset in your firm has a shared security characteristic—it’s only as secure as the password protecting it. Unfortunately, high-profile security breaches have shown over and over again that the majority of people use the same password for many, if not all, of their password-protected applications.

      This creates a dangerous gateway for attackers—if they’re able to uncover your password through a single insecure website, many of the critical systems in your office could be exposed.

      To protect your personal information and secure your office, you need to take steps to diversify and strengthen your passwords.

      Utilize a Password Manager

      The first step toward strengthening the passwords in your office is utilizing a password manager. Password managers, like 1Password or Keychain Access, provide a secure way for you to generate and store passwords for your various devices and applications. A password manager generates a different, strong password any time you need one, and you only need to remember a single, master passphrase to gain entry to your password manager. Basic password managers will secure and store passwords for a single device, while more advanced versions will allow a single user to manage passwords across multiple devices.

      It’s worth noting, however, that your password manager will only be as secure as the password you create for it. To ensure security, you’ll want to create a sophisticated passphrase for your password manager. Some tips for successfully doing this include:

      • Use both upper- and lowercase letters
      • Mix punctuation and numbers into your passphrase
      • Use a minimum of 12 characters
      • Don’t use a single word, slang phrase, or acronym in any language; a passphrase made of several randomly chosen words is fine, because its strength comes from length and randomness rather than from the words being obscure
      • Don’t include any personal information, like birthdays, social security numbers, or family names


      Every time a new website, application, or device asks you to create a password, let your password manager generate a unique password for you. Store this password in the manager with the name of the site / device the password is for, as well as your username.

      If a site or application asks you to answer security questions to recover a forgotten password, let your password manager generate these answers as well: a random string cannot be looked up on social media or picked from a short list of common answers. Just make sure you save the questions themselves in your password manager alongside their corresponding generated answers (e.g., “First car make and model: 3LIF937kLN!345Jb”).
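As an added example (not code from the original article), the following Python generates the kind of master passphrase and random security-question answers the tips above describe, stores each answer alongside its question the way a vault entry would, and works out the entropy behind the 12-character recommendation. The word list is a constructed 25-word stand-in for a real list such as the EFF long list; the entropy formula does not depend on which list is used.

```python
import math
import secrets
import string

# Constructed, deliberately tiny word list for an offline demo. A real
# passphrase generator uses a published list such as the EFF long list
# (7776 words); the entropy formula below is the same either way.
DEMO_WORDS = [
    "anvil", "bishop", "cactus", "drizzle", "ember", "falcon", "glacier",
    "harbor", "iguana", "jigsaw", "kettle", "lantern", "marble", "nectar",
    "oyster", "parcel", "quartz", "raven", "saddle", "tundra", "umpire",
    "velvet", "walnut", "yonder", "zephyr",
]

# 52 letters + 10 digits + 12 punctuation symbols = 74 symbols
ANSWER_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent, uniformly random picks from an
    alphabet of `alphabet_size` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def passphrase(n_words: int, words=DEMO_WORDS) -> str:
    """Master passphrase: n words chosen uniformly at random with the CSPRNG
    (secrets, not random). Strength comes from length and list size, not from
    the words being obscure."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def random_answer(length: int = 16) -> str:
    """A throwaway 'security question' answer that has no relation to the
    user's life and therefore cannot be looked up or guessed from a list."""
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


def vault_entry(site: str, username: str, questions) -> dict:
    """One record as a password manager would store it: the generated
    password plus each security question text mapped to its random answer,
    so the answer can be found again when the site asks for it."""
    return {
        "site": site,
        "username": username,
        "password": random_answer(20),
        "security_questions": {q: random_answer() for q in questions},
    }


def compare_strength() -> dict:
    """Entropy of the recommendations on this page, side by side."""
    return {
        # 12 characters drawn from the ~95 printable ASCII symbols
        "12_char_random": entropy_bits(95, 12),
        # 6 words from a 7776-word Diceware-style list
        "6_word_diceware": entropy_bits(7776, 6),
        # 16-character random security answer from the alphabet above
        "16_char_answer": entropy_bits(len(ANSWER_ALPHABET), 16),
    }


if __name__ == "__main__":
    entry = vault_entry("bank.example", "alice",
                        ["First car make and model", "Mother's maiden name"])
    print(passphrase(6))
    print(entry)
    print(compare_strength())
```

A six-word passphrase from a 7776-word list (about 77.5 bits) is in the same class as 12 fully random printable characters (about 78.8 bits) and is far easier to type and remember, which is why the master passphrase should be built that way rather than from a memorable sentence.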

      Enable Multi-Factor Authentication

      Add another layer of security to your devices and accounts by enabling multi-factor authentication (MFA), of which two-factor authentication (2FA) is the most common form. MFA is increasingly available on websites and software applications, and requires you to supplement a username and password with a second factor, usually a short-lived code generated in real time by an authenticator app on your phone or sent to your phone by SMS. Prefer the app-generated code where a site offers it, since SMS codes can be intercepted or redirected by SIM-swap fraud. An attacker who has only your password, whether from a breach or a phishing page, still cannot sign in without that second factor.

      Remember, a strong, secure password is the best defense against an attacker trying to gain access to your firm’s most important systems. Use a password manager to generate unique, diverse, and secure passwords for each and every account you have. Whenever available, also enable multi-factor authentication to add another layer of protection for your sensitive information. In our next security step, we’ll examine another way to improve security in your firm—strengthening access to your Wi-Fi network.

      To learn more about improving security in your firm, download our latest e-book, “Building a Secure Practice: A guide for CPAs,” which offers step-by-step instructions for implementing security best practices.

      We have a range of technologies to keep your info secure. But it’s also important that you do a few things to keep your money safe.

      Protecting your account & cards

      Control your security settings

      The CommBank app and NetBank have a range of security features to keep you in control. You can:

      • Change your card PINs instantly
      • Lock your card temporarily if it’s lost or stolen
      • Lock in-store or online international transactions

      Keep a close eye on your account

      Turn Transaction Notifications on and we’ll instantly alert you when a transaction is made on your CommBank debit or credit card. It’s also important to regularly check your transaction history in NetBank or the CommBank app.

      If you spot anything unusual, call us on 13 2221 at any time.

      Register for NetCode

      For an added layer of security, register for NetCode so we can send you an SMS or push notification with a time-sensitive password, when you need to complete certain transactions. It’s an extra step to ensure you’re in control of what’s happening with your account.

      Update your payment limits

      Review your transfer, BPAY and International money transfer limits, to make sure they are suitable for your needs. If you don’t need to make any large transfers or payments, consider reducing them.

      Keep your account details safe

      If you need to be paid by someone you don’t know, consider using PayID. Once registered, you can receive payments without needing to share personal information such as your BSB or account details.

      Update your contact details

      We have advanced security and fraud detection systems in place, monitoring your account 24/7. If we notice any suspicious activity on your account, we’ll contact you, so keep your phone number and email address up to date so that we can reach you quickly.


      Staying safe online

      Avoid public Wi-fi

      Public Wi-Fi isn’t always safe and may enable cybercriminals to access your information. If you need to use public Wi-Fi, avoid online banking or online shopping when using networks you aren’t familiar with. Also switch off ‘auto-connects’, so you’re always in control of your Wi-Fi connections.

      Protect social media and email accounts

      Think twice before sharing sensitive personal information on your social media accounts. Hackers and cybercriminals often look to social media for personal information that can be used to aid identity theft and fraud. Ensure you aren’t sharing personal data online, including your address, birthdate, family information and even pet names.

      And remember to use different passwords for each of your accounts, change any password promptly if you suspect it has been exposed (current guidance such as NIST SP 800-63B favours this over routine scheduled changes), and enable two-factor authentication.

      Use anti-virus software

      Ensure you have the right level of protection for your laptop and computers. Anti-virus software helps protect against viruses, spyware and other malware, and many products also flag phishing sites and spam, but it is not a complete defence on its own. Keep your anti-virus software up-to-date and check regularly that it still meets your needs.

      Watch our free online security webinars

      To help you understand some of the ways you can protect yourself online, we’ve arranged for a CommBank online security professional to provide you with some tips via an online seminar.

      Practise your online banking skills in a safe environment

      Visit beconnected.esafety.gov.au to access a free online course that teaches you how to perform common banking tasks securely from home.

      Need help?

      If you’re worried about the security of your account or information, we can help:

      Important information

      As the advice on this website has been prepared without considering your objectives, financial situation or needs, you should, before acting on the advice, consider its appropriateness to your circumstances. View our Financial Services Guide. Terms and Conditions for these products and services are available online or from any branch of the Commonwealth Bank. The Terms and Conditions should be considered before making any decision about these products.


      From Wired magazine:

      … the Palin hack didn’t require any real skill. Instead, the hacker simply reset Palin’s password using her birthdate, ZIP code and information about where she met her spouse — the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.

      We cannot trust such security questions to reset forgotten passwords.
      How do you design a better system?



      The insecurity of so-called “security questions” has been known for a long time. As Bruce Schneier puts it:

      The result is the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers.

      What can one do? My usual technique is to type a completely random answer — I madly slap at my keyboard for a few seconds — and then forget about it. This ensures that some attacker can’t bypass my password and try to guess the answer to my secret question, but is pretty unpleasant if I forget my password. The one time this happened to me, I had to call the company to get my password and question reset. (Honestly, I don’t remember how I authenticated myself to the customer service rep at the other end of the phone line.)

      I think the better technique is to just send an e-mail with a link they can use to generate a new random password to the e-mail account the user originally used to register. If they didn’t request a new password, they can just ignore it and keep using their old one. As others have pointed out, this wouldn’t necessarily have helped Yahoo, since they were running an e-mail service, but for most other services e-mail is a decent authentication measure (in effect, you foist the authentication problem off on the user’s e-mail provider).

      Of course, you could just use OpenID.
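The e-mail reset link the answer above recommends is only as good as the token behind it. As an added example, not code from any answer in this thread, the following Python shows the server-side handling: a 256-bit random token, stored only as its SHA-256 hash so a database leak does not yield live links, bound to one user, expiring after fifteen minutes, voided by any newer request for the same user, and consumed on first use. ResetTokenStore, TOKEN_TTL_SECONDS and the link format are this example’s own names.

```python
import hashlib
import secrets

TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """Server-side state for e-mailed password-reset links.

    Only a SHA-256 hash of the token is stored, so a leaked database does not
    hand an attacker live reset links. Each token is bound to one user, expires,
    and can be consumed exactly once. Times are passed in explicitly so the
    behaviour is testable; a real service would use time.time().
    """

    def __init__(self):
        self._tokens = {}  # token_hash -> {"user": ..., "expires": ..., "used": bool}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, now: float) -> str:
        """Create a 256-bit random token and return the value that goes into
        the e-mailed link. Any earlier token for the same user is voided, so a
        stale link in an attacker's hands dies as soon as the owner asks again."""
        for rec in self._tokens.values():
            if rec["user"] == user:
                rec["used"] = True
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = {
            "user": user, "expires": now + TOKEN_TTL_SECONDS, "used": False,
        }
        return token

    def redeem(self, token: str, now: float):
        """Return the user the token belongs to, or None. Lookup is by hash,
        and the record is marked used before returning so it cannot be replayed."""
        rec = self._tokens.get(self._digest(token))
        if rec is None or rec["used"] or now > rec["expires"]:
            return None
        rec["used"] = True
        return rec["user"]


def request_reset(store: ResetTokenStore, email: str, users: dict, now: float):
    """Entry point for the 'forgot password' form. The visible response is the
    same whether or not the address exists, so the form cannot be used to
    enumerate accounts; the token only ever travels in the e-mail."""
    token = store.issue(users[email], now) if email in users else None
    return "If that address is registered, a reset link has been sent.", token


def reset_link(base_url: str, token: str) -> str:
    return f"{base_url}/reset?token={token}"


if __name__ == "__main__":
    store = ResetTokenStore()
    msg, tok = request_reset(store, "alice@example.com",
                             {"alice@example.com": "alice"}, now=0.0)
    print(msg, reset_link("https://example.com", tok))
    print(store.redeem(tok, 60.0), store.redeem(tok, 61.0))
```

Everything here still rests on the user’s mailbox being secure, which is the point the next answers make; what the code removes are the server-side ways of losing the race (predictable tokens, tokens stored in the clear, links that never expire or work twice).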

      Out-of-band communication is the way to go.

      For instance, sending a temporary password in SMS may be acceptable (depending on the system). I’ve seen this implemented often by telecoms, where SMS is cheap/free/part of business, and the user’s cellphone number is pre-registered.

      Banks often require a phone call to/from a specific number, but I personally am not too crazy about that.

      And of course, depending on the system, forcing the user to come in to the branch office to personally identify themselves can also work (it just royally annoys the user).

      Bottom line, DON’T create a weaker channel to bypass the strong password requirements.

      Having seen a lot of posters suggest email, all I can suggest is DON’T use email as your line of defense.

      Compromising somebody’s email account can be relatively easy. Many web-based email services DON’T provide any real security either, and even if they offer SSL, it’s often not the default and you are still relying on the weakness of the email password to protect the user (which, in turn, has a reset mechanism most of the time).

      Email is one of the most insecure technologies, and there are good reasons why it’s a really bad idea to send information like credit card details over it. Messages are usually transmitted between servers in plaintext, and equally often between server and desktop client equally unencrypted, and all it takes is a wire sniff to get the reset URL and trigger it. (Don’t say I’m paranoid, because banks use SSL encryption for a good reason. How can you trust that the 20-200 physical devices on the route have good intentions?)

      Once you get the reset data, you can reset the password, and then change your (their) email address, and have permanent control of their account (it happens all the time).

      And if they get your email account, all they have to do is have a browse through your inbox to find whom you’re subscribed with, and then easily reset the password ON ALL OF THEM.

      So now, using email-based security can lead to a propagating security weakness! I’m sure that’s beneficial!

      The question being asked is one I figure is almost impossible to do with software alone. This is why we have 2-factor authentication with hardware dongles that respond to challenges with their own unique private key signature, and only if you lose that are you screwed, and you then have to deal with a human (oh no) to get a new one.

      If you have forgotten your CWL password, you can retrieve it by using the password recovery system. You will be prompted to answer three security questions to verify your identity. After answering these questions, your password will be reset and you will be able to access your account.

      If you created a CWL account before June 21, 2005, you will need to recover your password by providing the answer to your secret question.

      How to Reset Your Password

      1. Go to CWL myAccount.
      2. Click Forgot your password? in the log in box.
      3. Follow the instructions outlined by the wizard.

      Secret Questions vs. Security Questions

      Secret Question Method

      The old “secret question” method (before June 21, 2005) uses a single question that people created – and then answered – when they first registered for CWL. When account holders reset their password with this method, they need to prove their identity by entering the answer to their secret question.

      But CWL account holders must remember the question they created, in addition to the answer. We modified CWL so that it does not display the secret question on the password reset page. We took this measure after we discovered that people were creating insecure questions, such as “What colour is the sky?”

      The New System

      The new system uses three security questions to verify your identity. People signing up for CWL for the first time, and people updating their accounts must provide the answers to these security questions.

      CWL will display your security questions and request that you answer them during the password reset process.

      To help verify a user’s identity in the case of a lost password, many Web applications use secret questions. By answering a pre-selected question, a user can demonstrate some personal knowledge of the account owner. A classic example is asking to provide a mother’s maiden name.

      Answering secret questions requires some knowledge of the user account, but secret questions break all the rules for strong passwords and have some significant weaknesses:

      • An attacker can sometimes discover the information with little research;
      • The answer to the question is usually a fact that will never change;
      • Users reuse the same secret questions and answers across multiple Web sites;
      • Someone close to the individual could know the answers to many of the questions;
      • People rarely change their secret questions;
      • The answers are often case-insensitive and usually contain a limited character set;
      • Some questions have a limited number of answers; and
      • With some questions, many people will have the same common answers.

      Secret questions usually ask for an obscure fact that hopefully only the account owner would know and supposedly would never forget. Many Web sites assume that the user providing the answer to the question is sufficient to identify the user. However, many secret questions ask for facts that anyone could discover with little research. To make things worse, if someone discovers this information, you cannot just change a fact from the past.

      Countless Web sites provide great tips on avoiding easily guessed passwords but then turn around and ask for a pet dog’s name or what city you were born in to answer a secret question.

      Even if an attacker knows nothing about the target user, the nature of secret questions limits the possible range of answers. For example, consider the questions and ranges of answers shown in Table 1. As the table shows, many secret questions have so few possible answers that a brute-force attack against these secret questions is completely feasible. To make matters worse, some Web sites fail to detect or prevent brute-force attacks against secret questions. For years, security experts have told people to avoid using pet names, family names, or dates in passwords, but secret questions go directly against that advice.

      The key to properly using secret questions is to understand that they should never be the equivalent of a password. You should only use them to initiate a password reset, to prevent anonymous attacks against the password reset process. Providing the answer to a secret question should never be enough to validate a user, but combined with other factors, such as having access to the user’s e-mail account, secret questions can be effective in helping to identify a user.

      The greatest threat with secret questions is that the answer is usually fixed and an attacker can sometimes discover this information through research. Because there is usually a limited set of answers to secret questions, they are also vulnerable to brute-force attacks. Finally, secret questions are usually ineffective against attacks by people close to the user. Individuals such as ex-spouses, once-close business associates, or wayward teenage children may have sufficient information and sufficient motivation to break into a user’s account.

      Designing Secret Questions

      The key to successful secret questions is to clearly define their role as just one part of the password retrieval process. They prevent password resets without some personal knowledge of the user. Design the system to be flexible with secret questions and answers, allowing users to disable secret questions or requiring a telephone call for final confirmation. Another effective technique for security-sensitive Web applications is to allow or require users to answer more than one secret question.

      Avoid allowing users to select their own questions, since most users are not qualified to select strong enough questions. Sites that allow users to select their own secret questions end up with insecure questions such as:

      • What year were you born?
      • What is your password?
      • What is the capital of Georgia?

      Select effective questions, carefully considering the possible range of answers as well as the likelihood of common answers. Use unique questions, and try to avoid subjects that return short, one-word answers. Also, try to avoid questions that others commonly use, such as mother’s maiden name, pet name, or high school. But keep in mind that you should ask questions that users will always answer the same way.

      Establish a large list of questions, but provide a short, random list from which users can select their own questions. For users more concerned with security, you might want to provide an advanced option to select from a larger list of secret questions.

      If the user provides a predetermined number of incorrect answers to the security question, you might not want to return an error, but instead send the user an e-mail explaining that he or she answered incorrectly. This will prevent brute-force attacks against the secret question process and alert users to a possible attack against their accounts.
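As an added example that follows the design advice in the two sections above (it is not code from the original article), this Python treats the secret question as a gate in front of the reset flow: answers are normalized and stored as salted PBKDF2 hashes, a correct answer only earns the next step, and after a fixed number of failures the gate stops giving feedback and flags the account for the e-mail alert described in the last paragraph. The brute_force function shows the attack the article warns about, against a constructed twelve-colour answer list, with and without the lockout; SecretQuestionGate and COMMON_COLOURS are this example’s own names.

```python
import hashlib
import hmac
import secrets
import unicodedata

PBKDF2_ITERATIONS = 20_000  # kept low so the demo runs quickly; raise in production


def normalize(answer: str) -> str:
    """Canonicalize so '  Wasilla HIGH ' and 'wasilla high' match. Every
    distinction folded away here (case, spacing, Unicode form) is one the
    attacker no longer has to guess, so fold only what users actually need."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, slow hash: answers are low-entropy secrets and must not be
    stored in the clear (or as a fast hash) any more than passwords are."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt,
                               PBKDF2_ITERATIONS)


class SecretQuestionGate:
    """Secret questions as a gate in front of the reset flow, never as the
    reset itself: 'pass' only earns the next step (e.g. an e-mailed link).
    After max_failures, the response stops revealing whether an answer was
    right and the account is flagged so the real owner can be notified."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self._records = {}  # user -> {"salt", "hash", "failures", "alerted"}

    def enroll(self, user: str, answer: str) -> None:
        salt = secrets.token_bytes(16)
        self._records[user] = {"salt": salt, "hash": hash_answer(answer, salt),
                               "failures": 0, "alerted": False}

    def check(self, user: str, answer: str) -> str:
        """Returns 'pass', 'fail' or 'locked'."""
        rec = self._records[user]
        if rec["failures"] >= self.max_failures:
            rec["alerted"] = True  # the caller e-mails the account owner here
            return "locked"
        if hmac.compare_digest(hash_answer(answer, rec["salt"]), rec["hash"]):
            rec["failures"] = 0
            return "pass"
        rec["failures"] += 1
        return "fail"

    def needs_alert(self, user: str) -> bool:
        return self._records[user]["alerted"]


def brute_force(gate: SecretQuestionGate, user: str, candidates):
    """What an attacker does to a question with a small answer space.
    Returns (answer_found_or_None, attempts_made)."""
    for i, guess in enumerate(candidates, 1):
        result = gate.check(user, guess)
        if result == "pass":
            return guess, i
        if result == "locked":
            return None, i
    return None, len(candidates)


# Constructed candidate list: "favourite colour" has only a dozen common answers.
COMMON_COLOURS = ["red", "blue", "green", "yellow", "black", "white",
                  "purple", "orange", "pink", "brown", "grey", "gold"]

if __name__ == "__main__":
    unguarded = SecretQuestionGate(max_failures=10 ** 9)
    unguarded.enroll("bob", "Purple")
    print("no lockout:", brute_force(unguarded, "bob", COMMON_COLOURS))
    guarded = SecretQuestionGate(max_failures=5)
    guarded.enroll("carol", "Purple")
    print("with lockout:", brute_force(guarded, "carol", COMMON_COLOURS),
          "alert:", guarded.needs_alert("carol"))
```

Without the failure limit the twelve-colour list yields the answer on the seventh try; with it, the attacker is stopped after five wrong guesses, the sixth request returns the same non-answer whatever is submitted, and the owner gets an e-mail instead of the attacker getting an error message to refine against.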

      Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password? On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like t758A! could be an account password or a complex Hello PIN. It isn’t the structure of a PIN (length, complexity) that makes it better than an online password, it’s how it works. First we need to distinguish between two types of passwords: local passwords are validated against the machine’s password store, whereas online passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password.


      PIN is tied to the device

      One important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your online password can sign in to your account from anywhere, but if they steal your PIN, they’d have to steal your physical device too!

      Even you can’t use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.

      PIN is local to the device

      An online password is transmitted to the server — it can be intercepted in transmission or stolen from a server. A PIN is local to the device — it isn’t transmitted anywhere and it isn’t stored on the server. When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server. However, note that even though local passwords are also local to the device, they are still less secure than a PIN, as described in the next section.

      For details on how Hello uses asymmetric key pairs for authentication, see Windows Hello for Business.

      PIN is backed by hardware

      The Hello PIN is backed by a Trusted Platform Module (TPM) chip, a secure crypto-processor designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Many modern devices have a TPM. Local Windows 10 passwords, on the other hand, are not bound to the TPM: they are verified against the machine’s password store rather than gated by the chip, so the TPM’s anti-hammering protection does not apply to them. This is why PINs are considered more secure than local passwords.

      User key material is generated and kept within the Trusted Platform Module (TPM) of the user’s device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs and the server holds only the public key, users’ credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised.

      The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
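The protocol the last three sections describe, modelled in Python as an added example (this is not Microsoft’s code, and no real TPM or Windows API is used): the device keeps the private key wrapped under a key derived from the PIN, verifies the PIN locally and counts failures, and signs a one-time nonce from the identity provider, which holds only the public key. The RSA here is unpadded textbook RSA with a 512-bit modulus, chosen only so the example runs in pure Python; it is not a usable signature scheme, and the Device and Server classes are this example’s own names.

```python
import hashlib
import hmac
import secrets


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, used only to build the toy RSA key below."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(bits: int):
    """Textbook RSA with no padding: illustration only, never for real use."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), pow(e, -1, phi)  # (public key, private exponent)


def _digest(nonce: bytes) -> int:
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big")


class Device:
    """Stand-in for the TPM: the private key is wrapped under a PIN-derived key,
    the PIN is checked locally, and failures are counted (anti-hammering).
    Nothing derived from the PIN is ever sent to the server."""

    def __init__(self, pin: str, bits: int = 512, max_tries: int = 5):
        self.public, d = generate_keypair(bits)
        self._nbytes, self._salt = bits // 8, secrets.token_bytes(16)
        kek = self._kek(pin)
        self._wrapped = self._xor(d.to_bytes(self._nbytes, "big"), kek)
        # PIN verifier. In real hardware this check lives inside the TPM, which is
        # what prevents an offline brute force of the PIN against it.
        self._verifier = hashlib.sha256(kek).digest()
        self.max_tries, self.tries, self.locked = max_tries, 0, False

    def _kek(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 10_000, self._nbytes)

    @staticmethod
    def _xor(a: bytes, b: bytes) -> bytes:
        return bytes(x ^ y for x, y in zip(a, b))

    def sign_challenge(self, pin: str, nonce: bytes):
        """Unlock the key with the PIN and sign the server's nonce. Returns the
        signature, or None on a wrong PIN or a locked device."""
        if self.locked:
            return None
        kek = self._kek(pin)
        if not hmac.compare_digest(hashlib.sha256(kek).digest(), self._verifier):
            self.tries += 1
            self.locked = self.tries >= self.max_tries
            return None
        self.tries = 0
        d = int.from_bytes(self._xor(self._wrapped, kek), "big")
        e, n = self.public
        return pow(_digest(nonce), d, n).to_bytes(self._nbytes, "big")


class Server:
    """Identity provider: holds only the public key and issues one-time nonces."""

    def __init__(self, public):
        self.public, self._outstanding = public, set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(32)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, sig) -> bool:
        if sig is None or nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)  # a captured signature cannot be replayed
        e, n = self.public
        return pow(int.from_bytes(sig, "big"), e, n) == _digest(nonce)
```

Contrast this with an online password: there the secret itself crosses the wire and sits on the server, so interception or a server breach yields something reusable anywhere. Here a breached server holds a public key, an intercepted message holds a signature over a nonce that has already been consumed, and guessing the PIN means holding the device while the failure counter runs down.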

      PIN can be complex

      The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set policies for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.

      What if someone steals the laptop or phone?

      To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammering protection locks the device. You can provide additional protection for laptops that don’t have TPM by enabling BitLocker and setting a policy to limit failed sign-ins.

      Configure BitLocker without TPM

      Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:

      Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup

      In the policy option, select Allow BitLocker without a compatible TPM, and then click OK.

      Go to Control Panel > System and Security > BitLocker Drive Encryption and select the operating system drive to protect.

      Set account lockout threshold

      Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:

      Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy > Account lockout threshold

      Set the number of invalid logon attempts to allow, and then click OK.

      Why do you need a PIN to use biometrics?

      Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you’re asked to create a PIN first. This PIN enables you to sign in using the PIN when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.

      If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn’t provide you the same level of protection as Hello.

      Since you are not often prompted to respond to the security questions you set up, you may occasionally forget your questions, or the answers you provided. The easiest way to handle this is when you are logged in to NetSuite. Click the Update Security Questions link in the Settings portlet. Select new questions, or provide answers to your existing questions. See Update Security Questions Link for details.

      If you are attempting to log in to NetSuite and are prompted to answer a security question but cannot remember the answer you gave, you might be required to reset your password or ask your account administrator to do so.

      If an account administrator resets your password, your previously saved security questions are erased and you must set up these questions and answers again. If you reset your own password, the existing security questions and answers are maintained.

      Remember your answers! You will not often be prompted to answer a security question, so it is easy to forget you set them up. If you do forget your answers, the following suggestions should help.

      To deal with forgotten security questions:

      You have six attempts when answering security questions during login. You have 20 attempts when answering security questions during password reset. Try the most likely answers you would have given.

      If the first attempt does not succeed, try again. Keep trying the most logical answers to your security questions.

      Case does not matter, so do not waste an attempt by changing some characters to a different case.

      If you cannot reset your own password, and cannot remember your answers to security questions:

      Update your security questions when you are already logged in to NetSuite.

      Ask your account administrator to reset your password. If your account administrator resets your password, your existing security questions and answers are erased. After your password is reset, you must set up new security questions and answers. If you or your account administrator cannot reset your password, your account administrator can contact Support for assistance.

      Ask your account administrator to designate your role as a two-factor authentication (2FA) required role. Roles that are designated as requiring 2FA are never asked security questions. For more information, see Logging In Using Two-Factor Authentication (2FA).