Passwords. We all use them every single day.
Studies consistently show that people become lazy when it comes to creating a password, with the top spots going to things like “password” and “123456”. But with a little education, you can bring your employees around to changing their habits and choosing stronger passwords.
But what about security questions?
Security questions are used on almost every site where you log in to an account. They are there “just in case” you forget your password and have to recover it by some other means.
In most cases they provide you with a list of security questions to choose from, with most of them asking fairly standard things. Top 10 lists put these at the top:
· What is your mother’s maiden name?
· Who is your favorite author?
· Who is your favorite actor?
· What is your favorite movie?
· What is your favorite book?
· What was your favorite pet’s name?
· Who was your childhood friend?
You’ve probably used one or more of these yourself, over and over again. Yet how secure are they? All are simple questions that can easily be answered with a little bit of research, something a detailed profile on Facebook could make readily available with five minutes of browsing through your page.
While these questions make it relatively easy for an external hacker to gain access to an account, studies also show that it’s not always an external hacker that will be your biggest threat. In some cases, it may be an internal risk. If a co-worker wants to access company data through someone else’s account, what better way than through the account of someone they know? And who’s going to question a co-worker who stands around the water cooler and asks, “what’s your favorite movie”? It’s just the idle chit-chat we engage in all the time.
So what makes a good security question? A good security question typically will have the following characteristics:
Be safe from guessing or research
This is the most important characteristic of a great security question. It should be something that cannot be easily found out by visiting a social media profile page, or that someone could guess simply by being around a person for a short amount of time. After all, walking your dog and calling him by name can release information to everyone at the dog park.
Won’t change over time
If a security question is vague and can have many meanings, it can be easily forgotten as time goes by. Avoid questions that ask for your “favorite” thing, such as “what is your favorite food?” And avoid questions that can fluctuate as you age, change and grow, “where do you want to retire?”
Be memorable to you
We all have things we talk about and share because they are part of our culture, and that is exactly what most security questions are designed around. I’m sure you’ve had conversations with friends, even co-workers, about your very first crush in school, or the first person you ever kissed. But what about the second?
These things are memorable to you, yet they aren’t something we share on a regular basis. They are part of your past, yet don’t come up in regular conversation.
There is one other factor that should be part of online security. When someone forgets a password, having them log in with a security question is an important step, but it should always be part of a two-step process. The second half of authentication should use a code that is sent via email or text to the contact information used to set up the account. This further ensures that only the correct person gains access to the system.
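The two-step recovery flow described above, as an added example that is not part of the original article: the security-question answer is stored and checked like a password (normalized, salted, slow-hashed, constant-time compared), repeated wrong answers lock the flow, and only a correct answer unlocks a short-lived, single-use code that would be delivered out of band. The class and constant names, the 10-minute expiry and the 5-attempt limit are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example of a two-step account recovery: a correct security-question
# answer AND a short-lived one-time code (delivered by email/SMS) are both required.
# Names, limits and the sample answer "Rex" below are illustrative assumptions.

CODE_TTL_SECONDS = 600   # assumed: the one-time code expires after 10 minutes
MAX_ATTEMPTS = 5         # assumed: lock recovery after this many wrong answers
PBKDF2_ROUNDS = 100_000  # slow hash so stored answers resist offline guessing


def normalize_answer(answer: str) -> str:
    """Treat 'Rex ', 'rex' and ' REX' as the same answer (case/whitespace-insensitive)."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes = b"") -> tuple:
    """Store the answer like a password: random salt + PBKDF2-HMAC-SHA256.
    Returns (salt, digest); a fresh salt is generated when none is supplied."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


class RecoveryFlow:
    """One password-recovery session for a single account."""

    def __init__(self, stored_salt: bytes, stored_digest: bytes, now=time.time):
        self.salt = stored_salt
        self.digest = stored_digest
        self.now = now                 # injectable clock so expiry can be exercised
        self.failed = 0
        self.pending_code = None       # (code, expires_at) once issued
        self.step1_passed = False

    def check_answer(self, answer: str) -> bool:
        """Step 1: verify the security-question answer."""
        if self.failed >= MAX_ATTEMPTS:
            return False               # locked out: stop evaluating further guesses
        _, candidate = hash_answer(answer, self.salt)
        if hmac.compare_digest(candidate, self.digest):
            self.step1_passed = True
            return True
        self.failed += 1
        return False

    def issue_code(self) -> str:
        """Step 2a: only after step 1, mint a 6-digit code to send out of band."""
        if not self.step1_passed:
            raise PermissionError("security answer not yet verified")
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending_code = (code, self.now() + CODE_TTL_SECONDS)
        return code   # a real system sends this to the account's email/phone

    def check_code(self, code: str) -> bool:
        """Step 2b: accept the code once, and only before it expires."""
        if not self.step1_passed or self.pending_code is None:
            return False
        expected, expires_at = self.pending_code
        self.pending_code = None       # single use, whatever the outcome
        if self.now() > expires_at:
            return False
        return hmac.compare_digest(expected.encode("utf-8"), code.encode("utf-8"))


if __name__ == "__main__":
    salt, digest = hash_answer("Rex")          # enrolment: answer stored hashed
    flow = RecoveryFlow(salt, digest)
    print("wrong answer accepted?", flow.check_answer("Fido"))
    print("right answer accepted?", flow.check_answer("  rex "))
    code = flow.issue_code()                   # would be emailed/texted, not printed
    print("code accepted?", flow.check_code(code))
    print("code reusable?", flow.check_code(code))
```

Because the answer digest is never compared with `==` and the code is single-use and time-boxed, a leaked answer alone (the "favorite movie" overheard at the water cooler) is not enough to take over the account; the attacker would also need access to the inbox or phone on file.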