5/27/15
7:10 am

Better Answers to Security Questions

One of the weak spots of online security is the security question: questions like "What was the name of your first pet?" or "Which high school did you attend?" Real answers, and even made-up answers that look like real ones, make it easier for your account to be broken into. There is a way to make this weak spot more secure.

Video Transcript
Hi, this is Gary with MacMost.com. On today's episode let's take a look at coming up with better answers to security questions to keep your online accounts more secure.

This is one of the tips I give in my book The Practical Guide to Mac Security. It's about those security questions: when you're asked for your mother's maiden name, the name of your first pet, something like that. Lots of different websites ask these questions, and a lot of people make the mistake of putting real answers in there.

These answers can be easily guessed by somebody trying to break into your account. Even if they don't know you, there are only so many common models of first car, common last names, and common pet names. So you shouldn't use real answers. In fact, you shouldn't use fake answers like made-up names or car models either, because a plausible fake is drawn from the same small pool of likely answers and is just as easy to guess.

Instead you should use a much more secure technique that I teach in the book.

So here is one place that you may run into security questions. For your Apple ID, which you should keep very secure, you should almost certainly use Two-Step Verification. But not everybody can. If you don't have a mobile device on you at all times, for instance, then you may not want to use it.

In that case you've got to use the security questions. The problem is that the answers are very easy to guess. Take the name of your first pet: with a list of the top one hundred pet names you could probably guess the answer for more than half of all people.

So even if nobody targets your account specifically, somebody trying to get into many Apple ID accounts at once could get into a few of them just by trying some common pet names, some common car models, and so on. So the solution is to forget about real answers. Don't use fake answers either, like a name that wasn't your first pet's name, because a plausible fake can be guessed just as easily as the real one.

Instead you want to use actual passwords here: randomly generated, strong passwords. That makes it practically impossible for somebody to break into your account through the security questions. Apple, or any other site that asks security questions, doesn't really care about the actual answers. They don't care whether it is a real pet name or not. They just want something you can repeat, whether you call in or enter it into a form online, to prove that you are you.

So the most secure thing to do is to actually use a password there, a randomly generated one. For instance, I can go to Keychain Access, like I showed you last week, create a new password item, and use the little key button here to generate something.

Let's generate something that is letters and numbers, like this; that's easy to read out if you ever have to give it over the phone. I'll copy it from here, and it's automatically filled in here. So I'm going to jump over to the Apple ID form first and paste it, so now it is there as my answer. Then I go back here and name the item, say Apple ID pet, with Apple ID as the account, and save it, so I'll always have it recorded here after I submit the form. I'm never going to memorize this.

I can go back to Keychain Access, look under Passwords for Apple ID pet, and there it is. Another option, which is often easier, is to create a Secure Note. After I've created all of those answers I can do a New Secure Note Item and just enter what I want: pet and its answer, then car and its answer, and so on with whatever I've randomly generated. That gives me easy access to all of them at once, and you can see there are the answers, had I completed that.

It is important to keep that in a secure place. You may even want to write it down or print it out: I can copy it here, paste it into TextEdit, print it out, and store it in my desk. I can also save it in something like LastPass or 1Password or another password manager.

Once you have entered all of those, nobody is going to guess in a million years that the name of your first pet is that. They won't be able to figure it out, because they'll be looking for a real name, not a randomly generated password. That makes your Apple ID account that much more secure, or at least as secure as it probably can be using security questions rather than Two-Step Verification.
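The procedure above is done by hand in Keychain Access. As an added example, not code from the video or from MacMost, here is a small Python script that does the same thing: it generates a fresh letters-and-digits answer per question from the operating system's cryptographic random source (Python's secrets module, not random), compares the entropy of such an answer with the best case for a name picked from a short list, and renders the result as the "pet: ..., car: ..." text you would paste into a Secure Note. The pet-name list is a constructed stand-in for the "top one hundred pet names" the transcript mentions, not real survey data, and all function names are my own.

```python
import math
import secrets
import string

# Letters and digits only, matching the transcript's choice of an answer
# that is easy to read out over the phone (no ambiguous punctuation).
ANSWER_ALPHABET = string.ascii_letters + string.digits

# Constructed sample standing in for a "top pet names" list. Not real data.
COMMON_PET_NAMES = [
    "Max", "Bella", "Charlie", "Lucy", "Buddy", "Daisy", "Rocky", "Molly",
    "Jack", "Sadie", "Toby", "Maggie", "Bailey", "Sophie", "Cooper", "Chloe",
]


def generate_answer(length: int = 16, alphabet: str = ANSWER_ALPHABET) -> str:
    """Return a uniformly random answer drawn with the OS CSPRNG."""
    if length < 1:
        raise ValueError("answer length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def answer_entropy_bits(length: int, alphabet_size: int = len(ANSWER_ALPHABET)) -> float:
    """Bits of entropy in a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


def guessable_entropy_bits(wordlist: list) -> float:
    """Upper bound on the entropy of an answer taken from a wordlist.

    A uniform pick from N names gives log2(N) bits at most; real users favour
    the popular names, so the true figure is lower still.
    """
    return math.log2(len(wordlist))


def is_guessable(answer: str, wordlist: list = COMMON_PET_NAMES) -> bool:
    """True if the answer is on the wordlist (case-insensitive), i.e. it is a
    real or plausible-looking name rather than a random string."""
    lowered = {name.lower() for name in wordlist}
    return answer.strip().lower() in lowered


def build_recovery_record(questions: list, length: int = 16) -> dict:
    """Map each security question to its own fresh random answer, so that one
    leaked answer does not expose the others."""
    return {question: generate_answer(length) for question in questions}


def format_secure_note(record: dict) -> str:
    """Render the record as 'question: answer' lines for a Secure Note or a
    password manager entry."""
    return "\n".join(f"{question}: {answer}" for question, answer in record.items())


if __name__ == "__main__":
    record = build_recovery_record(["pet", "car", "school"])
    print(format_secure_note(record))
    print(f"random 16-char answer: ~{answer_entropy_bits(16):.0f} bits")
    print(f"name from a list of {len(COMMON_PET_NAMES)}: "
          f"~{guessable_entropy_bits(COMMON_PET_NAMES):.1f} bits at best")
```

Running it prints three random answers and the comparison: about 95 bits for a 16-character letters-and-digits answer against 4 bits for a name from a 16-entry list (or under 7 bits for a 100-entry list). The script only prints the note; storing it still means pasting the output into Keychain Access or a password manager, as the transcript shows.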

Comments: 15 Responses to “Better Answers to Security Questions”

    Mike Kracher
    5/28/15 @ 8:48 am

    I don’t see any security in these in-depth passwords if they are stored in my system. If I get hacked the first place any hacker would look is KeyChain to find all my passwords so what good is that? Please enlighten me.
    Thanks

      5/28/15 @ 8:58 am

      Getting hacked would require physical access to your Mac in most cases, plus guessing your password (a strong password, right?). But an easy-to-guess security question or password is vulnerable to mass attack from bot networks.

    David Smith
    5/28/15 @ 7:48 pm

    The way I see it, secondary password questions are a false sense of security.
    OK, so my passwords are secure with false alpha-numeric answers.
    But there is always the back-door of “click here if you forgot your password”.
    Can hackers just not hijack your email and have a new password delivered to their doorstep?
    So really, everything comes down to the password security of your email account... correct? ...or am I missing something?
    David

      5/28/15 @ 8:49 pm

      Yes, you are right in that protecting your email account is of the utmost importance. You’ve got to either use strong passwords or two-step authentication on those. I teach that in the book.
      In many cases, though, the account in question IS your email account, and the security questions are the only way to gain access if you are locked out. And you usually aren’t given an option to not use the security questions, so you have to make them secure as well.
      So you’ve got to do both in many cases. And watch out for email accounts that let you give an alternative email address for recovery purposes. iCloud lets you do this. If that backup alternative email is something like a Yahoo or Hotmail email address with a weak password, then that is your weak point.

    Pete S.
    5/29/15 @ 12:17 am

    I cannot figure out how to make these application PWs available on my iOS devices. I made entries in KEYCHAIN LOGIN and iCLOUD but still cannot see them on my iPad (iOS 8.3). Did I miss something?

      5/29/15 @ 6:03 am

      Check your System Preferences, iCloud on your Mac and your Settings, iCloud on your iPad to make sure both are set to on for Keychain.

        Pete S.
        5/29/15 @ 6:44 am

        Thank you for your reply. That was the 1st thing I did when I could not see the new appl PWs. Checked again just now and they are KEYCHAIN on and to the same Apple ID. Where should I be seeing these on the iPad. I looked everywhere I could think of. All the website info is there but not those appl PWs.

          5/29/15 @ 6:51 am

          In the Settings app, in the iCloud category.

            Pete S.
            5/29/15 @ 7:39 pm

            So here’s the deal. If you create an APPLICATION PASSWORD (pen icon in keychain app) you cannot view its content on your iOS device. However, if you edit an existing entry (@ sign entry) you can fudge the content so you can view it on your iOS device.

    Pete S.
    5/29/15 @ 7:26 am

    Thank you... now all I have to do is remember my security code before it bricks me! arghh

      5/29/15 @ 7:28 am

      Write it down. Store it in a safe place. Never rely solely on your memory for something like that.

    Sylvie Chubbs
    5/30/15 @ 1:45 pm

    Very good and useful advice. I’m still wary of storing all my eggs in one basket by putting my passwords all in a keychain. I have an old fashioned address book where I physically write down my passwords, and security answers (which I’ll be updating now, following your advice) and keeping the book away from my laptop. I change all my p/words every 6 months.

      5/30/15 @ 1:50 pm

      The big problem with that is that your book can’t enter the passwords for you. So if you choose a nice strong password, like you should, then you have to look it up each time and painstakingly read it and type it. Either that or make your passwords shorter and weaker so they are easier to enter. It is far more likely that a break-in will occur from a massively distributed bot network that doesn’t care about your keychain, it just guesses your password. So a long strong random password stored in a keychain is better than a shorter, weaker password stored on paper.

    Robert
    5/30/15 @ 11:36 pm

    Hi Garry,

    Great video. My question is the same as Peter S. I have put my passwords into Secure Notes and nothing shows up on my iPad. I have also checked Keychain seeing (All ok). You said – In the Settings app, in the iCloud category.

    I think I have missed something?

    Regards,

    Robert

      5/31/15 @ 7:34 am

      If you have it turned on on both the Mac and the iPad, then Notes saved on the Mac should show up on the iPad. I’d check over all of your settings and then maybe visit the Genius Bar for a first-hand look if they still aren’t appearing. For me, they appear on all devices in seconds.
