The Practical Guide To Mac Security: Part 5, Security Questions

Check out the rest of the videos in this special course: The Practical Guide To Mac Security.

Some sites and services still use security questions. If you are forced to provide answers to these, you should never use real answers.

You can also watch this video at YouTube (but with ads).

Video Transcript: Hi, this is Gary with MacMost.com. This is Part 5 of my course, The Practical Guide to Mac Security. This course is brought to you for free thanks to my great Patreon supporters. Go to MacMost.com/patreon for more information.
So Security Questions are an old technique used on accounts that hopefully you don't see too much anymore. You see them often enough that we should talk about them because they actually don't make your account more secure. They make it less secure. But they do serve a purpose. So, for instance, the security question may be something like What's your mother's maiden name or What is your pet's name. You may get asked this. The ides is that if you lose your password you can get back into your account by answering one of these security questions either online or perhaps with a phone call to the service trying to reestablish contact with your account. They'll ask you one of these questions and you respond with whatever it is that you put down and they know that it's you. 
But in fact this makes things less secure. It's basically creating a backdoor. The first problem is, of course, these are easy to guess. I mean how many pet names are there. Probably with only a hundred or two hundred pet names you can have all of the different pet names for 90% of the pets in the world. The same thing with street names and they are also easy to find. Like if somebody wants to break into your account they can probably find your mother's maiden name pretty easily. Or even the street you grew up on pretty easily just by looking online at various resources. They are also difficult to change. If you know that your information has been compromised, somebody now knows the name of the street you grew up on or the make of your first car, how do you change that? That's part of your history. If you change it to something else then it's no longer true. Also consider it's less that one factor. Instead of your password all they need is this information about you. This information about you is much easier to get than your password. So instead of increasing the number of factors it's actually keeping the number of factors at one. You either need your password or the answer to one of the security questions. Since the security questions are easier to guess and to find then it actually makes things weaker. 
So here are some of the security questions you may see. I'm sure you've all seen everyone of these and there are probably a dozen more that are commonly asked. It doesn't really matter how unusual they are to get, they're just not very secure. Some typical answers would just be a last name and really with just a few hundred last names you've covered most last names in the world. The make of cars is even less with just a few dozen you've covered most people's answers. Streets growing up on, most people have grown up with streets that are only maybe in a list of several hundred names. Pets names are even weaker than that. There are some popular pet names used throughout the world and you may think that yours is unusual but it's still going to be easier to guess your pet's name than, say, a password. If you've ever posted anything to social media then, of course, the pets name is probably out there as well as a lot of this other information. 
So ideally you don't want to use security questions. But you usually don't have a choice. When a site has these you have to fill them out. You have to provide an answer.  So what do you do. Well, basically you lie. You create answers that are nonsensical. I like to use numbers because a lot of times you end of talking to somebody on the phone. They'll say, well confirm it's you. What's your mother's maiden name and I could very easily read out a list of numbers to them. They can understand those numbers whereas a password with letters and numbers sometimes it could be hard for the other person to hear exactly what you're saying. But you can add a few letters in there if you like. Maybe a dash. That kind of thing. The important thing to do is whatever you create make it randomly generated so maybe using a Password Manager's password generator sometimes you could create a random number. You can then record these in  your Password Manager or write them down in a secure document that you keep maybe with other secure information. So let's say you have an email account. It's going to want some of the security questions. It prompts you for them. You come up with these random odd answers that nobody is going to be able to guess. You make sure you write those down in case you need them. You have somewhere you can go and read off this number to whomever it is you're talking to on the phone. So they get the right answer and I'm sure they won't think this is strange because a lot of people like me already do this. So they're used to seeing random answers like this in place of real ones.

Comments: 9 Responses to “The Practical Guide To Mac Security: Part 5, Security Questions”

Paul Reynolds

3 years ago

Thanks Gary, how about I use the same number combination no matter the question?

Gary Rosenzweig

Paul: Less secure obviously, and you have to look it up anyway, so why not separate ones?

poppy fogarty

Hi Garry
Re passwords: I already have used passwords related to name, make of car etc.. Can you change these, or will alternative gobbledigook numbers and letters allow me to get into
a site that requires answers.
It's all a bit confusing.
Thanks for your help

Poppy: Yes, of course you can change these. And you SHOULD. Just go to whatever site you mean, look for a way to change your answers, and set them up with numbers or something else like I propose in the video.

Alison

Do you have ay thoughts on the use of a VPN? I'm very new to security of my Mac products. Thank you for your help.

Alison: VPN will be addressed later in the course.

Hubert

Hi Gary. What about this for PW security. At each log-in click on ‘forgot password’. The new one to use will be sent automatically to your email address. Probably only practical for websites one only used occasionally?

Hubert: Very inconvenient and tine-consuming, yes. Rarely should a site ever send you a new password via email today. More likely they will send you a password reset link. You'd click that link and then have to create a new password.

Bill

So many discussions on Social Media are phishing attempts. Looking at how often the list of common Security Questions match these discussions is alarming. these threads need to be stopped.

Comments Closed.

The Practical Guide To Mac Security: Part 5, Security Questions

Comments: 9 Responses to “The Practical Guide To Mac Security: Part 5, Security Questions”

Welcome to MacMost

Free Weekly Newsletter

MacMost Online Courses

Keyboard Shortcuts PDF

Connect with MacMost

MacMost Sections

Popular Tutorials

Information