One of the weak spots of online security is the security question. These are questions like "What was the name of your first pet?" or "Which high school did you attend?" Using real or even fake answers to these questions will make it easier for your account to be hacked. However, there is a way to make this weak spot more secure.
Comments: 15 Responses to “Better Answers to Security Questions”
Mike Kracher
10 years ago
I don't see any security in these in-depth passwords if they are stored in my system. If I get hacked the first place any hacker would look is KeyChain to find all my passwords so what good is that? Please enlighten me.
Thanks
Getting hacked would require physical access to your Mac in most cases, plus guessing your password (a strong password, right?). But an easy-to-guess security question or password is vulnerable to mass attack from bot networks.
David Smith
10 years ago
The way I see it, secondary password questions are a false sense of security.
OK, so my passwords are secure with false alpha-numeric answers.
But there is always the back-door of "click here if you forgot your password".
Can hackers just not hijack your email and have a new password delivered to their doorstep?
So really, everything comes down to the password security of your email account... correct? ... or am I missing something?
David
Yes, you are right in that protecting your email account is of the utmost importance. You've got to either use strong passwords or two-step authentication on those. I teach that in the book.
In many cases, though, the account in question IS your email account, and the security questions are the only way to gain access if you are locked out. And you usually aren't given an option to not use the security questions, so you have to make them secure as well.
So you've got to do both in many cases. And watch out for email accounts that let you give an alternative email address for recovery purposes. iCloud lets you do this. If that backup alternative email is something like a Yahoo or Hotmail email address with a weak password, then that is your weak point.
Pete S.
10 years ago
I cannot figure out how to make these application PWs available on my iOS devices. I made entries in KEYCHAIN LOGIN and iCLOUD but still cannot see them on my iPad (iOS 8.3). Did I miss something?
Check your System Preferences, iCloud on your Mac and your Settings, iCloud on your iPad to make sure both are set to on for Keychain.
Pete S.
10 years ago
Thank you for your reply. That was the 1st thing I did when I could not see the new appl PWs. Checked again just now and they are KEYCHAIN on and to the same Apple ID. Where should I be seeing these on the iPad? I looked everywhere I could think of. All the website info is there but not those appl PWs.
In the Settings app, in the iCloud category.
So here's the deal. If you create an APPLICATION PASSWORD (pen icon in keychain app) you cannot view its content on your iOS device. However, if you edit an existing entry (@ sign entry) you can fudge the content so you can view on your iOS device.
Pete S.
10 years ago
Thank you.. now all I have to do is remember my security code before it bricks me! arghh
Write it down. Store it in a safe place. Never rely solely on your memory for something like that.
Sylvie Chubbs
10 years ago
Very good and useful advice. I'm still wary of storing all my eggs in one basket by putting my passwords all in a keychain. I have an old-fashioned address book where I physically write down my passwords, and security answers (which I'll be updating now, following your advice) and keeping the book away from my laptop. I change all my p/words every 6 months.
The big problem with that is that your book can't enter the passwords for you. So if you choose a nice strong password, like you should, then you have to look it up each time and painstakingly read it and type it. Either that or make your passwords shorter and weaker so they are easier to enter. It is far more likely that a break-in will occur from a massively distributed bot network that doesn't care about your keychain; it just guesses your password. So a long strong random password stored in a keychain is better than a shorter, weaker password stored on paper.
Robert
10 years ago
Hi Garry,
Great video. My question is the same as Peter S. I have put my passwords into Secure Notes and nothing shows up on my iPad. I have also checked Keychain seeing (all OK). You said: "In the Settings app, in the iCloud category."
I think I have missed something?
Regards,
Robert
If you have it turned on on both the Mac and the iPad, then Notes saved on the Mac should show up on the iPad. I'd check over all of your settings and then maybe visit the Genius Bar for a first-hand look if they still aren't appearing. For me, they appear on all devices in seconds.