Every once in a while I question security controls, and the latest one I questioned was security questions.
I’m talking about those questions that financial sites like banking and credit card sites ask you when you log in. Not the ones used to reset your password (although this post applies to them too).
No, this won’t be a rant about the stupid questions that sites give you to choose from, such as your mother’s maiden name or what your favorite color is. I gave up questioning those issues long ago.
I gave up complaining about them because I never provide common sense answers to security questions, so who cares. The question could be “What is 1+1?”; it’s the answer that’s important.
When asked about my favorite color, I’ll enter a passphrase consisting of 10 words of my favorite song, with noisy symbols and capital letters thrown in.
When asked about the name of the first girl I kissed, I enter my best man’s name joined with his dog’s name. And so on. Sure, you have to store all those answers in a password safe, but that’s the price of security. I can’t keep 25 passwords in my head anyway.
What I questioned recently as I logged into my bank was whether the capital letters I supplied in my security question answers were effective. So I typed the capital letters as lowercase letters, and guess what? My answer was still accepted.
I logged out and then tested whether the special characters and numbers in my answers were effective. Surprise, they were required, but capital letters were not. I suppose that most people don’t write down the answers to their security questions because they are real answers–they just remember them–which is the whole point.
But they probably forget whether they typed the address of the first house they lived in as a kid as “123 Main Street” or “123 main street”. So to make it easy, the system converts all capital letters to lowercase when it compares the user’s answer to the answer stored on file.
Otherwise, these companies would be getting a lot more phone calls from users who can’t log in.
But that weakens security! And makes it easier for someone to hack you.
I also tested the password that I have to enter after the security answer, and it must be perfect, including capital letters, lowercase letters, numbers, and symbols. No problems there.
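To make the difference concrete, here is an added example (not code from the post or from any bank) that models the two verifiers described above: a security-answer check that case-folds the input before hashing and comparing, and a password check that compares the exact string. It also counts how many bits of guessing work the case-folding throws away for a given answer. Function names, the PBKDF2 storage format and the sample answer are my own assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed work factor for the hash; any password-hashing function would do.
ITERATIONS = 100_000


def _pbkdf2(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


def normalize_answer(answer: str) -> str:
    """Lenient treatment observed in the post: letters are case-folded,
    digits and symbols are left alone, so 'Main Street' and 'main street'
    collapse to one stored value but '123' and '124' stay distinct."""
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def enroll_answer(answer: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _pbkdf2(normalize_answer(answer), salt)}


def verify_answer(record: dict, supplied: str) -> bool:
    candidate = _pbkdf2(normalize_answer(supplied), record["salt"])
    return hmac.compare_digest(record["hash"], candidate)


def enroll_password(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _pbkdf2(password, salt)}


def verify_password(record: dict, supplied: str) -> bool:
    # Strict comparison: the password must match exactly, case included.
    return hmac.compare_digest(record["hash"], _pbkdf2(supplied, record["salt"]))


def case_bits_lost(answer: str) -> int:
    """Each cased letter could have been upper or lower case, i.e. one bit of
    keyspace per letter; case-folding discards all of those bits."""
    return sum(1 for ch in answer if ch.isalpha() and ch.lower() != ch.upper())


if __name__ == "__main__":
    rec = enroll_answer("123 Main Street!")          # constructed sample answer
    print(verify_answer(rec, "123 main street!"))    # True: capitals ignored
    print(verify_answer(rec, "124 main street!"))    # False: digits still strict
    print(case_bits_lost("123 Main Street!"))        # 10
```

Ten letters of case-folded answer means an attacker has 2^10 fewer variants to try than the capitalised answer suggests, while the password verifier keeps every bit.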
People need to treat their security answers just like passwords; otherwise, what’s the point of using them?
I suggest you test those sites that require a security answer and password the next time you log in. And come back and let me know what you find.
But remember, you have to have at least one capital letter in your answer already.
Oh, you don’t use capital letters in your answers? Never mind then.