Tweak Answers to Security Questions for improved security
We are all used to answering security questions to prove our identity for various purposes such as Internet banking, phone banking and accessing an organization's intranet. Internet security also depends on the combination of passwords and security questions. Typically these security questions are used for resetting passwords, though the site tries to offer another level of protection by sending the new password to your email.
Most of these so-called security questions are based on widely known facts, or at least facts that can be gathered easily.
There is not much debate about security questions being the weakest link, and most websites provide an alternative by allowing us to choose or write our own security question. But this doesn't always help, as it burdens the individual with forming questions based on facts known only to them. Finding such questions, for which the answers are known to no one else in my family, relations or colleagues, proved to be an arduous task for me. Still, when we do have the option of choosing or framing our security question, giving it a little more thought can go a long way in ensuring security.
Instead of trying to find an ideal security question, we can try to attack the answer. Giving incorrect answers – which we alone can know – seems to be one way out, but with more such answers we would end up forgetting them ourselves. Exploring various such options just goes to prove that between security and ease of remembrance, the compromise is inevitable.
One possible solution is to tweak our answer. For example, instead of giving our favorite color as Red, we can write Reed, Reds or Ared. To make this easier to remember, we can choose some common technique, like “repeating the vowels” or “adding a prefix or suffix”.
The prefix or suffix can be any letters or even a phrase. Here again, the need to be able to remember it should be considered; building it from the most familiar facts, like our parents', spouse's or kids' names or our school, would help. Of course, this approach can be used only where the security answer is also supplied by us and not compared with real facts already stored in a database. This is not to suggest that such tweaking makes the security question invincible – but it does make it a bit more difficult to crack.
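As an added illustration (not code from the original post), the following Python script shows the two tweak rules described above as deterministic transformations, so the user only has to remember the rule and a personal token rather than the tweaked string itself. It also shows the site side: it is assumed here, and not stated in the post, that the site stores the answer as a salted PBKDF2 hash, and the token "PS" and the colour "Red" are constructed sample values. The demo returns the tweaked forms and whether the plain, widely known fact or the tweaked answer passes verification.

```python
import hashlib
import hmac
import os

VOWELS = "aeiouAEIOU"
PBKDF2_ROUNDS = 100_000  # assumed server-side cost parameter


def repeat_vowels(answer: str) -> str:
    """Rule 1 from the post: double every vowel ("Red" -> "Reed")."""
    return "".join(ch * 2 if ch in VOWELS else ch for ch in answer)


def tweak(answer: str, rule: str, token: str = "") -> str:
    """Apply a named, memorable rule to the real answer.

    'repeat_vowels' needs no token; 'prefix' and 'suffix' glue a personal
    token onto the answer ("Red" + "s" -> "Reds", "A" + "Red" -> "ARed").
    The token is something only the user associates with the account.
    """
    if rule == "repeat_vowels":
        return repeat_vowels(answer)
    if rule == "suffix":
        return answer + token
    if rule == "prefix":
        return token + answer
    raise ValueError(f"unknown rule: {rule!r}")


# --- the site's side (assumption: answers are kept as salted hashes, never plain text) ---

def store_answer(tweaked_answer: str) -> tuple[bytes, bytes]:
    """Return (salt, digest); only these two values are kept by the site."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", tweaked_answer.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a submitted answer against the stored digest."""
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, digest)


def demo() -> dict:
    """Enrol a tweaked answer and check both the plain fact and the tweaked form."""
    real = "Red"                              # the guessable, widely known fact (constructed)
    token = "PS"                              # constructed personal token
    enrolled = tweak(real, "suffix", token)   # what the user actually types: "RedPS"
    salt, digest = store_answer(enrolled)
    return {
        "repeat_vowels": tweak(real, "repeat_vowels"),            # "Reed"
        "suffix": enrolled,                                       # "RedPS"
        "plain_fact_accepted": verify_answer(real, salt, digest),  # False
        "tweaked_accepted": verify_answer(enrolled, salt, digest), # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the rule-based design is that the user stores nothing new: the same rule and token are reapplied at login, and anyone who only knows the real fact ("Red") submits a string that never matches the stored digest.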
Even in enterprises, security questions are typically the employee number, date of birth and date of joining the enterprise, which are commonly known, especially for people at high levels, where they even get published on websites and in annual reports. Here tweaking is not an option, as the comparison is with answers already held in the database. Enterprises can instead let users form their own security questions, or frame questions which are more personal and less widely known.