By asking better password reset questions, you'll keep passwords more secure I just love how many Web sites take my complex, hard-to-guess password and make it as easy to crack as guessing my favorite color or the city of my birth. It seems nearly every Web site comes with user-accessible, self-service, password reset questions, and nearly all of those same sites make resetting or obtaining my password magnitude By asking better password reset questions, you’ll keep passwords more secureI just love how many Web sites take my complex, hard-to-guess password and make it as easy to crack as guessing my favorite color or the city of my birth. It seems nearly every Web site comes with user-accessible, self-service, password reset questions, and nearly all of those same sites make resetting or obtaining my password magnitudes easier than actually knowing my correct password. Thanks. I can understand why Web sites want a user-based, self-service, password reset feature. Users who forget or mistype their passwords comprise one of the most frequent support requests. I’ve read many studies that place the cost of each help desk password reset assistance call at $60 to $90. I don’t mind the self-service part; it’s the incredible weakening of security that bothers me. Most Web sites put forth a handful or two of weak questions that you must use. The Web site administrators think that the questions are personal enough that only the person who answered them would know the correct answers. The problem is that the questions are often information that is known by lots of people, or they contain information that can be found by searching on the Internet. For example, one common question is, “Your birthplace city?” I mean, how many people know that besides the account holder? Well, how about that person’s close friends, family members, spouse, old boyfriend or girlfriend, and anyone who has ever viewed any credit card application you’ve ever filled out? And let’s not mention all the databases you can search online to find out the birthplace of any person. How about being asked to fill in your mother’s maiden name? Again, you can point to the same suspects as in the previous question, but now add genealogy databases to the mix. Another favorite weak question is, “Your favorite pet’s name?” First off, dogs are the most popular pets, and you’d be surprised about how common most dogs’ names are. Mark Burnett’s book on passwords, Perfect Passwords, has a list of the most common dog names. I was surprised to see my own dog’s name, Abby, on the list. Mark’s book also lists the most common colors, cities (that is, birthplace cities), and hobbies. If a Web site under your control has one of these password reset features that use self-service, weak security questions, make sure the questions are truly capable of being known by only one person. Assume that the person’s closest loved one ends up being their worst enemy and is motivated to break into their account. If you want to be assured of the strength of your question, or at least give the user a fighting chance of staying secure, let them choose and input the security questions. The self-service password feature page should educate the user in how to create truly secure security questions. Suggest some good examples. If your Web site’s password reset self-service feature doesn’t allow custom questions, or can’t be recoded and can use only precanned, weak questions, try to require multiple successful answers to multiple questions. The Web sites I see using this type of query often ask the user to select 5 to 10 questions to which they can input the answers. And when using the feature, the user must successfully answer 2 to 4 of the questions. This makes it a little harder for an unauthorized person to break into the account. Of course, any password resets or changes should be sent to the e-mail address on record asking for confirmation before being committed. If an attacker has access to your e-mail account and knows the answers to multiple or custom security questions, your issues go well beyond the things a columnist can help you with. Related content analysis The 5 types of cyber attack you're most likely to face Don't be distracted by the exploit of the week. Invest your time and money defending against the threats you're apt to confront By Roger Grimes Aug 21, 2017 7 mins Phishing Malware Social Engineering analysis 'Jump boxes' and SAWs improve security, if you set them up right Organizations consistently and reliably using one or both of these approaches have far less risk than those that do not. By Roger Grimes Jul 26, 2017 13 mins Authentication Access Control Data and Information Security analysis Attention, 'red team' hackers: Stay on target You hire elite hackers to break your defenses and expose vulnerabilities -- not to be distracted by the pursuit of obscure flaws By Roger Grimes Dec 08, 2015 4 mins Hacking Data and Information Security Network Security analysis 4 do's and don'ts for safer holiday computing It's the season for scams, hacks, and malware attacks. But contrary to what you've heard, you can avoid being a victim pretty easily By Roger Grimes Dec 01, 2015 4 mins Phishing Malware Patch Management Software Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe