Practical Computer Advice
from Martin Kadansky
Volume 9 Issue 7
Hackers Can Break Into Your Online Accounts *Without* Guessing Your Password! Use This Simple Tip to Protect Your Email and Other Accounts
The problem: The answers to your Security Questions are probably not secure
You're on a website for your email, or a shopping or cloud storage account. You're trying to sign in, but you can't remember the right password. You click the "Forgot your password?" link, and type in the answer to a "secret question" or two (which you provided when you created the account long ago). Then you can set a new account password, and you're in!
Unfortunately, a thief or hacker can break into your account in exactly the same way. All they typically need is your email address plus enough information about you to answer your secret question, and then they can set a new password on your account. This not only gets them into your account (without having to steal or guess your password), it also locks you out!
In other words, depending on the account, the answers to your Security Questions can act like alternate passwords, giving a hacker a much easier way to break in than trying to guess or steal your regular password. And the bad news is that hackers may be able to find many of your answers online.
The simple solution: "Fictionalize" the answers to your Security Questions
How can you prevent this particular vulnerability from being exploited?
And, just like your regular passwords:
- Go to the website for each of your existing online accounts and sign in. Start with your email accounts; they're the most important. Find your Security Questions (look under Settings or Security), and then change the answers from correct ones to fictional ones. That's right! Make up wrong or silly or ridiculous answers.
- From now on, in every new account you set up, don't answer the Security Questions correctly. Instead, make up bogus or gibberish answers.
- Use a unique answer for every question and every account. Don't repeat yourself!
- You will not remember them all, so keep track of them just as you would your regular passwords: Put them on your password chart.
Keep it simple: One-word answers, the sillier and more unrelated, the better
- Where did you go to college? Instead of "Columbia" enter "tortellini"
- What's your maternal grandfather's first name? Instead of "John" enter "jabberwocky"
- What is your dream job? radiator
- What was your first car (make and model)? kleenex
- Where did you go on your honeymoon? mazda
- What city were you born in? sldkfjgh47
Some online accounts don't use Security Questions at all, so this technique doesn't work everywhere.
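As an added illustration (not from the original newsletter), the following Python script builds a "password chart" of fictional answers the way the steps above describe: every (account, question) pair gets its own answer, no answer is ever a real one, and once the silly word list runs out it falls back to gibberish like "sldkfjgh47". The word list and the set of real answers are constructed samples.

```python
import csv
import io
import secrets
import string

# Constructed list of ordinary, unrelated words (the newsletter's own examples
# plus a few more). Any dictionary would do; the point is that they are wrong.
WORDS = ["tortellini", "jabberwocky", "radiator", "kleenex", "mazda",
         "teaspoon", "accordion", "pelican", "hammock", "sprocket"]

# Constructed set of truthful answers that must never appear on the chart.
REAL_ANSWERS = {"columbia", "john", "boston", "blue", "italian"}


def gibberish(length=10):
    """Random lowercase letters and digits, e.g. an answer like sldkfjgh47."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def fictional_answer(used):
    """Pick an answer that is neither a real answer nor already on the chart.

    `used` is the set of answers handed out so far (lowercased) and is updated
    in place so every question on every account gets a unique answer.
    """
    for _ in range(200):
        candidate = secrets.choice(WORDS)
        if candidate not in REAL_ANSWERS and candidate not in used:
            used.add(candidate)
            return candidate
    # Word list exhausted: gibberish is practically guaranteed to be unique.
    candidate = gibberish()
    used.add(candidate)
    return candidate


def build_chart(accounts):
    """accounts maps an account name to the list of its security questions.
    Returns one chart row per (account, question) with a unique fictional answer."""
    used = set()
    rows = []
    for account, questions in accounts.items():
        for question in questions:
            rows.append({"account": account, "question": question,
                         "answer": fictional_answer(used)})
    return rows


def chart_to_csv(rows):
    """Render the chart as CSV text, ready to paste into your password chart."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["account", "question", "answer"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```

Store the resulting chart wherever you already keep your regular passwords; the answers are only as safe as the chart that holds them.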
How do hackers find my answers?
You might think that the answers to your particular security questions could never be found online, but you would be surprised how much information is available about you. You may have posted some of it a long time ago (and no longer remember), and your friends and colleagues may have posted things about you without your knowing.
You might also think that some Security Questions are simply not vulnerable to research, like your favorite color or type of food. That may be true, but you might be surprised how ordinary your answers to such questions may be (blue? Italian?), and how easily they can be guessed.
Some of your personal information (your address, phone, birthdate, Social Security number, parents, children, roommates, medical information, etc.) is already easily found online. Google your name (or "buy social security numbers") and you'll see.
And then there's "social media." Facebook, Twitter, and LinkedIn are just some of the most popular sites. Your own profiles, articles you've written (or that others have written about you or your family or company), photos of you with family or at events you enjoy posted by you (or by other people), and class reunion records are just the beginning of online places that reveal information about you.
The key to this "fictionalization" technique is not to worry about the information about you that's out there on the internet. Instead, by removing it from your security answers and replacing it with nonsense, you can render it useless so it can't be used against you in this particular way.
Hacking into your accounts can be like a falling row of dominoes
One clever approach a hacker can take is to first break into your email account, and then use it to help them break into your other online accounts.
To break into many email accounts, often all a hacker needs is your email address and some information to help them answer one or two of your security questions. If that works, they can change your email password and gain access to your account.
Now they can break into many other online accounts you use, because when you click "Forgot my password":
- Many websites simply ask for your email address, and then send you an email message containing either a link to reset your password or a temporary verification code or PIN that expires in a few minutes or hours. Since the hacker has access to your email account, they can use that message to gain access to those additional accounts.
- Some are even simpler: After you enter your email address, they prompt you right then and there to answer a Security Question or two, then immediately prompt you to change your password.
Obviously all this hacking has to happen pretty quickly, since someone else changing your email password means that you will get an error when you try to send or receive any email on your computer, smartphone, or tablet. Once you see there's a problem, you'll probably eventually figure out what happened.
In an unscientific survey of a number of popular online email and shopping and storage sites I conducted (which I won't list for security reasons), I found that most fell into one of the two categories above.
The good news is that the bank and credit card and investment/retirement sites I tested required more extensive information, including your SSN, account number, birthdate, etc. The bad news is that a determined and resourceful thief could probably answer those questions as well.
Where to go from here
- Go to each of your accounts (email first!), find your Security Questions, and fictionalize your answers. Add those silly answers to your password chart.
- Try the hacker's approach: Go to each of your accounts' web sites, sign out, click "Forgot my password" and then see what information and steps are required to get to the password reset page (without actually changing your password). For some accounts it won't take much. Don't overdo it and get locked out of your account.
- Read this frightening account of hacking; scroll down about 40% to see the author's additional advice on how to protect yourself: http://www.wired.com/2012/11/ff-mat-honan-password-hacker/all - "Kill the Password: Why a String of Characters Can't Protect Us Anymore"
- Review the personal information that you reveal in your Facebook, LinkedIn, and other accounts.
- To find more sources of online information about yourself than you can imagine, Google "popular social media".
How to contact me:
phone: (617) 484-6657
On a regular basis I write about real issues faced by typical computer users. To subscribe to this newsletter, please send an email to
and I'll add you to the list, or visit
Did you miss a previous issue? You can find it in my newsletter archive:
Your privacy is important to me. I do not share my newsletter mailing list with anyone else, nor do I rent it out.
Copyright (C) 2015 Kadansky Consulting, Inc. All rights reserved.
I love helping people learn how to use their computers better! Like a "computer driving instructor," I work 1-on-1 with small business owners and individuals to help them find a more productive and successful relationship with their computers and other high-tech gadgets.