Don’t give away your secret answers

January 6, 2020 | Bob Covello

Note: This blog was written by an independent guest blogger.

I was watching an interview with an American Congressional member the other night, and I could not help but notice the person’s lack of cybersecurity awareness.

As a disclaimer, please note that this is not a piece promoting or denouncing any political party or view. I do not discuss politics unless it relates to a cybersecurity matter. In two previous posts, I have been misunderstood and thought to be promoting a position, but that isn't my intended purpose - cybersecurity awareness is.

In the interview, the Congressional member told an entertaining story about how a site was requesting the creation of a “Security Question”. We have all been subject to these inane questions that require horribly predictable and, sometimes, very publicly known answers. These questions are usually used for password recovery or password reset functions.

In this particular case, the question that was chosen was “What is the name of your dog?” What happened next is where I was mortified at the lack of awareness. The conversation went something like this:

Congress member:  “So I put in the name of my dog, and the site said that the name was too short.”

Did you just perform a face-palm, as I did when I heard that? Let’s review some of the more common short names for dogs:

Rex, Spot, Hero, Bud.

I am sure that you can come up with a few others. The problem here is that this Congressional representative just narrowed the search criteria for anyone who wants to guess the answer to one of the security questions for a forgotten password. There is no need to try long names in a brute-force attack when it has already been revealed that the dog has a short name.

We know for certain that the dog’s name is definitely NOT Alistair, or even Bunsen Honeydew.

This also indicates that this Congress person is not using a password manager.  One need not search too long to find many resources about how to generate and store random answers for those security questions.  As was reported during the “Celebgate” and “TheFappening” nude photo scandals, some celebrities were victims of social engineering that caused them to reveal their security answers.

One impressive lesson from this experience is that the web site requesting the security answer has made a bit of an effort to prevent easily guessed short names. However, what is the average person to do if their dog’s name is simply “Rex”? Should they change their dog’s name to appease a web site? Or should they invent a name to satisfy the question? How are they to remember that fake name? These problems are what cause people to develop a strong disdain for security.

Moreover, why are sites still using these horrible pre-defined verification questions? I am no fan of those questions, and even on sites that allow a person to enter a unique question, most folks will use very common questions and answers.

With all the other mechanisms out there, such as mobile authenticators and multi-factor options, there must be a better way to authenticate a person. In the meantime, please be careful with those security answers.

Bob Covello

About the Author: Bob Covello, Guest Blogger

Bob Covello (@BobCovello) is a 20-year technology veteran and InfoSec analyst with a passion for security topics. He is also a volunteer for various organizations focused on advocating for and advising others about staying safe and secure online.
