Password Prompts

Posted on August 13, 2008

Password uniqueness and strength have been drilled into us for ages. Some sites now have an indicator to show how good your password is while you create it. Some have gone so far as to require not just a minimum length but also a minimum number of character types, such as at least three of the four main possibilities (number, symbol, upper case, lower case). So it would take something like Password1 to satisfy the minimum strength requirements.

We all know the dangers of reusing passwords. But have you thought about the dangers of the information used to reset passwords? Many sites use a standard set of questions to prompt you: your mother’s maiden name, your father’s middle name, favorite color, city of birth, what brand your first car was, etc. And you probably have a standard set of responses, making them easy to remember but not very secure. Some of that information can even be found in public records. And some of it can be guessed. First car could easily be Ford or Chevy with their historic market share. Favorite color is often red or blue.

So, here’s a hint for dealing with those questions when you are first asked to fill in the answers while setting up your account. If they ask your mother’s maiden name, tell them it is 34EtR#@ or some such. They don’t really care about her name, just that you can give back the original answer you gave when you set up the account. So use a strong password that you have written down and kept in a secure location, or use a naming scheme that you can remember but no one would ever guess. Don’t give real answers. Never put down a color for your favorite color.

Most people don’t think of answering that way, because we assume they want the truth from us and we are determined to give it to them.

That is the wrong thing to do: giving truthful answers may result in identity theft.
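The two points above (the three-of-four strength rule and the advice to answer reset questions with a random string) can be tried out in a short script. This is an added example, not part of the original post; the minimum length of 8, the symbol set, the 16-character answer length and the site name `example.test` are assumptions.

```python
import secrets
import string

# The four character classes named in the post's strength rule.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*-_=+",  # assumed symbol set; sites differ
}

def classes_used(text):
    """Return the names of the character classes that appear in text."""
    return {name for name, chars in CLASSES.items()
            if any(ch in chars for ch in text)}

def meets_site_rule(text, min_length=8, min_classes=3):
    """Minimum length plus three of four classes (min_length=8 is assumed)."""
    return len(text) >= min_length and len(classes_used(text)) >= min_classes

def random_answer(length=16):
    """Draw a reset answer from the OS CSPRNG, retrying until all four
    classes are present so it also passes composition rules."""
    if length < len(CLASSES):
        raise ValueError("length too short to hold every character class")
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if len(classes_used(candidate)) == len(CLASSES):
            return candidate

def answers_for_account(site, questions, length=16):
    """One unrelated random answer per question, to be kept in a password
    manager or written down and stored securely, as the post advises."""
    return {"site": site,
            "answers": {q: random_answer(length) for q in questions}}

if __name__ == "__main__":
    # Constructed inputs: the post's own examples of weak choices.
    for guess in ("Password1", "Ford", "red"):
        print(guess, "passes the site rule:", meets_site_rule(guess))
    record = answers_for_account(
        "example.test",  # placeholder site name
        ["Mother's maiden name", "Favorite color", "Brand of first car"])
    for question, answer in record["answers"].items():
        print(f"{question}: {answer}")
```

Password1 passes the composition rule even though it is an obvious choice, while each generated answer has no relation to its question, so public records and guessing give no help.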
