Honesty is not The Best Policy for Password Resets

In light of yet another Twitter hack involving a Yahoo email password reset attack, you might think twice about the answers you provide for password reset questions.

Common password reset questions include the following:

What is your mother’s maiden name?
Where were you born?
What high school did you graduate from?

All of these and many others have answers that are public record or easy to find on social media. In other words, it isn’t hard for an attacker to learn the answer to your “secret question”, and whoever can answer it can reset your password without ever knowing it. Let dishonesty be your secret weapon!

There is no reason you can’t make up the answers; the only trick is to remember your lies. OK, let me put this in a more socially acceptable manner: make up a new life. Make up a story and remember it.

So, now your mother’s maiden name becomes “Smurf” or something equally silly. You graduated from “Basketcase HS”, and you were born in “A Different Galaxy”.

Make up a story; it will help you to remember the answers. Pick a character in a book if you wish. As long as the answers aren’t easily guessable, it will be very hard for an attacker to change your password by answering a ridiculously easy question.

If the site lets you write your own question, make sure the answer isn’t easy to guess or to find on the web.
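To make the “make up a life” advice concrete, here is an added example (my own script, not code from the original post or from ESET). It generates made-up answers for the reset questions listed above, either as a short random phrase you can weave into a story or as a random hex string to be treated as a second password, and compares their entropy with that of a truthful answer an attacker could enumerate from public records. The word list and the candidate counts for truthful answers are constructed for illustration; the site name is a placeholder.

```python
import json
import math
import secrets

# Constructed 32-word list for this example (exactly 2**5 entries, so each
# word contributes 5 bits). A real passphrase list such as a diceware list
# has thousands of words, and the entropy scales with its size.
WORDLIST = [
    "smurf", "galaxy", "basket", "frog", "comet", "anvil", "velvet", "otter",
    "lantern", "marble", "pepper", "quartz", "raven", "saddle", "tundra", "walnut",
    "yonder", "zephyr", "cactus", "dragon", "ember", "fjord", "glacier", "harbor",
    "island", "jungle", "kettle", "meadow", "nickel", "orchid", "pistol", "ripple",
]

# The post's questions, each with an assumed number of plausible truthful
# answers an attacker could try (common surnames, towns, schools near a known
# hometown). These counts are illustrative assumptions, not measured data.
PUBLIC_ANSWER_CANDIDATES = {
    "What is your mother's maiden name?": 2000,
    "Where were you born?": 500,
    "What high school did you graduate from?": 50,
}


def guessable_bits(candidates: int) -> float:
    """Entropy in bits of a truthful answer drawn from `candidates` possibilities."""
    return math.log2(candidates)


def phrase_answer(words: int = 3, wordlist=WORDLIST) -> str:
    """A made-up but memorable answer, e.g. 'raven-tundra-fjord'."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


def phrase_bits(words: int = 3, list_size: int = len(WORDLIST)) -> float:
    """Entropy of a phrase answer: words * log2(list size)."""
    return words * math.log2(list_size)


def hex_answer(nbytes: int = 16) -> str:
    """An opaque answer that is really a second password: random hex."""
    return secrets.token_hex(nbytes)


def hex_bits(nbytes: int = 16) -> int:
    """Entropy of a random hex answer: 8 bits per byte."""
    return nbytes * 8


def reset_record(site: str, questions, words: int = 3) -> dict:
    """Build a {question: made-up answer} record for one site.

    The intended use is to paste the JSON into the notes field of that
    site's entry in a password manager, so the 'story' never has to be
    remembered by hand.
    """
    return {"site": site, "answers": {q: phrase_answer(words) for q in questions}}


if __name__ == "__main__":
    for question, n in PUBLIC_ANSWER_CANDIDATES.items():
        print(f"{question:42s} truthful answer  ~{guessable_bits(n):5.1f} bits")
    print(f"{'3 words from this 32-word list':42s} made-up answer   ~{phrase_bits(3):5.1f} bits")
    print(f"{'3 words from a 7776-word list':42s} made-up answer   ~{phrase_bits(3, 7776):5.1f} bits")
    print(f"{'16 random bytes as hex':42s} second password  ~{hex_bits(16):5d} bits")
    # Placeholder site name; the questions are the ones from the post.
    print(json.dumps(reset_record("example.com", PUBLIC_ANSWER_CANDIDATES), indent=2))
```

Two practical caveats when you use answers like these: many sites lowercase the answer and strip spaces or punctuation before comparing it, and some cap its length, so check that the site accepts the answer exactly as you stored it before you rely on it; and a random answer is only useful if you can retrieve it, so keep it with the account's password rather than trusting memory alone.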

Randy Abrams
Director of Technical Education

Author, ESET

  • This is a really good observation and methodology, Randy. I’ve often thought that the info by phone etc. we give to the banks and their ilk is a huge resource for identity theft.
    Suppose someone in the bank goes to the dark side: the standard information you’ve passed over means they can easily get a wodge of official documents. Think of it: DOB, mother’s maiden name, place of birth, memorable place, memorable person, pet... the list goes on.

    This solution gets past all that. It’s extremely difficult to get a new driving licence with place of birth as “edge of the known universe” and mother’s maiden name as ‘Frederick the Frog’!!

    Like it.

  • soaklord

    Another trick I have seen is to have the real answers conform to password security. Born in Los Angeles? Why not 10s (one zero s) @ngeles? That way you only have to remember your replacement schema not a whole new place.

    • Randy Abrams

      This is also a good method. There are many ways to solve the problem and choosing one that works for you is the key.

  • Ahmed Ghanem

    Always used such methods, so when the question is “what’s your mother’s maiden name?”, I answer the question below it, which was for example “what was your childhood hero?!”, and the answer is “Batman” or whatever! Maybe “wormman” haha, or better yet I can make the answer like another password, just some random ASCII characters or hexadecimal characters, so you know you have two passwords: one to access the account and the other is the answer to the lame question that’s not even related.

    BTW these ideas are now public so I’m gonna change methods :D


Copyright © 2017 ESET, All Rights Reserved.