Treat your security questions like a riddle only you can decipher.
“A recent investigation by Yahoo … has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor,” the company wrote in a statement. “The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”
Let’s say you’re the owner of one of those half-billion Yahoo accounts. You’ve changed your password and, since you were smart, you didn’t repeat that same password across other online accounts, which would put those accounts at risk as well. (If you did use that same password for other accounts, let this be a lesson that you need to STOP DOING THAT).
That’s not the only lesson here. You should also update your security questions, but doing that poses a problem: Your password may change, but your mother’s maiden name, for example, is forever.
The fundamental weakness in the security questions typically used for password recovery is that, like Social Security numbers, they’re usually permanent. They are also often easy for a dedicated attacker to guess. When a hacker compromised the personal email account of erstwhile Alaska Gov. Sarah Palin—a Yahoo account, by the way—all it took was guessing the answer to her security question, which was about where she met her spouse. The answer, as it happened, could be located on Palin’s Wikipedia page.
The problem is that people treat security questions like things that should be answered with the objective truth. A much better way to think about security questions is to treat them like a riddle to which only you know the answer, but which has no basis in reality.
A good way to do this is to set up a system that applies arbitrary information to your security question answers.
So, say you use one that’s entirely based on The Simpsons. If a question asks where you met your spouse, set the answer as “Springfield High School.” If a question asks for the name of the street where you grew up, set the answer as “Evergreen Terrace.” If it asks for the name of your first pet, say “Santa’s Little Helper.” It works because, honestly, you probably have a better grasp on Simpsons trivia—or whatever nerdom you subscribe to—than you do on the actual details of your own life.
Or just set all your answers to different types of tacos, because, if you know one thing in this crazy, mixed-up world, it’s that tacos are delicious.
Whatever system you pick, make sure that it’s easy to remember. In that case, even if you forget the specific answers you set to each individual question for each individual site, you should still have a pretty good idea of what your answers were.
If you do all that, you’ve just ensured that all of your online accounts are that much more secure.
Aaron Sankin is a former Senior Staff Writer at the Daily Dot who covered the intersection of politics, technology, online privacy, Twitter bots, and the role of dank memes in popular culture. He lives in Seattle, Washington. He joined the Center for Investigative Reporting in 2016.