Kansas State University

IT News

Choosing security questions/answers; lessons learned from Palin e-mail hack and password security

The compromise of Alaska Governor Sarah Palin’s Yahoo! e-mail account last September offers many lessons about security, including the risk of using a free commodity e-mail service for conducting official business. Likewise, be cautious about what you store in your e-mail — the hacker posted some of Palin’s e-mail messages, photos, and her address book on the Internet. However, the focus of this article stems from the technique used by the hacker (purported to be a student from the University of Tennessee) to access Palin’s e-mail.

The perpetrator was able to change Palin’s password by answering three security questions — her date of birth, home zip code, and where she met her husband — answers easily discovered through simple Google searches. Challenge-response systems like these are common security features used in self-service websites for resetting a forgotten password, like the site used by the hacker to reset Palin’s Yahoo! password and access her e-mail. Even K-State’s eID Profile system uses a challenge-response security question to facilitate self-service password resets.

Challenge-response systems may also be used in conjunction with a password for an added layer of security. If, for example, you try to log in to your online banking site from a different computer, you may be presented with a security question to validate your identity before you can access your account.

Therefore, one needs to choose security questions and answers with the same care and diligence as choosing a good password. Here are some guidelines:

  • Use questions to which only you know the answer.
  • Choose answers that are very hard to guess.
  • Don’t use “yes/no” questions or ones that have a limited number of answers, like your favorite color.
  • Beware of “what is your favorite…” questions since your favorite may change over time and you therefore may not remember the correct answer.
  • Don’t use questions that can be answered by someone using Google or gleaning information from your Facebook or MySpace pages.
  • Some security practitioners recommend providing a false or unrelated answer, which does defeat lookup, but it is also harder to remember, so it is not advised unless you record it as carefully as you would a password.
  • As with your password, do not share your security questions or answers with anyone.
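
The guidelines above can also be enforced on the system side. The following is an added example, not code from the article or from K-State's eID system, of how a self-service reset service might screen question/answer pairs against these rules and then store the answers with the same care as passwords. The topic keyword lists, the constructed profile facts, and the sample questions are assumptions made for illustration.

```python
"""Added example (not from the article): screening security questions/answers
against the guidelines above, and storing answers like passwords.
All profile facts, questions and answers here are constructed."""

import hashlib
import hmac
import os
import re
import unicodedata

# Keyword lists are assumptions for this example, not a published standard.
# Topics with tiny answer sets: a few guesses cover them.
SMALL_ANSWER_TOPICS = ("favorite color", "favourite color", "month",
                       "day of the week", "yes or no")
# Topics whose answers are routinely found by a web search or on a profile page.
PUBLIC_RECORD_TOPICS = ("date of birth", "birthday", "zip code", "postal code",
                        "city of birth", "where did you meet your spouse",
                        "high school", "mother's maiden name")
YES_NO_OPENERS = ("do ", "does ", "did ", "is ", "are ", "was ", "were ",
                  "have ", "has ", "can ")

# Constructed profile: the kind of facts a search turns up for a public figure.
PUBLIC_FACTS = {"1970-01-01", "99999", "Central High"}

# PBKDF2 parameters: 600k iterations of SHA-256 (an assumption; pick per policy).
PBKDF2_ITERATIONS = 600_000


def normalize_answer(answer: str) -> str:
    """Canonicalize so 'Central High' and '  central  high ' compare equal."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def check_question(question: str) -> list[str]:
    """Return the guideline violations for a proposed question (empty if none)."""
    q = normalize_answer(question)
    problems = []
    if q.startswith(YES_NO_OPENERS):
        problems.append("yes/no question: two guesses cover it")
    if "favorite" in q or "favourite" in q:
        problems.append("'favorite' answers drift over time")
    if any(topic in q for topic in SMALL_ANSWER_TOPICS):
        problems.append("answer set is small enough to enumerate")
    if any(topic in q for topic in PUBLIC_RECORD_TOPICS):
        problems.append("answer is typically discoverable from public records or social media")
    return problems


def check_answer(answer: str, public_facts: set[str]) -> list[str]:
    """Return the guideline violations for a proposed answer (empty if none)."""
    a = normalize_answer(answer)
    known = {normalize_answer(fact) for fact in public_facts}
    problems = []
    if len(a) < 4:
        problems.append("answer too short to resist guessing")
    if a in known:
        problems.append("answer matches a fact already published about this user")
    if re.fullmatch(r"[\d/\-. ]+", a):
        problems.append("purely numeric answer (date, zip, year) is easily enumerated")
    return problems


def is_acceptable(question: str, answer: str, public_facts: set[str]) -> bool:
    return not check_question(question) and not check_answer(answer, public_facts)


def enroll_answer(answer: str) -> tuple[bytes, bytes]:
    """Store the answer as a salted, slow hash, never in plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_answer(attempt: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the normalized attempt against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalize_answer(attempt).encode(),
                                    salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    samples = [
        ("What is your date of birth?", "1970-01-01"),
        ("What is your home zip code?", "99999"),
        ("Where did you meet your spouse?", "Central High"),
        ("Is your favorite color blue?", "yes"),
        ("What did your grandfather call you when you were five?", "Pumpernickel"),
    ]
    for question, answer in samples:
        verdict = "OK" if is_acceptable(question, answer, PUBLIC_FACTS) else "REJECT"
        print(f"{verdict:6} {question!r}",
              check_question(question) + check_answer(answer, PUBLIC_FACTS))
    salt, digest = enroll_answer("Pumpernickel")
    print(verify_answer("  pumpernickel ", salt, digest),
          verify_answer("pumpernickle", salt, digest))
```

Two points the guidelines imply but do not spell out are built in here: answers are compared after normalization, so a user who types extra spaces or different capitalization is not locked out of their own reset, and they are stored as salted slow hashes, because a table of plaintext security answers leaks exactly what a plaintext password table does.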

If you have not followed these guidelines in setting your eID password-reset question/answer, please update it in K-State’s eID profile system (sign in to eProfile, select “Password settings”, and update the “Password reset options”).

See “Tips for Avoiding Bad Authentication Challenge Questions” and “Good Security Questions” for more information.

About Harvard Townsend (harv@ksu.edu)

Chief Information Security Officer