Use non-obvious answers to security questions
When creating online accounts, have you ever been asked for answers to questions such as:
- What was your mum's maiden name?
- What was the first school you attended?
- What is your favourite colour?
These questions are often used to help prove your identity if you forget your password. Unfortunately, many of the answers we're encouraged to give are trivial to guess or research, gifting hackers an easy way to break into your account.
Consider how few answers there are to "What is your favourite colour?". Even if a first guess of "red" is wrong it probably wouldn't take too many tries to get it right. And does your public Facebook or LinkedIn profile answer the question "Which university did you attend?".
Strong passwords are worthless if hackers can just use this easy backdoor route.
The email account of the 2008 US Vice-Presidential candidate Sarah Palin was broken into this way, and nude photos of Scarlett Johansson were accessed by the same method.
Instead, to protect yourself just follow this simple rule:
Never provide a direct answer to the question.
If a website asks you these types of questions you could either give a completely irrelevant answer, or, if that's too hard to remember, answer the question truthfully but add a random word after it, such as "bathtub". You can use the same extra word for every account to help you remember it. Either way, treat the answer as a second password rather than as a fact about you: it should be something that cannot be looked up.
Facebook fun? Or a scam?
Do you ever see those Facebook posts that get shared thousands of times -
- "What's your pornstar name? Type the name of your first pet and your favourite colour now!", or
- "Discover your Star Wars character name! Enter the name of your favourite teacher and the name of the street you grew up on."
A bit of harmless fun? Maybe - or maybe not.
Think the questions look familiar? That's because they're often the very same ones that websites use as security questions to reset your password - and you might just be giving the answers away for all to see!
Even fun questionnaires that are just between friends can give information away to fraudsters. When was the last time you reviewed your Facebook privacy settings?
Be careful with what you post on social media - and who can see your posts. Those fun viral posts may not always be quite so fun & innocent after all...
Many websites now use stronger password reset processes, such as emailing a password reset link or texting a security code to your phone, but there are still many sites where a simple question is all that's stopping an attacker from accessing your account.
Make sure you protect yourself from this type of attack!
Your mobile phone
Do you read and send email from your phone? And do you access Facebook, Twitter, and other accounts from it too?
Whilst it's convenient to log straight into these apps without needing a password, if your phone is ever stolen then the thief will also be able to access these too. To help avoid this it's a good idea to do the following:
Add a PIN
The best defence is always to require a PIN when unlocking your phone (fingerprint scanning or facial recognition work just as well for everyday use, and your PIN still acts as the backup, so choose it carefully). You can often make this less intrusive by only asking for your PIN if your phone has been left locked for 5 minutes or more, though remember that the longer the delay, the longer a thief has to pick it up still unlocked.
Enable the "Find my phone" feature
Many modern phones come with a "Find My Phone" feature to help locate it if it's ever lost (for as long as it has power and a phone signal).
This feature also often allows you to remotely delete all data, preventing anyone from accessing whatever you have on your phone.
If you've lost your phone
If you ever lose your phone then you should try to find a computer and change the passwords for your different accounts straight away, just in case a thief does manage to access your phone. For more details see our Help! I've lost my phone page.
We have more in-depth advice on looking after your phone on our page here.
Avoid getting locked out
Whilst you're reviewing your security settings, you might also want to check any settings for proving your identity should you ever get locked out.
Most of us forget our passwords every now and then. Normally we can easily regain access by following a simple password reset process, but what if we forget the answers to the security questions, or don't have access to the email account that receives the password reset link?
A little forward planning can help here - see if your favourite websites offer these options:
1) Set up extra contact info:
- Adding contact details, such as a phone number or extra email address, can help you prove your identity if you ever find yourself locked out.
- Remember to review these regularly in case your details change.
2) Trusted Friends:
- Facebook also offers a "Trusted Contacts" feature, where you nominate 3 (or more) friends to prove your identity and help you regain access.
- Don’t worry, Facebook have checks in place to stop cheeky friends from abusing this & getting access to your account without your permission!
3) Recovery codes:
- Recovery codes are effectively a secondary password that you keep securely locked away (with your solicitor, for example) and use to reset your main password.
- You must make sure you look after these codes and treat them at least as securely as you would any other password.
Take a look in the "Account" or "Security Settings" sections of your favourite websites – see what they recommend and if there’s anything you can set up today.
You might also be interested in what happens to our online accounts when we die. A little forward planning of your digital legacy now can save your loved ones a lot of hassle later on.
How else can I keep my accounts secure?
A good antivirus package on your PC can help stop some viruses and other malware from silently stealing the passwords to your online accounts. Keep your computer's software up to date too, and never open any email attachments that you're not expecting.
BeCyberSafe.com have a lot of practical information about how to protect your computer from viruses - it's definitely worth a read.
Enabling activity notifications
Many websites have the ability to send you an alert if they ever detect any suspicious activity, such as if someone tries to log into your account from a new device or tries to change your password.
Knowing that someone is trying to access your account will serve as an immediate call to check all your security settings and perhaps change your password. Search the help section for "activity notifications" on your favourite websites for how to enable this.
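For readers curious what is happening behind the scenes when a website sends one of these alerts, here is an added example, not code from the original page or from any particular website, of the two checks the text describes: a login from a device the site has never seen for that account, and a password change. The event records, the device identifiers and the account names are all constructed for the example; a real site would typically identify a device by a cookie or token it set at a previous login.

```python
"""Added example: spotting a new-device login and a password change.

Each event is a dict with the keys 'account', 'event', 'device' and 'ip'
(an assumed shape, not one taken from the page). 'event' is either
'login' or 'password_change'.
"""
from dataclasses import dataclass, field

# Devices the site already knows for each account, seeded from earlier
# successful logins (constructed data).
KNOWN_DEVICES = {
    "alice": {"laptop-1a2b"},
    "bob": {"desktop-55aa"},
}

# Constructed sample events, in time order. The first two logins come from
# Alice's usual laptop; the third is from a device the site has not seen,
# and it is followed by a password change from that same new device.
SAMPLE_EVENTS = [
    {"account": "alice", "event": "login", "device": "laptop-1a2b", "ip": "203.0.113.10"},
    {"account": "alice", "event": "login", "device": "laptop-1a2b", "ip": "203.0.113.10"},
    {"account": "alice", "event": "login", "device": "android-9f8e", "ip": "198.51.100.77"},
    {"account": "alice", "event": "password_change", "device": "android-9f8e", "ip": "198.51.100.77"},
    {"account": "bob", "event": "login", "device": "desktop-55aa", "ip": "192.0.2.5"},
]


@dataclass
class ActivityMonitor:
    """Tracks which devices each account has logged in from and raises alerts."""

    known_devices: dict = field(default_factory=dict)

    def process(self, event):
        """Return the alert text for this event, or None if nothing is unusual."""
        account = event["account"]
        seen = self.known_devices.setdefault(account, set())
        if event["event"] == "login":
            if event["device"] not in seen:
                # Remember the device so the owner is only alerted once about it.
                seen.add(event["device"])
                return f"{account}: login from new device {event['device']} ({event['ip']})"
            return None
        if event["event"] == "password_change":
            # A password change is always worth telling the owner about, even
            # from a known device, so they can react if it wasn't them.
            return f"{account}: password changed from {event['device']} ({event['ip']})"
        return None


def run_monitor(events, known_devices=None):
    """Feed events through a monitor and return the list of alerts raised."""
    # Copy the seed data so the caller's dict is not modified.
    seeded = {acct: set(devs) for acct, devs in (known_devices or {}).items()}
    monitor = ActivityMonitor(seeded)
    return [alert for alert in (monitor.process(e) for e in events) if alert]


if __name__ == "__main__":
    for line in run_monitor(SAMPLE_EVENTS, KNOWN_DEVICES):
        print(line)
```

Running the sample produces two alerts: one for Alice's login from the unfamiliar Android device, and one for the password change that follows it. Bob's login from his usual desktop, and Alice's logins from her laptop, raise nothing, which is the behaviour you want from a notification you will actually keep switched on.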