Password Reset – don’t use obvious memorable answers
When creating online accounts have you ever been asked for answers to questions such as:
- What was your mum's maiden name?
- What was the first school you attended?
- What is your favourite colour?
These questions are often used to help prove your identity if you forget your password. Unfortunately, many of the answers we're encouraged to give are trivial to guess or to research, gifting attackers an easy way into your account.
Consider how few answers there are to "What is your favourite colour?". Even if a first guess of "red" is wrong, it probably wouldn't take many more tries to get it right. And your public Facebook or LinkedIn profile may well already answer "Which university did you attend?".
A strong password is worthless if an attacker can simply walk around it through this back door.
The email account of Sarah Palin, the 2008 US Vice-Presidential candidate, was broken into this way, and nude photos of Scarlett Johansson were stolen by the same method.
Instead, to protect yourself just follow this simple rule:
Never provide a direct answer to the question.
If a website asks you to set these types of questions, either give a completely irrelevant answer or, if that's too hard to remember, give the real answer with something random added after it, such as "bathtub". This extra word can be the same for every account to help you remember it. Bear in mind that some sites store answers unprotected, so if one of them is breached your extra word is exposed along with the rest; treat these answers as you would passwords and never share them.
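To see why the rule matters, here is an added example (not code from this page or from the site) that simulates an attacker working through a short list of likely colours against a reset form which, like many, compares answers case-insensitively and allows a limited number of attempts. The colour list, the 20-attempt budget and the hashing settings are assumptions chosen for the illustration; a plain answer falls on the second guess, while the same answer with an appended word survives the whole list:

```python
import hashlib
import secrets

# Constructed candidate list an attacker would try first for "favourite colour"
# (example data for this illustration, not taken from any real breach or survey).
COMMON_COLOURS = [
    "red", "blue", "green", "yellow", "black", "white", "purple",
    "pink", "orange", "brown", "grey", "gray", "navy", "teal", "turquoise",
]

# Iteration count is an assumption; kept modest so the example runs quickly.
ITERATIONS = 50_000


def normalise_answer(answer: str) -> str:
    """Many sites compare answers case- and whitespace-insensitively,
    so an attacker only has to guess the normalised form."""
    return " ".join(answer.lower().split())


def store_answer(answer: str) -> tuple:
    """Salted, stretched hash of the normalised answer, as a careful site would store it."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise_answer(answer).encode(), salt, ITERATIONS)
    return salt, digest


def check_answer(stored: tuple, guess: str) -> bool:
    """Constant-time comparison of a submitted answer against the stored hash."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", normalise_answer(guess).encode(), salt, ITERATIONS)
    return secrets.compare_digest(candidate, digest)


def guess_answer(stored: tuple, candidates, budget: int = 20):
    """Simulate an attacker trying `candidates` in order against a reset form that
    allows `budget` attempts. Returns the attempt number that succeeded, or None."""
    for attempt, guess in enumerate(candidates, start=1):
        if attempt > budget:
            break
        if check_answer(stored, guess):
            return attempt
    return None


if __name__ == "__main__":
    plain = store_answer("Blue")
    suffixed = store_answer("Blue bathtub")
    print("plain answer guessed on attempt:", guess_answer(plain, COMMON_COLOURS))
    print("suffixed answer guessed on attempt:", guess_answer(suffixed, COMMON_COLOURS))
```

The hashing on the site's side makes no difference here: the weakness is the tiny answer space, not how the answer is stored, which is exactly why the extra word helps.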
Facebook fun? Or a scam?
Do you ever see those Facebook posts that get shared thousands of times -
- "What's your pornstar name? Type the name of your first pet and your favourite colour now!", or
- "Discover your Star Wars character name! Enter the name of your favourite teacher and the name of the street you grew up on."
A bit of harmless fun? Maybe - or maybe not.
Think the questions look familiar? That's because they're often the very same ones websites use as security questions to reset your password - and you might be giving the answers away for all to see!
Be careful with what you post on Facebook - those fun viral posts may not always be quite so fun & innocent after all...
Many websites now use stronger password reset processes, such as emailing a password reset link or texting a security code to your phone, but there are still many sites where a simple question is all that's stopping an attacker from accessing your account.
Make sure you protect yourself from this type of attack!
Your mobile phone
Do you read and send email from your mobile phone? And do you access Facebook, Twitter, and other accounts from it too?
It can be convenient to let your phone log you into these without asking for a password every time, but if your phone is stolen the thief will be able to open those apps too. It's a good idea to do the following:
Add a pin
The best defence is to require a PIN (or passcode) to unlock your phone. Fingerprint or face unlock is a convenient alternative, but the phone still falls back to the PIN, so the PIN itself needs to be a good one. You can often make this less intrusive by only asking for the PIN if the phone has been locked for 5 minutes or more.
Enable the "Find my phone" feature
Many modern smartphones come with a "Find My Phone" feature to help locate it if it's ever lost (for as long as it still has power and a network connection).
This feature usually also lets you remotely wipe the phone, preventing anyone from accessing whatever is on it.
If you lose your phone
If you lose your phone, find a computer and change the passwords for your accounts straight away, and use any "sign out of all devices" option the services offer, just in case a thief does manage to get into your phone.
We have more in-depth advice on looking after your phone on our page here.
Avoid getting locked out
Whilst you're reviewing your security settings, you might also want to check any settings for proving your identity should you ever get locked out.
Most of us forget our passwords now and then. Normally we can regain access by following a simple password reset process, but what if we forget the answers to the security questions, or don't have access to the email account the reset link is sent to?
A little forward planning can help here - see if your favourite websites offer these options:
1) Set up extra contact info:
- Adding contact details, such as a phone number or extra email address, can help you prove your identity if you ever find yourself locked out.
- Remember to review these regularly in case your details change.
2) Trusted Friends:
- Facebook also offers a "Trusted Friends" feature, where you nominate 3 (or more) friends to prove your identity and help you regain access.
- Don't worry, no single friend can get into your account this way: Facebook gives each trusted friend only a code, and you need codes from several of them before access is restored.
3) Recovery codes:
- Recovery codes are effectively a secondary, long and random password that you keep safely locked away (in the care of your solicitor, for example) and use to reset your main password. Services typically issue a small set of them, each of which works only once.
- Look after these codes and treat them at least as securely as any other password; if you think one may have been seen by someone else, generate a fresh set.
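For those curious how a recovery code scheme of this kind typically works on the service's side, the following is an added example (illustrative Python, not the page's code or that of any named service). The code format, alphabet and hashing choices are assumptions; what it shows is that the codes are random enough that guessing them is hopeless, that the server keeps only keyed hashes, and that each code is consumed on first use:

```python
import hashlib
import hmac
import secrets

# Unambiguous alphabet (no 0/O, 1/l/I) so a code written on paper is easy to type back.
# 31 symbols; two groups of five gives about 49.5 bits per code. (Format is an assumption.)
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_recovery_codes(count: int = 8, groups: int = 2, group_len: int = 5):
    """Return `count` random codes such as 'k7m2p-9xqwa', drawn from the OS CSPRNG."""
    return [
        "-".join(
            "".join(secrets.choice(CODE_ALPHABET) for _ in range(group_len))
            for _ in range(groups)
        )
        for _ in range(count)
    ]


def normalise_code(code: str) -> str:
    """Accept the code however the user typed it back: spaces, dashes, capitals."""
    return code.replace("-", "").replace(" ", "").lower()


class RecoveryCodeStore:
    """Server side of the scheme: only keyed hashes are kept, so a database leak does
    not reveal usable codes, and each code is removed from the set when redeemed."""

    def __init__(self, server_key: bytes):
        self._key = server_key      # secret held by the service, not stored with the hashes
        self._hashes = set()

    def _digest(self, code: str) -> str:
        return hmac.new(self._key, normalise_code(code).encode(), hashlib.sha256).hexdigest()

    def enrol(self, codes) -> None:
        """Called when the user generates a fresh set; any older set is discarded."""
        self._hashes = {self._digest(c) for c in codes}

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, code: str) -> bool:
        """Single use: a valid code is consumed on success and can never be replayed."""
        digest = self._digest(code)
        if digest in self._hashes:
            self._hashes.discard(digest)
            return True
        return False


if __name__ == "__main__":
    codes = generate_recovery_codes()
    store = RecoveryCodeStore(secrets.token_bytes(32))
    store.enrol(codes)
    print("codes to print and lock away:", *codes, sep="\n  ")
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

Because a redeemed code is gone, the user is expected to generate a new set once most have been used; that is also why the page's advice to regenerate after a suspected exposure is cheap to follow.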
Take a look in the "Account" or "Security Settings" sections of your favourite websites – see what they recommend and if there’s anything you can set up today.
You might also be interested in what happens to our online accounts when we die. A little forward planning now can save our loved ones a lot of hassle later on.
How else can I keep my accounts secure?
Good antivirus software on your PC can help stop some malware from silently stealing the passwords to your online accounts. You should also keep your computer's software up to date, and never open email attachments you weren't expecting.
BeCyberSafe.com has a lot of practical information about protecting yourself from viruses - it's definitely worth a read.
Enabling activity notifications
Many websites can send you an alert when they detect suspicious activity, such as someone logging into your account from an unrecognised device or changing your password.
Knowing that someone is trying to access your account is an immediate prompt to check your security settings and change your password. Search the help section of your favourite websites for "activity notifications" or "login alerts" to find out how to enable this.
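As an added illustration (not code from this page or from any real service), the following replays a handful of constructed login events and produces the kind of alerts described above: a sign-in from a device the account has not used before, and a password change, rated higher when it comes from a device that only just appeared. The event format, device identifiers, seeded known devices and severity labels are all assumptions made for the example:

```python
from collections import defaultdict

# Constructed sample events for this example (not real logs). One per line:
# timestamp account event device_id source_ip
SAMPLE_EVENTS = """\
2024-03-01T08:00:00Z alice login_ok dev-laptop-1 203.0.113.10
2024-03-01T08:05:00Z alice login_ok dev-phone-7 203.0.113.10
2024-03-02T23:10:00Z alice login_ok dev-unknown-9 198.51.100.23
2024-03-02T23:12:00Z alice password_changed dev-unknown-9 198.51.100.23
2024-03-03T09:00:00Z bob login_fail dev-laptop-2 203.0.113.44
2024-03-03T09:01:00Z bob login_ok dev-laptop-2 203.0.113.44
""".splitlines()

# Devices each account has already used and confirmed (seeded for the example).
KNOWN_DEVICES = {"alice": {"dev-laptop-1", "dev-phone-7"}, "bob": {"dev-laptop-2"}}


def parse_event(line: str) -> dict:
    ts, account, event, device, ip = line.split()
    return {"ts": ts, "account": account, "event": event, "device": device, "ip": ip}


def activity_alerts(lines, known_devices):
    """Replay events in order and return (timestamp, account, severity, message) tuples.

    - A successful login from a device not in the account's known set is alerted
      and the device is then remembered, so the owner hears about it once.
    - A password change is always alerted; if it comes from a device that was only
      just added during this replay it is marked high, since that is the pattern of
      an intruder who has got in and is now locking the owner out.
    """
    known = defaultdict(set, {acct: set(devs) for acct, devs in known_devices.items()})
    newly_seen = defaultdict(set)
    alerts = []
    for line in lines:
        e = parse_event(line)
        acct, dev = e["account"], e["device"]
        if e["event"] == "login_ok" and dev not in known[acct]:
            known[acct].add(dev)
            newly_seen[acct].add(dev)
            alerts.append((e["ts"], acct, "medium", f"new device {dev} signed in from {e['ip']}"))
        elif e["event"] == "password_changed":
            severity = "high" if dev in newly_seen[acct] else "low"
            alerts.append((e["ts"], acct, severity, f"password changed from {dev} ({e['ip']})"))
    return alerts


if __name__ == "__main__":
    for ts, acct, severity, msg in activity_alerts(SAMPLE_EVENTS, KNOWN_DEVICES):
        print(f"{ts} [{severity}] {acct}: {msg}")
```

Bob's single failed login followed by a normal sign-in from his usual laptop produces nothing; a real service would also rate-limit repeated failures, but that is a separate control from the owner-facing alerts this page is about.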