
Are you Iron Man or the Hulk?

Have you seen a quiz on social media that promises to identify which Marvel character you’re most like? How about one that will guess your favorite Disney princess? Sometimes it feels like my whole social media feed is made up of people posting their results!

And don’t you hate it when you’re trying to log onto a website, but you can’t remember your password? Frustrated, you click a link called “forgot my password” and answer a couple of questions. You input where you grew up and your first pet’s name, and then you’re able to reset your password and log in.

But have you ever noticed the similarity between the questions those quizzes ask and the questions that companies use to reset your passwords? This Cybersecurity Awareness Month, as we focus on stronger passwords and using multifactor authentication, it’s easy to overlook a critical component of the security model: password resets.

As more people started using more websites, it became impractical to field all the support calls from users who forgot their passwords, so the technology industry came up with the self-service password reset. By using some clever questions that only you know the answers to, you can reset your own password without calling into the website for help. Many websites now require you to provide a few of these “challenge questions” when you create your account. Other websites use third parties to pull information from public records or credit reports to verify that you are who you claim to be when resetting your password.
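To make the weakness concrete, here is an added example (not code from the original post, and not any particular website's implementation) of a self-service password reset in two versions. The weak version does exactly what the paragraph above describes: the static challenge answers are the entire check, so anyone who has collected those answers can change the password. The hardened version treats the answers as only one weak signal: it normalizes and hashes them, rate-limits guesses, and still requires a one-time token delivered out of band (simulated here by an `outbox` dictionary) before the password changes. All usernames, answers and timing constants are constructed sample data.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 3         # failed answer attempts before resets for the account are locked
LOCKOUT_SECONDS = 900    # how long the lock lasts
TOKEN_TTL_SECONDS = 600  # how long a delivered reset token stays valid


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive form so 'Fluffy ' and 'fluffy' match."""
    return " ".join(answer.split()).lower()


class WeakReset:
    """The flow the post describes: static answers are the whole check."""

    def __init__(self):
        self.users = {}  # username -> {"answers": [...], "password": str}

    def register(self, username, answers, password):
        self.users[username] = {"answers": list(answers), "password": password}

    def reset(self, username, answers, new_password) -> bool:
        user = self.users.get(username)
        if user is None or user["answers"] != list(answers):
            return False
        user["password"] = new_password  # anyone holding the answers gets in
        return True


class HardenedReset:
    """Answers are salted-hashed, guesses are rate-limited, and a one-time
    token delivered out of band is still required to change the password."""

    def __init__(self, clock=time.time):
        self.clock = clock     # injectable so expiry and lockout can be tested
        self.users = {}
        self.pending = {}      # username -> (token, expires_at)
        self.outbox = {}       # stands in for the e-mail/SMS channel the real owner controls

    def _hash(self, salt: bytes, answer: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)

    def register(self, username, answers, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "answers": [self._hash(salt, a) for a in answers],
            "password": password,
            "failures": 0,
            "locked_until": 0.0,
        }

    def begin_reset(self, username, answers) -> bool:
        """Check the answers; on success deliver a token out of band.
        Returns only whether a token was sent, never the token itself."""
        user = self.users.get(username)
        if user is None:
            return False  # same response as a wrong answer: no account enumeration
        now = self.clock()
        if now < user["locked_until"]:
            return False
        salt = user["salt"]
        # Evaluate every answer before deciding, so the timing does not reveal which one failed.
        checks = [hmac.compare_digest(self._hash(salt, a), h)
                  for a, h in zip(answers, user["answers"])]
        if len(answers) != len(user["answers"]) or not all(checks):
            user["failures"] += 1
            if user["failures"] >= MAX_ATTEMPTS:
                user["locked_until"] = now + LOCKOUT_SECONDS
                user["failures"] = 0
            return False
        user["failures"] = 0
        token = secrets.token_urlsafe(32)
        self.pending[username] = (token, now + TOKEN_TTL_SECONDS)
        self.outbox[username] = token  # only the account's real owner can read this channel
        return True

    def complete_reset(self, username, token, new_password) -> bool:
        entry = self.pending.get(username)
        if entry is None:
            return False
        expected, expires_at = entry
        self.pending.pop(username)  # single use: a stale or wrong token burns it
        if self.clock() > expires_at or not hmac.compare_digest(expected, token):
            return False
        self.users[username]["password"] = new_password
        return True
```

The point of the comparison is that knowing the answers is enough against `WeakReset`, while against `HardenedReset` it only earns the right to have a token sent to a channel the attacker does not control, and repeated wrong guesses lock the flow. Quiz-harvested answers are therefore far less valuable to an attacker when the reset flow is built this way, which is the kind of improvement the post alludes to.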

Very quickly, clever hackers and scammers recognized that the answers to these questions never change, and that by collecting these personal tidbits they could bypass the password entirely. Cybersecurity professionals have made a number of improvements to the flow that reduce the exposure, but password resets remain a readily exploitable weakness. So, the next time you’re tempted to see which comic book character you are, ask yourself these questions:

  • Is this information something I’ve ever used to reset a password?
  • Is this something specific about my past that won’t change, like the name of my first pet or the color of the house I grew up in?
  • Would I feel awkward sharing this with a stranger in line at the coffee shop?

If the answer to any of those is yes, don’t be a victim by living in Fantasyland and telling yourself that it can’t happen to you. Reconsider whether it’s wise to risk your data just to find out what Marvel or Disney character you are.
