
My state-wide teaching tour continues next Monday, February 27, 2012, 6:30 p.m. at the Choctaw Library in Choctaw, OK. Last week’s class at the Mustang Library was rescheduled due to my being under the weather; I’ll be there Thursday, March 1, at 6:30 p.m.
The class, “Fight the Internet Bad Guys and Win!”, will teach you how to defeat the Internet bad guys who want to mess with your life. The class is free, one night only, and will last about 90 minutes. If you use a computer, you should attend. Visit my website for more details.

One section of the class is devoted to security questions. Remember last week, when I discussed passcodes (formerly known as “passwords”)? Passcodes are great, but what if you forget your passcode, or lose the piece of paper it was written on? To solve this problem, so-called “security questions” were invented.

Security questions have been a common requirement for most online accounts created within recent years, such as email, PayPal, Yahoo, Amazon and the like. The thinking is that, if you forget your passcode, the security questions and answers you created when you first established the account can be used to verify your identity.

For most online accounts requiring a passcode, you’ll see something on the login page that says, “I can’t access my account,” or, “I forgot my password.” If you click on that link, you will be asked your security questions, the idea being that you, and only you, will know the correct answers. Once it has been proven that you are who you say you are, a new passcode for the account can be issued.

This scheme is nice in theory but, in practice, can lead to disaster. A few years back, Sarah Palin’s email account was hacked because she gave truthful answers to Yahoo’s security questions. The answers to questions like “Where did you meet your spouse?”, “Name of your first child?”, “Name of your elementary school?” and “Name of your dog?” are common knowledge for public figures like Palin. To hack her account, all it took was one smarty-pants bad guy clicking the “I can’t access my account” link for the email account gov.palin@yahoo.com. After answering questions whose answers anyone in the world could easily find, bang, he was in and she was out.

In the case of security questions, honesty is not the best policy. Best practice is to give fake answers to security questions, answers that nobody (including family members) could possibly know. For example: Q: Where did you meet your spouse? A: cheeseburger. Q: Name of your elementary school? A: Bozo the Clown. Q: Name of your dog? A: flabadip. Even though they may never be needed, write down your answers anyway and keep them in a secure location.

If this all sounds too silly to believe, well, I admit, it’s pretty silly. Not nearly as silly, though, as having your email account hacked because the answers to your security questions can be gleaned from your Facebook profile. To learn more, read my columns about the Palin email hack from September 2008, found on my website.