How to Answer Secret Questions
Many accounts permit or require users to answer so-called “secret questions”. The idea is that you provide answers in advance so that the site can later verify that it is really you, usually when you have forgotten your password. Unfortunately, for most of these questions the answers are easily obtained by an attacker. Here we discuss how to prevent those attacks so that your “secret answers” to their “secret questions” can actually be secret.
First of all, let’s recognize that the answers to most secret questions can be obtained by a good researcher. “Where did you attend high school?” “Where were you born?” “What was the model of your first car?” In order to make your answers secret you must somehow provide an answer that is more than just the real answer. One technique is to use a password manager and to save the question along with a randomly generated answer. “What is your mother’s maiden name?” might be answered “dFr%@4d”. As long as you have a secure, private place to store the question and the answer so that you can find it when you need to authenticate, this is a secure method of solving the problem; an attacker who knows everything about you still knows nothing about the answer. (One practical caveat: some sites reject symbols or spaces in the answer field, so generate the answer from characters the site accepts.) However, most people would prefer to answer the questions in such a way that they can remember the answers.
A simple method for this is to have a secret word. (For extra security you can have a different word for each account – but you will need to remember each word!) For this example let’s assume that my secret word is “markers”. That’s my secret word for all of my personal accounts. I will use that everywhere. Therefore the answer to all of my secret questions will be prefixed with that word. The answer to “Where did you attend high school?” changes from “Randolph High School” to “markers Randolph High School”. The answers to “Where were you born?” and “What was the model of your first car?” would be “markers Boston” and “markers Sentra”. As long as I do not tell anyone my secret word, an attacker who has learned the real answers through research still has to guess the word before any of my answers will work. Two things follow from that. The strength of the scheme is exactly the guessability of the word, so choose one that is not obvious from your life or your social media. And because the word is reused, a site that stores your answers in plain text and is breached exposes the word for every account where you used it, which is why a different word per account is the safer option if you can keep track of them.
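As an added illustration (not part of the original post), the following Python script implements both approaches discussed above: it generates random answers of the kind you would store in a password manager, builds the prefixed answers from a secret word, and estimates how much guessing work is left for an attacker who has already researched the real answers. The alphabet, the 16-character length and the 100,000-word dictionary size are assumptions chosen for the example; adjust them to what the site accepts and to how guessable your word really is.

```python
import math
import secrets
import string

# Assumption (not from the post): many secret-answer fields accept only letters
# and digits, so generated answers use just those. Widen it if the site allows.
ANSWER_ALPHABET = string.ascii_lowercase + string.digits


def random_answer(length: int = 16, alphabet: str = ANSWER_ALPHABET) -> str:
    """Random answer to store next to the question in a password manager.

    secrets.choice draws from the OS CSPRNG; random.choice is not suitable here.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_vault(questions):
    """Map each question to a fresh random answer, as a password manager would."""
    return {q: random_answer() for q in questions}


def prefixed_answer(secret_word: str, real_answer: str) -> str:
    """The memorable scheme: the secret word in front of the researchable answer."""
    return f"{secret_word} {real_answer}"


def stripped_word(prefixed: str, real_answer: str) -> str:
    """What an attacker who knows the real answer still has to guess: the word."""
    suffix = " " + real_answer
    if not prefixed.endswith(suffix):
        raise ValueError("prefixed answer does not end with the real answer")
    return prefixed[: -len(suffix)]


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work, in bits, for a uniformly random string."""
    return length * math.log2(alphabet_size)


def residual_entropy(word: str, dictionary_size: int = 100_000) -> float:
    """Guessing work left once only the secret word is unknown.

    A single plain word is modelled as one pick from the attacker's word list
    (dictionary_size entries); anything else is treated as random characters
    over the lowercase alphabet, which is generous for human-chosen words.
    """
    if word.isalpha() and word.islower():
        return math.log2(dictionary_size)
    return entropy_bits(len(word), 26)


if __name__ == "__main__":
    # Constructed sample questions, as they appear on a typical account page.
    questions = ["What is your mother's maiden name?", "Where were you born?"]
    for q, a in build_vault(questions).items():
        print(f"{q} -> {a}")
    print(f"random 16-char answer: {entropy_bits(16, len(ANSWER_ALPHABET)):.1f} bits")

    answer = prefixed_answer("markers", "Boston")
    word = stripped_word(answer, "Boston")
    print(f"{answer!r} after research leaves {residual_entropy(word):.1f} bits")
```

Run it and compare the two numbers printed at the end: the random answer is worth about 83 bits of guessing, while the prefixed answer, once the attacker has researched “Boston”, is worth only as much as the word “markers” itself, roughly 17 bits if it comes from a 100,000-word list. That is the trade-off the two methods represent: the password-manager answer is much stronger, the secret word is memorable, and a word that is not in any dictionary moves the second number up.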
In review, select a secret word, one that you do not tell anyone and that is not easy to guess. Then use that word in front of the actual answer to every secret question. All of your accounts are now far harder to take over through the “forgot password” path than they were before, and if you are willing to rely on a password manager, random answers make them harder still.