Friday, December 07, 2007

Security of personal info

Next time you open a bank account or apply for a credit card and they ask for a security question, DO NOT use your mother's maiden name. That has long been the default security question, but it is most definitely not a good idea.
For most people this information is too widely known to be an effective security question.

I took down all genealogy info from my website a few years ago when I came to the realization that web sites, including banks, were still relying on this little tidbit of info to "prove" that someone had a legitimate claim to change or discover passwords and other secure info under the trust of the website.

Just as bad as that is "What brand was your first car?" For quite a large number of people that will be one of the following: Dodge, GM, Ford, Honda, Toyota, Volkswagen, Chrysler. Even if you add in some more obscure brands and all the luxury brands that are not likely to be first cars, that's not that many permutations to try before the attacker hits paydirt.

The best option of all is when they let you make up the security question yourself. Then choose a question that you think ONLY you would know the answer to and that you won't forget. Again, try for something that can't be guessed in a limited (small) number of tries and that is not easy to look up on the internet or to get by asking one of your relatives.
So "How many kids did Aunt Sue have?" would be a bad choice. "What song did your ex love that you secretly hated?" is better.