T. Kearny Vertner, III

The Legend of Good Security

In addition to good passwords and multi-factor authentication, a robust legend should be a cornerstone of your security practices.


In many previous articles, I've written about the importance of choosing good passwords and never reusing them. Additionally, adding some form of multi-factor authentication is essential; this adds a hardware token, a certificate, or a one-time code generated by an app on your phone to the mix. The third element to discuss is your security questions and the legend you use to answer them.


What's Your Legend?


Many times your accounts will feature a function that allows you to answer a series of security questions that only you should know. The classic was your mother's maiden name; however, we now live in a world where a quick visit to a genealogy site, online public records, or a personal information service can trivially yield the correct answer. Most sites have moved on to slightly more clever things, like asking what your favorite band is, the name of your first pet, or the make and model of your first car. All of this information is your legend. A legend is just a story, and most of us will use the one legend we already know: the real one.


This is increasingly a problem. In a world of social media, we're all inadvertently providing the answers to these questions. Your friend on Facebook makes a post asking you to fill out and share what kind of things you've done or places you've been. Another friend encourages you to fill out a quiz that helps you figure out what Hogwarts house you belong to. All of these benign activities are fun ways to get to know each other, but they have side effects. One minor effect is that they further help advertisers focus their ads with the information collected. This isn't just gathered from how you answer the questions to determine which Avenger you are, but the fact that you were even interested in which Avenger rather than any of the other quizzes they offered.


The more worrying effect is how this puts your security question answers into a substantially more public record. It's akin to writing an autobiography and scattering pages from it across the internet. Depending on how much you share and where, this might be a relatively minor concern, but it does expose a potential attack surface: an attacker who can answer your questions can often reset your password without ever knowing it.


What's Your New Legend?


Fortunately, this potential vulnerability can be easily mitigated with a simple and fun creative writing exercise! First, let's consider some common security questions, such as:


  • What is the first and last name of your first boyfriend or girlfriend?

  • Which phone number do you remember most from your childhood?

  • What was your favorite place to visit as a child?

  • Who is your favorite actor, musician, or artist?

  • What is the name of your favorite pet?

  • In what city were you born?

  • What high school did you attend?

  • What is the name of your first school?

  • What is your favorite movie?

  • What is your mother's maiden name?

  • What street did you grow up on?

  • What was the make of your first car?

  • What is your favorite color?

  • What is your father's middle name?

  • What is the name of your first-grade teacher?

  • What was your high school mascot?


Now take out a piece of paper and answer these questions with new answers. If your real high school mascot was the Spartans, your new answer could be the Trojans. Want to make it even stronger? Make it something completely nonsensical. In what city were you born? Ham Sandwich, of course! After you finish writing your legend, go through and start changing your security questions on all of your accounts. If you're crunched for time, start with the most important, including your e-mail and banking accounts. Once you're done, take that paper and place it somewhere safe. Why did we use paper? Because an electronic document is more likely to be leaked and exploited. Remember that these answers are now effectively a second set of passwords: a plain-text file on your laptop or in a cloud drive is a poor home for them, and if you do want an electronic copy, the secure notes field of a password manager is the right place.
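The author's method is to invent the answers by hand; as an added example that is not part of the original article, the Python script below does the same job mechanically, drawing each answer from a word list using the operating system's cryptographic random number generator, and then checks that no "new" answer still contains the real one (the tempting mistake of turning "Spartans" into "Spartans 2"). The word list, the question set, and the function names are assumptions made for this illustration; a real run should use a large published list such as a diceware list rather than the small one embedded here.

```python
import math
import random
import secrets
from typing import Dict, List, Optional

# Constructed word list for this example only. It is deliberately small
# and silly; a real legend should draw from thousands of words.
WORDS: List[str] = [
    "ham", "sandwich", "trojan", "pickle", "walrus", "banjo", "copper",
    "velvet", "tundra", "kettle", "marble", "saffron", "otter", "lantern",
    "quartz", "meadow", "thimble", "gravel", "orbit", "plume",
]

# A subset of the questions from the article, used as sample input.
QUESTIONS: List[str] = [
    "What is the first and last name of your first boyfriend or girlfriend?",
    "In what city were you born?",
    "What was your high school mascot?",
    "What is your mother's maiden name?",
]


def answer_entropy_bits(words_per_answer: int, wordlist_size: int) -> float:
    """Entropy of one answer: log2(N) bits per word drawn uniformly from N words."""
    return words_per_answer * math.log2(wordlist_size)


def generate_legend(
    questions: List[str],
    words_per_answer: int = 3,
    wordlist: List[str] = WORDS,
    rng: Optional[random.Random] = None,
) -> Dict[str, str]:
    """Return a nonsensical answer for every question.

    Each answer is `words_per_answer` words chosen uniformly, with
    replacement, from `wordlist`. The default generator is
    secrets.SystemRandom (the OS CSPRNG); a seeded random.Random may be
    passed in only for reproducible testing, never for a real legend.
    Words are joined with spaces so the answer is easy to type into a
    web form and easy to read back from paper.
    """
    if words_per_answer < 1:
        raise ValueError("words_per_answer must be at least 1")
    if len(wordlist) < 2:
        raise ValueError("wordlist is too small to produce a useful answer")
    rng = rng or secrets.SystemRandom()
    return {
        q: " ".join(rng.choice(wordlist) for _ in range(words_per_answer))
        for q in questions
    }


def legend_leaks_truth(legend: Dict[str, str],
                       real_answers: Dict[str, str]) -> List[str]:
    """Return the questions whose fake answer still contains the real one.

    The comparison is a case-insensitive substring match, so "Spartans 2"
    is flagged for a real answer of "Spartans". Questions with no known
    real answer are skipped.
    """
    leaks: List[str] = []
    for question, fake in legend.items():
        real = real_answers.get(question, "").strip()
        if real and real.lower() in fake.lower():
            leaks.append(question)
    return leaks


if __name__ == "__main__":
    legend = generate_legend(QUESTIONS)
    for question, answer in legend.items():
        print(f"{question}\n    -> {answer}")
    print(f"about {answer_entropy_bits(3, len(WORDS)):.1f} bits per answer "
          f"with this {len(WORDS)}-word list")
    # Constructed 'real' answers to show the leak check in action.
    real = {"What was your high school mascot?": "Spartans"}
    print("leaks:", legend_leaks_truth(legend, real))
```

With the 20-word list above, three words give only about 13 bits per answer, which is fine for a demonstration but not for a bank. Swapping in the 7,776-word EFF diceware list raises that to roughly 38.8 bits per answer, comfortably more than a site's reset form will let anyone guess through.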


Conclusion


Good password practices and enabling multi-factor authentication are critical to keeping you a hard target. It's not a matter of if some of your account information is exposed, but when. If you can make it so that an attacker needs five or six pieces of data instead of just two, you'll substantially reduce the likelihood that your account is taken over before you can change your password. Creating a good legend adds an extra layer of security while giving you a little more flexibility to share fun personal details on social media (like your Top 5 Movies) without worrying that someone could use them to gain access to your bank account.



© 2020 by T. Kearny Vertner, III. These are my views and do not necessarily reflect the policy or position of the Department of Defense or its components.