What’s your secret question (Part III)

If your secret question is easier to guess than your password, your password is effectively useless. From the abstract of a recent Microsoft research paper:

All four of the most popular webmail providers – AOL, Google, Microsoft, and Yahoo! – rely on personal questions as the secondary authentication secrets used to reset account passwords. The security of these questions has received limited formal scrutiny, almost all of which predates webmail. We ran a user study to measure the reliability and security of the questions used by all four webmail providers. We asked participants to answer these questions and then asked their acquaintances to guess their answers. Acquaintances with whom participants reported being unwilling to share their webmail passwords were able to guess 17% of their answers.

Since you often need to provide answers to secret questions when signing up for online accounts, I suggest using strings like “lJOcK6gS”. You can employ something like Password Safe to generate those strings and store them.

Read more about passwords