Jan 13, 2012

New Year's Resolutions with LastPass: #5 Generate Your Answers to "Security Questions"

While the password generator is key for diversifying and strengthening your account passwords, it's also a great tool for providing answers to common "security questions" for your accounts.

Security answers are often included as a second form of login verification or as part of an account recovery process, most frequently with online financial institutions and email accounts. Although many sites have made an effort in recent years to increase the obscurity of the security questions (at least, we hope they're generally better than this), the fact remains that the answers to common security questions are more accessible than ever before. Even if you're not a high-profile target, by generating answers with the LastPass password generator you'll help reduce the risk that someone may use security questions to compromise your accounts.

When registering for new sites that require an answer to a security question, it's simple to quickly generate an "answer" and add it to the new site entry stored in LastPass.

Let's say you're signing up for a new Gmail account. After going through the set-up process, go into the account settings to create a security question and answer for account recovery purposes.

After selecting a question from the drop-down options, we go to the LastPass Icon, choose the Tools menu, and open the "Generate Secure Password" feature:

When the dialog opens, you can check "Show Advanced Options" to customize your generated password:

Click "generate" to create a new password with your customized options, then "copy" to copy the password to your clipboard. Go back to the security answer field, and paste the generated password. After confirming that your new answer is accepted by the site, you can go to your LastPass Icon, click on the site name listed at the bottom of the menu, and open the "edit" dialog. Paste the generated password in the Notes, also noting which security question you chose.
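As an added example (my own code, not LastPass's generator), here is what the two kinds of generated answer look like in Python and why they beat a real answer: a uniformly random string like the default generator output, and a pronounceable consonant-vowel-consonant form of the kind the advanced options can produce, each with its entropy in bits next to a constructed estimate for a genuine maiden name. The alphabets, the 100,000-surname pool and the Notes layout are my assumptions for illustration.

```python
import math
import secrets
import string

# Constructed alphabets for this example; they are not LastPass's generator settings.
RANDOM_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"  # 70 symbols
CONSONANTS = "bcdfghjklmnprstvwz"  # 18; q, x, y left out so syllables stay readable
VOWELS = "aeiou"                   # 5


def random_answer(length: int = 16) -> str:
    """Uniformly random answer drawn with the OS CSPRNG (secrets), like a generated password."""
    return "".join(secrets.choice(RANDOM_ALPHABET) for _ in range(length))


def pronounceable_answer(syllables: int = 5) -> str:
    """Consonant-vowel-consonant syllables: still random, but readable to a call-centre agent."""
    return "".join(
        secrets.choice(CONSONANTS) + secrets.choice(VOWELS) + secrets.choice(CONSONANTS)
        for _ in range(syllables)
    )


def entropy_bits_random(length: int) -> float:
    """Each position is one of len(RANDOM_ALPHABET) equiprobable symbols."""
    return length * math.log2(len(RANDOM_ALPHABET))


def entropy_bits_pronounceable(syllables: int) -> float:
    """Each syllable is consonant x vowel x consonant, all three chosen independently."""
    return syllables * (2 * math.log2(len(CONSONANTS)) + math.log2(len(VOWELS)))


def entropy_bits_guessable(candidate_pool: int) -> float:
    """Upper bound for a true answer that must be guessed from candidate_pool equally
    likely values; an answer that can simply be looked up is worth 0 bits."""
    return math.log2(candidate_pool) if candidate_pool > 1 else 0.0


def notes_entry(question: str, answer: str) -> str:
    """Text for the site entry's Notes field: record which question was chosen, not just the answer."""
    return f"Security question: {question}\nSecurity answer: {answer}"


if __name__ == "__main__":
    print(f"random 16 chars:       {random_answer()}  ({entropy_bits_random(16):.1f} bits)")
    print(f"pronounceable 5 syll.: {pronounceable_answer()}  ({entropy_bits_pronounceable(5):.1f} bits)")
    # Constructed comparison: a real maiden name guessed from a pool of ~100,000 surnames.
    print(f"real maiden name, 100k-surname pool: {entropy_bits_guessable(100_000):.1f} bits")
    print(notes_entry("What is your mother's maiden name?", pronounceable_answer()))
```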

If you know you're using personal information for security answers, set aside some time to log in to those accounts, generate a new "answer" with LastPass, and store the update in your site entry. Accounts for online banking, email, social media, and credit cards are all good places to start.

Generating answers with LastPass doesn't directly affect your Security Check score, but it will improve your overall online security.

Best,
The LastPass Team

24 comments:

  1. Any chance we could get something specifically built into the password saving dialog to perform and save this specific function. I currently have them all saved as secure notes but would love to see them nicely saved and be able to copy them from the browser extensions directly.

    Thanks for LastPass!

    1. Thanks for the suggestion, I'll pass it to the dev team for their consideration. It does require several steps at the moment; automating it would be optimal.

      Amber

    2. I save the question and answer in the Notes section of the login record. That way when you need the answer, you can just bring up the record in edit mode, select and copy the answer, close the record and paste it into the question's answer box. I think it's easier than searching your secure notes, and each answer is located with the associated web site.

  2. Login security is way too complex. Lastpass helps, but this is ridiculous. Banks, etc. have to take initiative and come up with better and standard solutions... Especially for mobile.

  3. This comment has been removed by the author.

  4. Can someone explain this one to me? If you don't intend to use a memorable security answer (with which I agree), surely it is safer not to use a security question at all!

    Sure, if a website doesn't give you that option, using a sufficiently complex security answer is a good way to make sure the security question can never be used to retrieve the password. I get that part.

    But LastPass contains the primary password, so I don't see the use in storing the security answer there too. If you have LastPass access, you have access to both. If you don't, you have access to neither. By extension, I don't see the advantage of an automatically generated answer over some random keyboard gibberish.

    1. It's a valid point, Michiel, thanks for sharing your thoughts. Some sites do require security answers when you're registering, though, so sometimes you simply don't have a choice. ING Direct, the online banking service, is one example. If a user is going to be forced to answer a security question, this at least provides an option for them to avoid submitting personally identifying information. The two articles linked to above (http://www.pcworld.com/article/209584/cops_hacker_posted_stolen_xrated_pics_on_facebook.html and http://en.wikipedia.org/wiki/Sarah_Palin_email_hack) also show extreme cases where security questions can be used to compromise an account when the personal information is readily available.

      Amber

  5. Increasingly, banks are issuing code verification devices about the size of a small calculator. These are a real PITA. I have two already, and they are not convenient to carry around on top of all of the other widgets I have.

  7. Google Authenticator is the equivalent of those proprietary Bank token calculators...

    Perhaps more and more sites will link to the Google Authenticator if we're lucky.

  8. Amber: Yes, I get that. However, what is the purpose of storing the security answer? If you have LastPass, you will never need it. If you don't have LastPass, you won't have access to it. So I just do some random keyboard mashing in those cases, which is faster than having LastPass generate something.

    1. Here in Belgium, almost every bank mandates the use of hardware tokens to authenticate to their sites, and also to sign most important transactions. It's a pain in the beginning, but one gets used to it.
      So there, no need any more for the security questions.

      Still, when calling their call centers, the only way to authenticate still seems the old security questions way. Having the customer read out the result of the token doesn't solve the problem, as the call center cannot validate it. This may be a reason...

    2. Michiel, keyboard mashing may be physically gratifying, but it's an insecure way to generate a random sequence. In fact, people asked to quickly press random keystrokes generate a surprisingly repetitive sequence, usually something with a lot of "asdf;lkj" characters in it. And if you do this today, you certainly won't remember the similarity to the sequence you generated for another site last month. Your method will work, if you record the sequence in case you need it, but it won't be as secure as using the LastPass random generator.

    3. I can do some pretty random keyboard mashing. Or yes, let Lastpass generate the sequence. Fine. But that's beside the point here.

      The point is your sentence: "if you record the sequence in case you need it".

      Try and follow this line of reasoning: Why would you ever need to use your security answer? When you lose the site's primary password. How could you lose the site's primary password? If you lose access to your Lastpass account. If you have no access to your Lastpass account, you'll also not have access to the random security answer you stored there.

      In conclusion, if you ever need your stored security answer, you will not have access to it. Ergo, storing your security answer is useless.

      Where is the flaw in my logic?

    4. Many sites require you to answer one of your security questions if they detect you are logging in from a new device or browser. Therefore, you would need the security answer in addition to your password.

    5. Really? I've never encountered this. But OK, that does seem like a fairly good reason. :-)

      If any website ever asks me for the security answer, I'm in trouble.

    6. Bank of America does this.

      It's perhaps ironic that in setting up all my passwords, Banks generally were the ones imposing length limits which limit how secure their passwords are.

  9. I travel quite a bit for work. Recently I was on a trip and logged into a site (Google maybe?). I got a message back about being somewhere I'm usually not, and asked me for further info.
    So: I do need my security answer in addition to my password when the site is trying to be smarter(?) than me. ;)

  10. OK, dumb questions coming up...

    So, just to clarify... if a site asks me for my "Mother's Maiden Name" this is just to push me into choosing something I'll obviously remember. If I set it to "MinnieMouse", "AttillaTheHen" or "jkjdhfhj9897" there's no actual check by anyone/anything on whether they actually are my mother?

    I would guess most people's innate reluctance to deliberately put in something incorrect would mean the overwhelming percentage do use the actual name.

    I could see potential problems if this type of security answer is ever asked by a real person as part of a telephone query I initiate (especially if the call-centre has been outsourced offshore hmmm) - any ideas on how using a gobbledegook name might go down then?
    --thanks Ron

  11. Instead of a random generated answer, what about generating a known wrong answer and then recording that in secure notes. For example, if my mother's name is Rachel, I use Molly instead. That is easy to tell the bank's security person over the phone, but nothing anyone could attach to me (except LastPass!!). Of course, I would use a different name each time.

    Also, the question was brought up about why I would ever need this if LP has the site password stored. I thought of another scenario why you might need this. What about if a bank suspects passwords were stolen. They might clear all passwords and require people to reset their passwords by reanswering the security questions? I suppose that could be another reason.

    LP: How about a random word generator for cases such as this instead of a random hash? A "security word generator" per se? (With warnings of course not to use this for site passwords!!!). Then that random word is stored for potential use later when required.

  12. Sorry for a late comment on an old post but...

    The problem I have with totally random security question answers is that my bank, credit card company, etc. are asking me to give those answers over the phone when I call them. I'm not so interested in having to spell "q5Q1h&oMqO9kk$8t" for them when they ask me what my mother's maiden name is.

    However choosing memorable/pronounceable, but WRONG, answers does sound like a good security measure.

    1. We do offer a "pronounceable" option in the advanced settings of the password generator tool; if you check it, the results will be much more usable in the scenario you mention. Great comment!

  13. Is there a "fly-over" instruction manual for LastPass? I'd just like the 1-2-3 version. A here's how it works and here's what you have to do to make it work approach. Thanks.
