Jun 24, 2013

Your Answers to Security Questions Should Be Random, Too

At LastPass, we often reiterate the need for randomly generated passwords to improve your online security. A feature that often gets overlooked is the security questions that your sites and services may have you fill out as you register.

In theory, security questions are slightly more obscure but still personalized questions whose answers you create, and which later help you "prove" your identity when recovering access to an account or contacting a customer support team. However, because those answers are usually real personal details, the questions can create a security loophole: a second, weaker path into the account. On top of the increased risk, if you're using a password manager to store your passwords, there's no reason you should have to go through the recovery process at all.

That's why we recommend "generating" your answers to your security questions, or creating falsified answers that you can then securely store in LastPass for reference. This ensures that security questions cannot be used against you should someone try to gain unauthorized access to one of your accounts - this is how Sarah Palin's email was hacked, and how other individuals have fallen victim to violations of their personal privacy.

It's easy to get started with random security answers when you're registering for a new site. When you're presented with a question, simply click the LastPass icon in your browser and select the "generate a secure password" option. You can click the "advanced options" box to customize the characters, and even make the password pronounceable.

You can then use the "copy" option to copy-paste the password into the answer field for the question, and submit the information on the site. Once you've saved that site to LastPass, make sure you've also pasted the generated password into the "notes" field in the edit menu for the site entry, indicating that it's the security answer for your account.

If you know you're using personal information for security answers, set aside some time to log in to those accounts, generate a new "answer" with LastPass, and store the update in your site entry. Accounts for online banking, email, social media, and credit cards are all good places to start.
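As an added example (not LastPass code, and not part of the original post), here is a small Python generator for the "random answer" approach described above. It draws from the OS CSPRNG via the `secrets` module, accepts a narrower alphabet for sites that cap answer length or forbid symbols, and also offers a word-based variant for answers that must be read out over the phone, together with an entropy estimate so you can decide how long an answer needs to be. The `WORDS` list is a constructed stand-in for a real dictionary, and `vault_note` is a hypothetical helper that formats the line you would paste into the notes field.

```python
import math
import secrets
import string

# Constructed stand-in word list (assumption). A real generator would load a
# large dictionary such as a diceware-style list; entropy per word is
# log2(len(list)), so this 16-word list gives only 4 bits per word.
WORDS = [
    "banana", "submarine", "chevrolet", "lantern", "pepper", "quartz",
    "meadow", "violin", "copper", "saddle", "harbor", "glacier",
    "mango", "pixel", "tundra", "walnut",
]

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_answer(length=20, alphabet=FULL_ALPHABET):
    """Uniform random string over `alphabet` using the OS CSPRNG.

    Pass a narrower alphabet for sites that forbid symbols, e.g.
    random_answer(8, string.ascii_letters + string.digits).
    """
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def word_answer(n_words=4, words=WORDS, sep="-"):
    """Random words joined by `sep`: easier to read aloud than a char string."""
    if n_words < 1 or len(words) < 2:
        raise ValueError("need a positive word count and at least two words")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(length, pool_size):
    """Bits of entropy in `length` independent uniform picks from `pool_size`."""
    return length * math.log2(pool_size)


def words_needed(target_bits, list_size):
    """Smallest word count whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def vault_note(site, question, answer):
    """One line for the password manager's notes field, so the generated
    answer is stored next to the login it belongs to (hypothetical format)."""
    return f"{site} | security question: {question} | answer: {answer}"


if __name__ == "__main__":
    ans = random_answer()
    print(vault_note("example.com", "Mother's maiden name?", ans))
    print(f"{entropy_bits(len(ans), len(FULL_ALPHABET)):.1f} bits")
    # A bank that allows only 8 alphanumeric characters still gets ~47.6 bits,
    # far beyond anything a guesser could recover from public records.
    print(f"{entropy_bits(8, len(string.ascii_letters + string.digits)):.1f} bits for 8 alphanumerics")
    n = words_needed(60, 7776)
    print(f"{n} words from a 7776-word list give {entropy_bits(n, 7776):.1f} bits")
```

The point of `entropy_bits` and `words_needed` is that the strength of a generated answer depends only on the pool size and the number of picks, never on the question; a four-word answer from a 7776-word list already exceeds 50 bits, while the same four words from the tiny constructed list above give only 16, which is why the word list must be large when you use that variant.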


Have a question you'd like to see answered by the LastPass team in a blog post? Let us know in the comments or send us a note at marketing[at]lastpass.com. If we choose your question, you'll get a T-shirt!

27 comments:

  1. Guys, I have been telling people to do this for 6+ years!
    Amazing that your service now offers it through the management interface!

  2. This is a rather bad idea as the notes don't require re-entry of your master password. I'd like to see real support from lastpass to store extra sets of credentials _securely_ within that same account entry.

    1. As long as you select master password reprompt for the site entry, or as a universal option when editing all entries, it should address this concern?

  3. Second the different level of security. How about the master password then a 6 digit pin at access your extra secured things?

  4. Actually, I wish there would be first class support for this in LastPass. Now I have to manually generate and save the answers. There should be an option to automatically save and auto-refill if required.

    1. totally agree! it's kludgey to have to use the "generate PW" tool and then copy-paste. I would like to see a feature which generates answers to these questions and enter them for us automatically, as LP currently does our PWs.

    2. It does, you press accept after generate, then it autofills.

  5. And you expect what for free? Rotate your master password with a very complex password every thirty days and then add 0613 for the June update, 0713 for July and so on.

  6. Yeah, I hate it when a site requires you to answer a secret question. In my opinion, the ONLY valid reason for a secret question is to answer it before sending a password-reset link to the registered email, NOT to change passwords or anything else.
    But yeah, I make the answers themselves a strong password which has nothing to do with the question. Adding it to the notes would work as well, of course :D

  7. Excellent advice. I started to do this just recently by making up untrue answers to the secret questions. I did not know that Lastpass can create pronounceable passwords.

  8. Often I have to read my security question over the phone (e.g. every time I call my financial advisor). In these cases I use a different random phrase generator that picks N random English words. Makes for a slightly less awkward phone experience. Just pick a large enough N that you are comfortable with that level of entropy.

  9. Another approach which I like a lot is to use an answer that has absolutely nothing to do with the question. Pick a word, or several words, that you can easily remember - may use a few, and assign them to different categories of questions. For example, any question about a city (What city were you born in? What city did you meet your partner in? What city were you married in?), you might answer with "bananas". For questions about animals (What's your favorite animal? What was the name of your first pet?), use "submarine", for example. Mother's maiden name, father's middle name, person you took to prom - "chevrolet".

  10. I wish I could at least choose a good random password for my bank. My bank will only let me have 8 characters and no special symbols.

  11. What if LastPass gets hacked and my passwords get stolen? What steps would the LastPass team take in that case?

    1. See their response to a potential breach here: http://blog.lastpass.com/2011/05/lastpass-security-notification.html

    2. I'm guessing you haven't read the FAQ's...

  12. I just lie. When asked for my mother's maiden name, I might say "Hitler"

    1. I thought you said you lied.

  13. I've been a LastPass user for a couple of years now and I love the product. That said, why not add functionality to the product to allow us to add in the site security question and corresponding answers rather than copy/pasting this into the Notes section?

  14. Random passwords? How about the argument for non-random, but longer passwords? This has always bugged me with LP's random pwd generation...

  15. I never used this feature option yet on my LastPass vault.
    Thank you.
