The biggest problem caused by the exposure of Yahoo! account information, for lawyers, is probably not the passwords. Even if you were re-using a password – which you shouldn’t – you can reset it on Yahoo! and on every other site where you used it, rendering the leaked password useless. Worse is that the hack may have exposed your answers to the security questions (“what was my first dog’s name, where did I meet my spouse”). Security questions have not proven to be a very secure means of protecting accounts. Because the answers are usually based on your personal history, they are fixed in a way that passwords aren’t.
Security Questions are Bad
It only took me a couple of web searches to start to find the security questions for Yahoo!, often posted in “I’ve forgotten my security question for Yahoo!” forums:
- my youngest child’s nickname;
- where did I spend my honeymoon;
- what is the last name of your best man / maid of honor.
Unlike a password, none of those answers is likely to change. How many people have posted wedding pictures online, or added a photo of a child or pet to Facebook or even to their Twitter bio? Those pictures often include descriptions of the people, or tag them or otherwise identify them. If the same people, animals or locations are both your security-question answers and your publicly shared information, you’ve got a potential problem.
If you look at a more complete list, you’ll also notice that the answers to some questions – a child’s or dog’s name – are probably far more common than the answers to others – the name of the hospital you were born in. I expect that the questions with the more memorable answers are the ones used most often. Just like your fingerprint, once this information is captured in the context of a security question, that question is exposed everywhere else you’ve used the same answer.
If you are a Yahoo! user, you might as well close the barn door even though the cows have already run off. Access your account and delete your security questions. This will at least remind you of what the questions were and you can note that down in case you use other sites that use the same security questions.
I’m not really that surprised to see that Yahoo! suggests that deleting security questions will increase the security of the account.
Security questions and their fixed answers are one reason I’m not a fan of biometrics. Yes, you carry the second factor with you as a finger or eyeball or whatever. But it also means that the matching data for that biometric is stored somewhere that could be breached. Like the people who store digital copies of their house keys in the cloud, if someone is able to download that data, it can be used to make keys without your knowledge. (Not that that probably matters.)
What’s the Alternative?
Yahoo! offers it and so do many others: it’s two-factor authentication. Rather than storing the second factor online, you carry the second part with you. No, it’s not perfect, because you could lose the device on which the codes are generated, or the text message carrying the code could be intercepted. But if those things happen, the attack is much more likely to be about you specifically than about a large, steaming pile of personal data held by a multinational.
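To make concrete what “carrying the second part with you” means, here is an added example (not Yahoo!’s code, and not from the original post) of the time-based one-time password scheme that authenticator apps use, RFC 6238 TOTP built on RFC 4226 HOTP. The device and the server share one secret seed; each derives the same six-digit code from the seed and the current 30-second window, so a code that is intercepted is worthless after a few seconds and, with the replay check shown in the verifier, worthless after a single use. The seed and expected codes are the published RFC test vectors, not anyone’s real credentials.

```python
"""
TOTP (RFC 6238) walk-through: the second factor is a shared secret that lives
on the user's device; the server holds the same seed and both sides derive the
same short-lived code from it. Added example, not Yahoo!'s implementation.
The seed and expected codes are the RFC 4226 / RFC 6238 test vectors.
"""
import hashlib
import hmac
import struct
import time

# RFC 6238 reference seed for HMAC-SHA1 (ASCII "12345678901234567890").
RFC_SEED = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, reduced to `digits` digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int,
         step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time window."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check. Accepts the current window plus one window on each
    side to absorb clock skew, and never accepts a window at or before the
    last accepted one, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, skew_windows: int = 1):
        self.secret = secret
        self.skew = skew_windows
        self.last_accepted_window = -1

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for window in range(current - self.skew, current + self.skew + 1):
            if window <= self.last_accepted_window:
                continue  # already used, or older than a code already accepted
            # Constant-time comparison so the check leaks nothing about the code.
            if hmac.compare_digest(hotp(self.secret, window), submitted):
                self.last_accepted_window = window
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("code for this 30-second window:", totp(RFC_SEED, now))
```

The replay guard is the detail most worth noticing: once `287082` has been accepted for the window containing second 59, submitting it again a moment later fails even though the window is still within the skew tolerance, which is exactly the property a reused security-question answer can never have.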
As I was contemplating my Flickr account, which is my only active Yahoo! service, I thought of the other places I have security questions. Government tax agencies, retirement and investment sites, and banks were the ones where I have seen them most often. In other words, the places where I store some of my most valuable information or resources.
Hopefully we will see these sites transition to two-factor authentication as well. In the meantime, we may have reached the point where any service that still uses security questions rather than two-factor authentication isn’t a service we want to use. It doesn’t matter whether they can secure our content or their application if they are relying on a piece of data that we can’t change when they lose it.