Almost every online service, at least among those that have been on the market for a while, will ask you to set a password hint when you register a new account. Password hints are a bad idea and you should never set them. Here's why, and what to do instead.
What Are Password Hints?
I'm talking about the password hint boxes, something the newer generation of readers most likely doesn't even remember seeing. Back in the Yahoo days, creating an account usually meant setting a few questions whose answers could be used to retrieve the password. That is, when you tried to reset your password, the service asked you those questions before letting you proceed.
These password reset questions, also commonly referred to as security questions or password hints, were supposed to serve as another form of identification for a user. Therefore, they are often questions that only you would know the answer to, or would be expected to know the answer to. That's things like the first name of your first pet, your mother's maiden name, the street you were born on or grew up on, and so on.
Other versions let you make up your own questions; the problem there is that you may forget the answer. Worse still are password cues that help the user remember the password itself: that is a direct invitation to use non-random (and therefore insecure) passwords.
Why Password Hints Are a Security Threat
As convenient as they may seem (you don't just get a password reset on request; you need to prove who you are first), password hints are a terrible idea and you should never use them. This is because they do not add a layer of protection but rather a layer of risk.
It comes back to a simple fact: better security means reducing the attack surface, the areas where an attacker might be able to attempt a breach. Passwords by themselves add to your risk, but that is the cost of doing business, as without a password (or, in a passwordless world, its equivalent) you couldn't get in at all. Password hints widen the attack surface further, because they give attackers another way to get at your passwords.
The reason is that strong passwords are random, while password hints are not: the answers can usually be looked up or guessed. Things such as your mother's maiden name, your pet's name, or the name of the street where you grew up are facts that are easy to find out.
Most of this information sits in people's social media accounts, and even when it doesn't, a very basic social engineering attack could extract it from you or someone close to you. After all, few of us will volunteer our passwords, but when asked something like "Hey, I'm from the same neighbourhood as you," most people will happily name their childhood street. "I grew up on this street," I said, pointing at the map, "Madison Street." If you answered truthfully, as almost anyone would, you just handed somebody your password reset function.
What to Use Instead of Password Hints
The only way to solve this problem is not to set password hints or password reset questions at all. Unfortunately, some companies (hello, Microsoft) don't give a hoot about the threat they pose and insist that you use them. The only thing you can do in that case is enter a nonsense response (and, to be even safer, store that response somewhere secure rather than trying to remember it).
That brings us to the next question: how do you protect your accounts? After all, without hints, you may not be able to reset your password if the need arises. Password managers solve this: these applications create, save, and even retrieve your passwords automatically. Using one means you will probably never have to reset a password, so giving nonsensical answers costs you nothing.
Password managers do more than eliminate the need for password hints. They do all the hard work of password hygiene, which also gives other password-related attacks much less chance of succeeding.
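As an added illustration (not code from the original article or from How-To Geek), the small Python script below puts numbers on the argument above: the answer to a typical security question is drawn from a short, predictable pool of common values and falls within a handful of guesses, while a random nonsense answer stored in a password manager is in no such list. The answer pools are constructed for the example and are much smaller than real-world lists.

```python
import math
import secrets
import string
from typing import List, Optional

# Constructed sample pools of common answers (illustrative only; real lists of
# popular pet names or surnames are larger, but just as easy to work through).
COMMON_PET_NAMES = ["max", "bella", "charlie", "lucy", "buddy", "daisy", "molly", "bailey"]
COMMON_MAIDEN_NAMES = ["smith", "johnson", "williams", "brown", "jones", "garcia", "miller", "davis"]

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def pool_entropy_bits(pool_size: int) -> float:
    """Entropy of an answer picked uniformly from a pool of pool_size values.
    Real answers cluster on the most popular values, so this is an upper bound
    on how hard a typical security-question answer is to guess."""
    return math.log2(pool_size)


def random_answer_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def guesses_needed(answer: str, pool: List[str]) -> Optional[int]:
    """Number of guesses an attacker working through `pool` in order needs to
    hit `answer`; None means the answer is not in the list at all."""
    target = answer.strip().lower()
    for position, candidate in enumerate(pool, start=1):
        if candidate == target:
            return position
    return None


def random_answer(length: int = 24) -> str:
    """Nonsense answer for a mandatory security-question box. It is meant to be
    saved in a password manager alongside the account, never memorised."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    print(f"pet name from a top-8 list: {pool_entropy_bits(len(COMMON_PET_NAMES)):.1f} bits")
    print(f"'Bella' is found after {guesses_needed('Bella', COMMON_PET_NAMES)} guesses")
    nonsense = random_answer()
    print(f"random answer {nonsense!r}: {random_answer_entropy_bits(len(nonsense)):.1f} bits")
    print(f"random answer in the list? {guesses_needed(nonsense, COMMON_PET_NAMES)}")
```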
Source: Howtogeek