{"id":13004,"date":"2016-09-16T09:00:37","date_gmt":"2016-09-16T13:00:37","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=13004"},"modified":"2019-11-15T06:53:31","modified_gmt":"2019-11-15T11:53:31","slug":"security-questions-are-insecure","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/security-questions-are-insecure\/13004\/","title":{"rendered":"How I hacked my Apple ID security questions"},"content":{"rendered":"<p>In the beginning of 2012, I got a MacBook. At the time, I knew little about gadgets, and I was not planning to buy any other Apple devices. I powered up the laptop and created an Apple ID account. As requested, I chose a password and several security questions.<\/p>\n<p>Four years later, I have an iPad as well, and of course I\u2019ve purchased several interesting apps (some of them I found in <a href=\"https:\/\/www.kaspersky.com\/blog\/best-tablet-games-for-kids\/9985\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">this list<\/a> made by my colleague). My account became valuable to me, and I started thinking about its protection. That\u2019s why I decided to turn on <a href=\"https:\/\/www.kaspersky.com\/blog\/what_is_two_factor_authentication\/5036\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">two-factor authentication<\/a>.<\/p>\n<p>It wasn\u2019t as easy as it should have been; Apple wouldn\u2019t allow me to change anything in the Security tab until I could answer my security questions perfectly. And the answers I put in did not match.<\/p>\n<p>When I tried to change the security questions, I found out that the secondary e-mail used to perform such operations was not verified. I still have no idea why Apple would treat an unverified e-mail as active, but it did, and thus began an endless circle.<\/p>\n<p>I clicked the Verify Email link several times but received no confirmation e-mails. Everything was going wrong. 
It wasn\u2019t a good time to ask tech support for help, so I had only one way out \u2014 I had to hack my own security questions.<\/p>\n<h3>How I hacked the questions<\/h3>\n<p>The questions that I chose four years ago were not so difficult. But thinking about the answers, I realized that anybody could figure them out by looking at my CV or social network account.<\/p>\n<p>\u2014 <i>Where was your first job?<\/i><br>\nLinkedIn is an obvious place to find the answer to this question.<\/p>\n<p>\u2014 <i>Where did your mother and father meet?<\/i><br>\nMy parents grew up, met each other, and got married in the same city where I was born. A lot of people have the same life story. And many people list their native cities on social networks (and social networks usually ask people to do that!). This question is not secure at all.<\/p>\n<p>\u2014 <i>What is your favorite children\u2019s book<\/i>?<br>\nWell, I had several favorite books as a child, but the most likely answer was The Hobbit, by J. R. R. Tolkien. Like the other answers, this one wasn\u2019t exactly a secret: First, the book is very popular. Second, my university friends and classmates know that I wrote several term papers about The Hobbit. My half-finished dissertation was devoted to eleven translations of The Hobbit into Russian! In the end, the only mystery about this question was whether I wrote the shorter title or the full name \u2014 \u201cThe Hobbit, or There and Back Again\u201d \u2014 four years ago.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-13006 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/09\/06021558\/security-questions-screenshot-en.jpg\" alt=\"How I hacked my Apple ID security questions\" width=\"1280\" height=\"800\"><\/p>\n<p>If I knew all of the answers, then why didn\u2019t my answers match? It\u2019s simple: I had English as the main language of my account, and that meant the security questions were also shown in English. 
But four years ago I answered them in Russian. When I switched languages and re-entered the same answers, they matched. But even for people who don\u2019t switch languages, security answers may become problematic: Did you use proper capitalization? Abbreviations? Nicknames? Many services compare answers literally, so only the exact form you typed at enrollment will work.<\/p>\n<p>I began thinking about what makes a good security question \u2014 and answer.<\/p>\n<h3>What is a good security question? If you have to choose a question from a list, which should you choose?<\/h3>\n<p><a href=\"http:\/\/goodsecurityquestions.com\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Five criteria<\/a> help us distinguish good security questions from bad.<\/p>\n<p>1. <b>Obscurity<\/b> \u2014 questions must be hard to guess or research. For example, a favorite of many banks \u2014 your mother\u2019s maiden name \u2014 is about as weak as they come. I won\u2019t waste your time covering the 9000 ways to figure that one out.<\/p>\n<p>2. <b>Stability<\/b> \u2014 answers must not change over time. Avoid \u201cfavorite\u201d questions: Your favorite job, food, band, movie, restaurant, or vacation spot might change in a few years.<\/p>\n<p>3. <b>Memorability<\/b> \u2014 we enter passwords relatively often, but we rarely have to answer security questions. Even if you remember the name of your first-grade teacher when you\u2019re a teenager, you may have forgotten it by the time you\u2019re in your thirties \u2014 or sixties \u2014 so try not to choose questions whose answers you\u2019re likely to forget in a decade or two.<\/p>\n<p>4. <b>Simplicity<\/b> \u2014 some questions have multiple correct answers. Where was your first kiss? That might be \u201cNew York,\u201d \u201cNew York City,\u201d \u201cNYC,\u201d \u201cCentral Park,\u201d or at least a few other options. Don\u2019t give yourself easy options to fail; avoid questions you might answer in a variety of ways.<\/p>\n<p>5. 
<b>Choice multiplicity<\/b> \u2014 questions that require \u201cyes\u201d or \u201cno\u201d answers are terrible. Even a stranger has a 50% chance of guessing right! A good security question has so many possible answers that guessing is hopeless \u2014 and you should be the only person who knows the right one.<\/p>\n<h3>Beware social media phishing<\/h3>\n<p>You\u2019ve probably seen social media surveys or quizzes inviting you to wax nostalgic and share the \u201cfirst 7 places I worked\u2026\u201d or \u201cyour first airplane trip\u2026.\u201d Those are a treasure trove for social engineers, and some of them are started by scammers for exactly that purpose.<\/p>\n<p><a href=\"https:\/\/www.facebook.com\/howardgr\/posts\/10153905111253178\"><img decoding=\"async\" class=\"aligncenter wp-image-13007 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/09\/06021557\/myfirstsevenjob-flashmob-is-bad.jpg\" alt=\"How I hacked my Apple ID security questions\" width=\"504\" height=\"347\"><\/a><\/p>\n<p>If you want, you can give even the worst security question an answer nobody could guess \u2014 what is your mother\u2019s maiden name? XCU*(&amp;S1042! \u2014 but then you have to record that answer somewhere safe, such as a password manager, or you will lock yourself out.<\/p>\n<p>As a better option, you might take the maiden name <strong>Woodhouse<\/strong> and strip it down to the consonants: <strong>wdhs<\/strong>. Evenly intersperse the birth date 04.08.80 to get <strong>04wd08hs80<\/strong>. Not a brilliant trick, but much better than the original. The result is still built from two facts other people may know, so it stops casual guessing, not someone who knows the rule and your birthday.<\/p>\n<p>This kind of method is best for those security questions you have to answer often \u2014 for example, when you call your bank. 
If you have to remember it from time to time, the combination will stay fresh in your memory.<\/p>\n<p>Ultimately, however, there are better ways to protect your accounts than security questions \u2014 for example, <a href=\"https:\/\/www.kaspersky.com\/blog\/what_is_two_factor_authentication\/5036\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">two-factor authentication<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Why questions like \u201cWhat is your mother\u2019s maiden name?\u201d and \u201cWhat did you do last summer?\u201d don\u2019t protect you.<\/p>\n","protected":false},"author":522,"featured_media":13005,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[1600,1161,363,43,97,1805],"class_list":{"0":"post-13004","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-apple-id","9":"tag-finance","10":"tag-personal-data","11":"tag-privacy","12":"tag-security-2","13":"tag-security-questions"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/security-questions-are-insecure\/13004\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/security-questions-are-insecure\/7658\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/security-questions-are-insecure\/7660\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/security-questions-are-insecure\/7687\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/security-questions-are-insecure\/9102\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/security-questions-are-insecure\/8950\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/security-questions-are-insecure\/2438\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/security-questions-are-insecure\/6075\/"},{"hreflang":"pt-br","url":"https:\/\/w
ww.kaspersky.com.br\/blog\/security-questions-are-insecure\/6557\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/security-questions-are-insecure\/5398\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/security-questions-are-insecure\/8723\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/security-questions-are-insecure\/12630\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/security-questions-are-insecure\/13004\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/security-questions-are-insecure\/13004\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/apple-id\/","name":"Apple ID"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13004","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/522"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=13004"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13004\/revisions"}],"predecessor-version":[{"id":30152,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13004\/revisions\/30152"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/13005"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=13004"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=13004"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=13004"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}
}
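Added example, not code from the post above or from Apple: the post's two practical points (capitalization, abbreviations and a changed account language make the "same" answer fail to match; and the consonants-plus-birth-date trick for hardening a weak answer) shown in working Python. The `canonicalize` rules, the `scrypt` cost parameters, the `{"salt", "hash"}` record shape and the `harden` generalization (consonant chunks spread evenly between the date's digit groups) are this example's own assumptions, using only the standard library.

```python
"""Added example (not the Kaspersky post's code): how a service should store
and check security answers, plus the post's consonant-plus-date trick,
generalized. Standard library only; all parameters are assumptions."""
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional

# scrypt cost parameters: assumption, kept low so the demo runs quickly.
# Raise n (and keep 128*n*r under the memory budget) for production.
_SCRYPT = dict(n=2**14, r=8, p=1)


def canonicalize(answer: str) -> str:
    """Collapse harmless variation before hashing: Unicode compatibility
    forms, letter case, spacing and punctuation. "New York City",
    "new-york city" and " NEW YORK CITY " all become "newyorkcity".
    It deliberately does not bridge abbreviations ("NYC"), nicknames,
    or an answer typed in another language; those still fail, which is
    exactly the mismatch described in the post."""
    s = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"[^\w]+", "", s)  # \w is Unicode-aware, so Cyrillic survives


def enroll(answer: str, salt: Optional[bytes] = None) -> dict:
    """Store a salted, slow hash of the canonical answer, never the answer."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(canonicalize(answer).encode("utf-8"),
                            salt=salt, **_SCRYPT)
    return {"salt": salt, "hash": digest}


def verify(record: dict, attempt: str) -> bool:
    """Recompute the hash for the attempt and compare in constant time."""
    digest = hashlib.scrypt(canonicalize(attempt).encode("utf-8"),
                            salt=record["salt"], **_SCRYPT)
    return hmac.compare_digest(digest, record["hash"])


def harden(answer: str, date: str) -> str:
    """The post's trick: keep only the consonants of a weak answer and
    spread them evenly between the digit groups of a memorable date.
    harden("Woodhouse", "04.08.80") -> "04wd08hs80".
    The output is still derived from two facts others may know, so it
    defeats casual guessing, not someone who knows the rule and the date."""
    consonants = "".join(c for c in answer.casefold()
                         if c.isalpha() and c not in "aeiou")
    groups = re.findall(r"\d+", date)        # "04.08.80" -> ["04", "08", "80"]
    if not groups:
        raise ValueError("date must contain digits")
    slots = max(len(groups) - 1, 1)          # consonant chunks sit between date groups
    size = -(-len(consonants) // slots)      # ceiling division
    chunks = [consonants[i * size:(i + 1) * size] for i in range(slots)]
    parts = [groups[0]]
    for i, chunk in enumerate(chunks):
        parts.append(chunk)
        if i + 1 < len(groups):
            parts.append(groups[i + 1])
    return "".join(parts)


if __name__ == "__main__":
    rec = enroll("The Hobbit")
    print(verify(rec, "the hobbit"))                           # True
    print(verify(rec, "The Hobbit, or There and Back Again"))  # False: different title
    print(verify(rec, "Хоббит"))                               # False: other language
    print(harden("Woodhouse", "04.08.80"))                     # 04wd08hs80
```

The verifier is what a relying service should run: canonicalize, hash with a slow KDF under a per-record salt, compare with `hmac.compare_digest`. Canonicalization only removes accidental variation; it cannot rescue an answer given in Russian against one enrolled in English, which is why the post's author had to switch the account language back before the answers matched.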