Why secret questions are your No. 1 security flaw


(MoneyWatch) Every time a bunch of websites gets hacked, we find out that many people still use ludicrously unsafe passwords ("password," "123456," and "letmein" are just a few notoriously insecure examples). Even though I am certain none of my readers do anything that foolish, you might be making another mistake that has exposed your accounts to any motivated hacker: You're using the secret security question the way it was designed to be used.

Here's what I'm talking about. Suppose you always use strong, virtually uncrackable passwords and ensure that every account you own uses a different password; that way, if one account is hacked, the damage is contained. Great! You're doing everything right.

But when you enter the secret security question -- the security measure that lets you reset a password if you forget it -- you pick "the city you were born in," "the best man at your wedding," or "the name of your first pet." These are all things a motivated hacker can discover, often from public records, old social-media posts, or a quick web search. They're especially vulnerable to discovery by people you actually know -- spouses, friends, relatives, business partners -- who don't need to search at all. And if a relationship goes sour, your accounts might hang in the balance.

What should you do? Use the security questions, to be sure. In most cases, you don't have much choice in the matter, since websites insist you fill out one or two of them. But answer the questions "incorrectly," with something that cannot be worked out from the question or from anything known about you. A pattern or system only you know is the minimum; an unrelated, random answer is better, because a pattern can be inferred once a single answer leaks. You'll need to take care, and will probably need to make a record of these secret answers somewhere secure, such as a password manager (it's hard to remember lies -- just ask any criminologist), but it's worth the slight additional risk.
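Here is one way to put that advice into practice, as an added example rather than anything from the column or from MoneyWatch. Instead of a memorable pattern, it generates a random answer for each site and question (a stronger variant of the column's "answer incorrectly" advice), produces the record you would paste into a password manager, and puts a number on the difference: it compares the entropy of a random 12-letter answer with a truthful "city you were born in" answer that an attacker has narrowed down to 100 candidates. The letters-only alphabet, the 12-character default, the optional per-site length cap, the site names, and the 100-candidate figure are all assumptions constructed for the example.

```python
import json
import math
import secrets

# Assumed constraint: letters only. Many sites cap answer length and reject
# punctuation, and a phone agent may have to read the answer back to you.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def random_answer(length=12, alphabet=ALPHABET):
    """Return a uniformly random answer drawn with the OS CSPRNG (secrets)."""
    if length < 1:
        raise ValueError("length must be positive")
    if not alphabet:
        raise ValueError("alphabet must not be empty")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy in a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


def truthful_answer_bits(candidate_count):
    """Entropy left in a truthful answer once an attacker has narrowed it
    down to candidate_count equally likely possibilities."""
    if candidate_count < 1:
        raise ValueError("candidate_count must be positive")
    return math.log2(candidate_count)


def make_record(site, question, length=12, max_length=None):
    """Generate a random answer for (site, question) and return the record
    to store in a password manager's notes field. max_length models a site
    that caps the answer length (assumed; check the site's own rules)."""
    if max_length is not None:
        length = min(length, max_length)
    answer = random_answer(length)
    return {
        "site": site,
        "question": question,
        "answer": answer,
        "entropy_bits": round(entropy_bits(len(answer), len(ALPHABET)), 1),
    }


def export_records(records):
    """Serialize the records for pasting into an encrypted store."""
    return json.dumps(records, indent=2)


if __name__ == "__main__":
    # Constructed sample: two sites, one of which caps answers at 8 letters.
    records = [
        make_record("examplebank.test", "City you were born in"),
        make_record("examplemail.test", "Name of your first pet", max_length=8),
    ]
    print(export_records(records))
    # Constructed comparison: an attacker who knows roughly where you grew up
    # and narrows the birthplace to ~100 cities faces ~6.6 bits of uncertainty;
    # the 12-letter random answer is worth ~56.4 bits.
    print(round(truthful_answer_bits(100), 1), round(entropy_bits(12, 26), 1))
```

The numbers are the point: a truthful answer is never stronger than the attacker's shortlist, while a random answer's strength depends only on its length and alphabet, so even an 8-letter answer forced by a site's length cap (about 37.6 bits) beats any guessable fact about you. The record is only as safe as the store it lives in, so keep it in the same password manager that holds the passwords, not in a plain text file.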

Photo courtesy of Flickr user Garry Knight