Here’s how I can get your password if you share the make of your first car…

Where were you for the start of the millennium?
What was the model of your first car?
What’s your royal wedding guest name?

It’s all good fun, right? These kinds of posts often go viral. We share some fun facts about our lives, our friends do it too, and we all learn something new about each other. We interact, find common ground, find things to talk about. It’s got nothing to do with my password.

The last one is particularly fun. When we combine information like this we can come up with some hilarious names. Look at some of the answers; they are great:

Combining your grandparent’s name, your first pet’s name and the street you grew up on gives some funny results.

It’s just a bit of fun. It’s harmless information. The information itself has no classification – it’s not a secret, it can be freely shared, there’s no harm done.

But wait – what’s this?

[Image: Office 365 password reset security questions, the Microsoft Azure AD default list]

That’s the list of default security questions offered when self-service password reset is enabled in Microsoft Azure AD. Azure AD is the authentication service behind Microsoft Office 365, which might be your personal email system, or your work email system. Look through that list and you’ll see “maternal grandmother’s name”, “street you grew up on” and “name of first pet”.

Always Networks’ customers will always be configured to use additional information other than security questions for password resets, to mitigate this.

So, by coming up with your hilarious Royal Wedding Name, you’ve inadvertently posted the answer to three of your security questions online.

Social Engineering is a real threat. It’s one of the most common ways to obtain access to systems. It comes in many forms, from phoning you up pretending to be your ISP, to turning up in person pretending to fix the water cooler, to putting “fun things” online to get you to divulge information.

The three examples referenced above are certainly not intentional social engineering attacks. The next one you fill out might be though. And whether it was intentional or not, the fact stands: the information is in public.

It’s not hard to use a search engine and collate information about someone. Within an hour, you can search through a person’s Twitter, Facebook, LinkedIn, Instagram, and anywhere else they have a presence. You post your first car one day, then three months later the street where you grew up, six months later your first school. All of that information is still there, and it can be found and collated.
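To make the collation concrete, here is an added example (our code, not Always Networks’ or Microsoft’s) that runs a handful of constructed posts from a hypothetical person through simple pattern matchers and maps whatever they reveal onto the security questions named above. The posts, the regexes, and the rule that a royal wedding guest name parses as Lord/Lady, a one-word grandparent name, a one-word pet name and then the street are all assumptions made for the example; a real search would be noisier, but the point it makes is the same: one “fun” post fills in three questions, and a few months of timeline fills in the rest.

```python
import re
from datetime import date

# Security questions the page names: three from the Azure AD self-service
# password reset default list, two from the viral "fun" posts themselves.
QUESTIONS = {
    "grandmother": "maternal grandmother's name",
    "pet": "name of first pet",
    "street": "street you grew up on",
    "car": "model of first car",
    "school": "name of first school",
}

# A "royal wedding guest name" is Lord/Lady + grandparent's name + first
# pet's name + street you grew up on.  Assumption (ours, for parsing): the
# first two parts are single capitalised words and the rest is the street.
ROYAL_NAME = re.compile(
    r"\b(?:Lord|Lady)\s+([A-Z]\w+)\s+([A-Z]\w+)\s+([A-Z][\w']*(?:\s[A-Z][\w']*)*)"
)

# Single-answer extractors: (pattern, question key).  The phrasings are
# assumptions about how people write these posts, not a real OSINT tool.
SINGLE_ANSWER = [
    (re.compile(r"[Ff]irst car[:\s]+(?:was\s+)?(?:an?\s+)?"
                r"([A-Z\d]\w*(?:\s[A-Z\d]\w*)*)"), "car"),
    (re.compile(r"[Ff]irst school,?\s+([A-Z][\w']*(?:\s[A-Z][\w']*)*)"), "school"),
]

# Constructed timeline for a hypothetical person (not real posts).  Each
# entry is (date posted, site, text).
POSTS = [
    (date(2018, 5, 19), "twitter",
     "My Royal Wedding guest name is Lady Margaret Biscuit Elm Grove! What's yours?"),
    (date(2018, 8, 2), "facebook",
     "First car: a 1998 Ford Fiesta. Loved that thing."),
    (date(2018, 11, 14), "instagram",
     "Throwback to my first school, St Mary's Primary #tbt"),
    (date(2019, 1, 3), "linkedin",
     "Ten years in networking this month. Time flies."),
]


def collate(posts):
    """Map each recoverable question key to (answer, site, date first seen).

    The first sighting wins, so the returned dates show how far back an
    attacker has to dig to fill in each answer.
    """
    profile = {}
    for when, site, text in sorted(posts):
        m = ROYAL_NAME.search(text)
        if m:
            # One "fun" post yields three answers at once.
            for key, answer in zip(("grandmother", "pet", "street"), m.groups()):
                profile.setdefault(key, (answer, site, when))
        for pattern, key in SINGLE_ANSWER:
            m = pattern.search(text)
            if m:
                profile.setdefault(key, (m.group(1), site, when))
    return profile


def answered(profile):
    """How many of the listed security questions the profile can answer."""
    return sum(1 for key in QUESTIONS if key in profile)


def span_days(profile):
    """Days between the earliest and latest post that leaked an answer."""
    dates = [when for _, _, when in profile.values()]
    return (max(dates) - min(dates)).days if dates else 0


if __name__ == "__main__":
    profile = collate(POSTS)
    for key, question in QUESTIONS.items():
        if key in profile:
            answer, site, when = profile[key]
            print(f"{question:<28} {answer!r:<22} ({site}, {when})")
        else:
            print(f"{question:<28} not found")
    print(f"{answered(profile)} of {len(QUESTIONS)} questions answered "
          f"from posts spanning {span_days(profile)} days")
```

Run as a script it prints the filled-in profile: all five questions answered from posts spread over about six months, with the royal wedding name alone accounting for the three that also appear on the Azure AD default list. The LinkedIn post contributes nothing, which is the usual case; the attacker only needs the few posts that do.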

Once someone has all that information, there are plenty of places you may have used it. What’s your memorable word for your bank?

Think about what information you share online.
