Account Security is Broken

I spend a lot of time talking about the virtues of strong passwords (or maybe passphrases) and two-factor authentication. I’ve written about promising new authentication technologies like passkeys. But in many cases, all of that is moot. Your account security is only as secure as its weakest link. And just about every account you have has a well-known “backdoor”.

Account Security’s Weakest Link

Putting a lock on your door is the accepted way to protect the contents of your house. In most cases, this is good enough, even though modern home locks are pretty easy to pick. In the virtual world, a strong, random password (when the site stores it properly, as a salted hash) is much, much harder to crack – nigh impossible, actually.

So you did your research and bought the best deadbolt lock on the market. You have reinforced doors and door frames. There’s no glass panel in the door or right next to the lock. Great. But you also worry that some day you might forget or lose your key, so you need a backup plan. You hide a copy of your key somewhere around your house. Under a fake rock. In an external outlet box. On top of the porch light. Or, yes, under the doormat. All that other security no longer matters if someone can find that spare key.

The Account Recovery Backdoor

Similarly, most online accounts have some method to recover your account if you forget or lose access to your password. On the login form there’s a little link right by the password field labeled “Forgot your password?”. This will usually send a special, one-time link to your registered email address that lets you set a new password. It doesn’t matter if you have a 30-character random password with all types of characters – if someone can get to that email, they can get into the account. Some sites will send a recovery code or link to your cell phone by SMS (text message) instead. SMS is also not terribly secure: a SIM-swap attack, where an attacker talks your carrier into moving your number to their phone, lets them receive your texts. Either way, this means that all of your accounts are now only as secure as your email account or your phone number.
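To make the backdoor concrete, here is a minimal password-reset flow of the kind described above. This is an added example, not code from the original post or from any particular site; the user table, the hashing choices (plain SHA-256 stands in for a proper slow password hash), the 15-minute token lifetime and the `attacker_with_mailbox_access` function are all my assumptions. The reset token itself is done the way a careful site would do it (high entropy, stored only as a hash, expiring, single use), and it still does not matter: whoever can read the inbox never has to touch the 30-character password.

```python
"""Added example (not from the original post): a minimal password-reset
flow showing why the emailed link bypasses the password entirely.

Assumptions (mine, not the post's): an in-memory user table, SHA-256 for
both the password hash and the reset-token hash, and a 15-minute token
lifetime. A real service would use a slow password hash (argon2/bcrypt)
and persistent storage; the shape of the flow is the point here.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: 15-minute token lifetime

# Constructed sample data: one user with a 30-character random password.
USERS = {
    "alice": {
        "email": "alice@example.com",
        "pw_hash": hashlib.sha256(b"7VbQ2!xLm9#pR4sWz8kT1nY6eJ3hU0c").hexdigest(),
    }
}
# sha256(token) -> (username, expiry timestamp); only the hash is stored
RESET_TOKENS = {}
# Stand-in for the outgoing mail queue: (recipient, link) pairs.
OUTBOX = []


def check_password(username, password):
    """Normal login path: compare the hash of the supplied password."""
    user = USERS.get(username)
    if not user:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(candidate, user["pw_hash"])


def request_reset(username, now=None):
    """'Forgot your password?' handler: mint a one-time token and mail it."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if not user:
        return None  # same response either way: don't reveal whether the account exists
    token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[token_hash] = (username, now + TOKEN_TTL_SECONDS)
    OUTBOX.append((user["email"], f"https://example.com/reset?token={token}"))
    return token


def reset_password(token, new_password, now=None):
    """Anyone holding a live token sets a new password; the old one is never asked for."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(token_hash, None)  # pop makes the token single-use
    if entry is None:
        return False
    username, expires = entry
    if now > expires:
        return False
    USERS[username]["pw_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
    return True


def attacker_with_mailbox_access(now=None):
    """Simulate an attacker who can read alice's inbox (assumed scenario):
    they request a reset, pull the link out of the mail, and log in with a
    password of their choosing, without ever cracking the real one."""
    request_reset("alice", now)
    _, link = OUTBOX[-1]
    token = link.split("token=", 1)[1]
    reset_password(token, "attacker-chosen", now)
    return check_password("alice", "attacker-chosen")
```

Every defensive property of the token (entropy, hashing at rest, expiry, single use) only limits who can use a leaked link and for how long; none of them help when the attacker is the one reading the mailbox, which is exactly why the email account has to be the best-protected one you own.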

It gets worse, though. Many online accounts still allow you to recover your account by answering a handful of “security questions”. Many of these questions could be answered by someone who knows you well, or who just follows you on Facebook. For financial accounts, they may use knowledge-based questions derived from your credit report – past addresses and accounts, mostly. Those are harder to guess, but after so many data breaches, including Experian’s, that information isn’t hard for bad guys to find.

Strengthening the Weak Links

So, what can you do about this? First and foremost, make sure your email account is well protected. Use a strong, unique password and set up two-factor authentication. This applies to every email address you used to set up your online accounts, so review the accounts in your password manager to see which addresses you’ve actually used.

If a website forces you to enter account recovery questions, I suggest you either lie or perhaps add some sort of prefix or suffix to every answer. For example, if the question is “what was the name of your elementary school” you can answer “NOT Jefferson” or “JJJefferson”. If you can concoct a methodology you can always remember, that’s fine. But you can also jot down your incorrect answers in the notes area of your password manager vault entry for that site. All you really need to be able to do is reproduce your answers on demand – they don’t have to be correct. If you really want to go nuts, you can generate random answers for every question.
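One way to do the “random answers” version of this, as an added example and not something from the original post: generate an answer per question, compute how much it would resist guessing, and build the text to paste into the vault note. The question list is constructed, and the `site_normalize` function is my assumption about what many sites do to answers before comparing them (lowercase, strip spaces and punctuation); the answers are therefore built only from lowercase letters and digits so that such normalization cannot change them.

```python
"""Added example (not from the original post): treat recovery questions as
secondary passwords by generating random answers and recording them in a
password-manager note.

Assumption (mine): sites may normalize answers before comparing them
(lowercase, drop spaces/punctuation), so answers use only lowercase letters
and digits, which pass through that normalization unchanged.
"""
import math
import re
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits
ANSWER_LENGTH = 20  # assumption: 20 chars of base-36 is ~103 bits

# Constructed sample of typical recovery questions.
QUESTIONS = [
    "What was the name of your elementary school?",
    "What was the make of your first car?",
    "In what city were you born?",
]


def random_answer(length=ANSWER_LENGTH):
    """One answer drawn with a CSPRNG; the truth never enters into it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def answer_entropy_bits(length=ANSWER_LENGTH, alphabet_size=len(ALPHABET)):
    """Guessing resistance of a random answer, in bits."""
    return length * math.log2(alphabet_size)


def generate_answers(questions):
    return {q: random_answer() for q in questions}


def vault_note(site, answers):
    """Text to paste into the password manager's notes field for `site`."""
    lines = [f"Recovery answers for {site} (random, not true):"]
    for q, a in answers.items():
        lines.append(f"  Q: {q}")
        lines.append(f"  A: {a}")
    return "\n".join(lines)


def site_normalize(answer):
    """Assumed site-side normalization: lowercase, keep only [a-z0-9]."""
    return re.sub(r"[^a-z0-9]", "", answer.lower())


def answers_survive_normalization(answers):
    """True if every stored answer is exactly what the site would compare."""
    return all(site_normalize(a) == a for a in answers.values())
```

The prefix trick from the paragraph above survives the same normalization (“NOT Jefferson” becomes “notjefferson” on both the day you set it and the day you type it again), which is the property that matters: you have to be able to reproduce the answer, not remember the truth.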

But the bottom line here is that we need the ability to disable these much weaker account recovery options. Strong passwords and 2FA are great, but pointless if I can bypass them by getting into your email or by answering some simple questions. Similarly, moving all your accounts to passkeys only increases your security if you can then disable all other authentication methods. If a site still keeps a password as a backup access mechanism, then that site is still maintaining a shared secret that can be stolen and potentially cracked. That’s much less of a concern for me than email links and recovery questions, but it’s important to realize that adding strong authentication methods won’t increase your security unless you can remove the weaker ones.

