
Why using password hints is a terrible idea

09.12.2024

In the early days of the internet, password hints were a common feature for recovering forgotten passwords. The idea seemed helpful at the time: if you couldn't remember your password, you could answer a security question like "What's your mother's maiden name?" or "What was your first pet's name?". As convenient as they may seem, password hints are now considered a significant security risk. Here's why relying on them is a bad idea and what you should use instead.

What are password hints?

Password hints were introduced to help users recover their passwords if they forgot them. Strictly speaking, a password hint is a short reminder you write for yourself that the service shows on request, while a security question is a separate recovery check; this article uses "password hints" for both, because they fail in the same way. Both rely on details the user is expected to know, such as personal facts about their life, on the assumption that only the account owner could supply them. That assumption does not hold: anything you know about your own life is something an attacker can find out, and a hint shown on the login screen is shown to whoever is sitting at that screen.

Why password hints are a security risk

While password hints were designed to make password recovery easier, they make account takeover easier too. The key problem is that hint answers are not random: the questions are drawn from a small, predictable set, and the answers come from an even smaller one, since there are only so many common pet names, street names or schools. Personal information like the name of your first school or your childhood address can easily be discovered by anyone who digs into your online profiles or public records, or who simply chats with you.

This makes password hints a prime target for social engineering attacks. For instance, someone might trick you into sharing information without you realising it. A seemingly harmless conversation where someone asks "Hey, I grew up near Maple Street, where did you live?" could hand them the answer to your recovery question.

Because these questions are so easily answered, password hints enlarge your attack surface, the set of ways an attacker can get into your accounts. A recovery question is effectively a second, much weaker password for the same account: an attacker who cannot guess a strong password can still guess "Daisy" or "Lincoln Elementary", and an account is only as secure as its weakest way in. Instead of adding security, hints add a path that bypasses it.


The social engineering danger

Social engineering is a tactic where attackers manipulate people into giving away confidential information. Since password hints often rely on personal details, attackers can use social engineering techniques to obtain these answers without needing to hack into any system. For example, a quick glance at someone's social media could reveal their pet’s name or the school they attended. In some cases, hackers may even approach friends or family members to gather this information.

Because many of us openly share details about our lives on platforms like Facebook or Instagram, using password hints tied to personal information is a risky practice.

What to use instead of password hints

So, if password hints are unsafe, what's the alternative? The best solution is to avoid them entirely: leave the hint field empty where it is optional, and prefer recovery methods such as recovery codes or a verified second factor where the service offers them. If a service forces you to set a security question, treat the answer as another password: enter a random string that has nothing to do with the question, use a different one for every service, and save it in your password manager, since you will not be able to remember it and that is the point. The ideal approach overall is to rely on a password manager.

Password managers generate strong, random passwords and store them securely for you. This removes the need for password hints because forgetting a password stops being a concern, and the manager is also the place to keep the random security-question answers mentioned above. Many password managers also offer autofill and syncing across devices, making them even more convenient to use. Protect the manager itself with a long master passphrase and MFA, because it now guards everything else.
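To make the predictability argument above concrete, here is an added example (written for this page, not code from the original article) that simulates an attacker's dictionary guess against a stored security-question answer and contrasts it with a random answer of the kind a password manager would generate and store in the same field. The pet-name list, the assumed size of a real attacker's candidate list, and the sha256 stand-in for server-side storage are all constructed for illustration.

```python
"""Added example, not part of the original article: a dictionary attack on a
security-question answer versus a random answer generated for the same field.
The pet-name list, the assumed candidate-list size and the sha256 stand-in
for server-side storage are all constructed for illustration."""
import hashlib
import math
import secrets

# Constructed: a tiny stand-in for the "most common answers" list an attacker
# would assemble from pet-name statistics or a scrape of social media profiles.
COMMON_PET_NAMES = [
    "max", "bella", "charlie", "luna", "lucy", "cooper", "daisy", "milo",
    "buddy", "rocky", "molly", "bailey", "sadie", "lola", "oliver", "coco",
]

# Assumption: a realistic attacker list holds about a thousand candidates.
ASSUMED_CANDIDATE_LIST_SIZE = 1000

# Assumption: 16 random bytes per generated answer (128 bits of entropy).
RANDOM_ANSWER_BYTES = 16


def normalize(answer: str) -> str:
    """Services usually case-fold and trim answers before comparing them,
    which shrinks the effective answer space even further."""
    return " ".join(answer.lower().split())


def store_answer(answer: str) -> str:
    """Stand-in for how a service might store a recovery answer.
    Real services should use a slow password hash; sha256 keeps this short."""
    return hashlib.sha256(normalize(answer).encode("utf-8")).hexdigest()


def dictionary_attack(stored: str, candidates):
    """Try each candidate in order. Returns (found, guesses_used)."""
    for n, candidate in enumerate(candidates, start=1):
        if store_answer(candidate) == stored:
            return True, n
    return False, len(candidates)


def random_answer(nbytes: int = RANDOM_ANSWER_BYTES) -> str:
    """What to put in a mandatory 'security question' field: a random token
    generated and kept by a password manager, not a fact about your life."""
    return secrets.token_urlsafe(nbytes)


def entropy_bits(space_size: int) -> float:
    """Attacker effort expressed as bits: log2 of the size of the answer space."""
    return math.log2(space_size)


def compare(personal_answer: str = "Daisy") -> dict:
    """Run both scenarios and return the numbers that matter."""
    stored_personal = store_answer(personal_answer)
    stored_random = store_answer(random_answer())
    found_personal, guesses_personal = dictionary_attack(stored_personal, COMMON_PET_NAMES)
    found_random, _ = dictionary_attack(stored_random, COMMON_PET_NAMES)
    return {
        "personal_found": found_personal,
        "personal_guesses": guesses_personal,
        "personal_entropy_bits": round(entropy_bits(ASSUMED_CANDIDATE_LIST_SIZE), 1),
        "random_found": found_random,
        "random_entropy_bits": 8 * RANDOM_ANSWER_BYTES,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The personal answer falls on the seventh guess of a sixteen-word list, and even a thousand-word list is only about ten bits of work; the random answer survives the whole list and would take roughly 2^128 guesses. The `normalize` step mirrors what services do before comparing, and it shows why "Daisy" and "daisy" are the same answer to an attacker.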

Additionally, a password manager ensures that your passwords are complex and unique, reducing the risk of brute-force attacks and of credential stuffing, where a password leaked from one site is tried on every other. A strong password combined with multi-factor authentication (MFA) offers a much more secure way to protect your accounts. A VPN such as hide VPN encrypts your traffic on untrusted networks and stops eavesdropping on that traffic, but it does nothing against social engineering or a guessable recovery question, so treat it as a complement to the measures above rather than a substitute.

In conclusion, password hints may have seemed useful in the past, but they now pose a serious security risk. With personal information easily accessible online, relying on password hints can make it easier for attackers to compromise your accounts through social engineering. Instead, using a password manager is a much safer and more effective solution. By generating and storing complex passwords, password managers offer a secure way to protect your online accounts without the vulnerabilities of password hints.