Last night I went to www.AnnualCreditReport.com, the site set up by the FTC for checking your credit report once a year for free. That site then sends you to the three credit rating companies, each of which buries links to credit report under a mound of offers for their credit monitoring services.
The worst of these agencies, from a security standpoint, is TransUnion. They require you to create a username and password, plus a password recovery question.
A password recovery question is essentially a secondary password that’s a whole lot easier to guess than the primary password. Sarah Palin’s Yahoo email account got hacked into by someone who could guess a few personal details that anyone in her home town would know.
Last year, TransUnion let me create my own password recovery question. This year, they’ve disabled that, so I had to choose from one of their questions. Every single question is something that a high school acquaintance might know about me and could be guessed from public records. Mother’s maiden name. Father’s middle name. High school mascot. The street I grew up on. If you’re from a small town, everyone in the town would know these things about you.
Now consider that you use your TransUnion password exactly once a year. If you don’t choose a good password, for example if you reuse the same password for every website you visit, it’s easy for someone to get a list of all your credit cards, bank accounts, loans, and mortgages. If you do choose a good password, you’re almost certain to not remember it. So the password recovery question is your password. (What’s the right thing to do? Choose a really cryptic password like A2LCA6BVW3 and keep it in your wallet. And don’t mix up your O’s and zeroes or ones and ells!)
So what should Sarah Palin and all the other small-town folks in America do? Go to AnnualCreditReport.com and use the mail-in form.