What was your mother’s maiden name? Where did you and your spouse first meet? What was the model of your first vehicle?
You probably don’t need me to explain what these three questions have in common. They are all examples of the top ten security questions for password recovery. Although it would make more sense to call them “the top ten most insecure security questions.”
Let me explain.
Security questions are an effective way to recover or add an extra layer of security to your accounts. But only if you know how to make smart use of them.
What’s Wrong With Popular Security Questions?
Long story short, answers to most security questions are too easy to guess. Ok, maybe not “guess” but they are definitely quite simple to uncover with a little googling. Take your mother’s maiden name, for example. With good motivation in place, anyone can easily find the answer by making a few search queries. Is a family member or close friend looking for the answer? Well, the task has just got even easier.
What’s the birth month of your first child? This one is even worse, as there are only 12 possible answers. How much time do you think it will take a “hacker” to try them all?
What was the model of your first vehicle? If, for some reason, an old friend is guessing, this question is hilariously easy to answer. Even if it’s someone who doesn’t know you personally, remember there are only so many models of cars, and social media has been around for over a decade. It might take some time to guess, but the process won’t last forever if someone is savvy enough to do some digging into your background.
Face it: if someone is really interested in breaking into your account (this could be an angry ex, a jealous spouse, or a hacker), popular security questions will not likely stop them. Especially if the secret questions and answers you picked can hardly be called “secret.”
How to Choose Good Security Questions
Luckily, there are security questions best practices. Follow them to minimize the risk of someone using your secret questions as an “entry ticket” to your accounts.
Good security questions meet the following criteria:
- It’s evergreen. Make sure to pick the question for which the answer never changes. If the answer you picked is true today but won’t be so in five years, go pick another one. Choose something timeless.
- It’s easy for you to remember. What’s the point of coming up with a really strong security question if you won’t manage to keep it in your head for more than a few days? Don’t forget you’ll need to remember not only what you wrote but also how you wrote it. Most systems are punctuation- and capitalization-sensitive.
- It’s hard for everyone to guess. By “everyone” here, I mean your close friends and family members, too. Don’t pick something obvious like your natural hair color, the breed of your dog, or your favorite music genre (after all, people can easily check your profile on Apple Music or view what artists you follow on Twitter or YouTube).
- There are countless possible answers. If there are only so many possible answers to a question you pick, you’d better choose another question. Months, seasons of the year, names of countries, colors, dog breeds—the number of options is limited, which means that eventually, a hacker can type in the correct one. Of course, you can invent your own name of the month or color, but there’s a problem with this approach, too. What’s the problem? Reread tip number two.
- It’s not something people can ask you just for fun and hear the answer without you becoming suspicious. That’s why questions like “What was your nickname at school?” or “What part of your body don’t you like?” are not secure. This is something people can easily find out during a casual conversation.
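Two of the points above (the 12-month problem, and the “countless possible answers” and “remember how you wrote it” criteria) are things a site operator can enforce in code rather than leaving to the user. The example below is an added illustration, not code from the original post: it rejects answers drawn from small closed sets (the month, season and color lists are constructed and deliberately short), reports how few guesses such an answer would survive, and stores the accepted answer the way a password should be stored, after normalizing case, punctuation and whitespace so that “Vanilla Ice-Cream” and “vanilla ice cream” verify the same. The minimum-length threshold and the PBKDF2 work factor are assumptions, not values from the post.

```python
import hashlib
import hmac
import math
import os
import re
import unicodedata

# Constructed closed answer sets (assumption: a real deployment would use
# fuller lists). Any answer drawn from a set this small can be exhausted
# by an attacker in a handful of recovery attempts.
CLOSED_SETS = {
    "months": {
        "january", "february", "march", "april", "may", "june", "july",
        "august", "september", "october", "november", "december",
    },
    "seasons": {"spring", "summer", "autumn", "fall", "winter"},
    "colors": {
        "red", "blue", "green", "black", "brown", "blonde", "grey", "gray",
        "white", "yellow", "orange", "purple", "pink",
    },
}

MIN_ANSWER_CHARS = 8      # assumed policy threshold, after normalization
KDF_ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example


def normalize(answer: str) -> str:
    """Canonicalize an answer so capitalization, punctuation and spacing
    differences do not lock the legitimate user out.

    Unicode letters are kept (\\w is Unicode-aware on str), so an answer
    given in a foreign language survives normalization intact."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", " ", text)  # punctuation becomes a separator
    return " ".join(text.split())         # collapse runs of whitespace


def assess_answer(answer: str) -> list[str]:
    """Return the policy problems found with a candidate answer.

    An empty list means the answer is acceptable under this (assumed) policy."""
    problems = []
    norm = normalize(answer)
    if len(norm) < MIN_ANSWER_CHARS:
        problems.append(
            f"too short: {len(norm)} chars after normalization "
            f"(minimum {MIN_ANSWER_CHARS})"
        )
    for name, members in CLOSED_SETS.items():
        if norm in members:
            bits = math.log2(len(members))
            problems.append(
                f"answer is one of only {len(members)} {name} "
                f"(~{bits:.1f} bits of guessing work)"
            )
    if norm.replace(" ", "").isdigit():
        problems.append("purely numeric answers (years, dates) have tiny search spaces")
    return problems


def store_answer(answer: str) -> tuple[bytes, bytes]:
    """Hash the normalized answer with a fresh random salt.

    Security answers are credentials: they must never be stored in
    plaintext where a database leak would hand them to an attacker."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, KDF_ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the hash from the candidate and compare in constant time."""
    trial = hashlib.pbkdf2_hmac(
        "sha256", normalize(candidate).encode("utf-8"), salt, KDF_ITERATIONS
    )
    return hmac.compare_digest(trial, digest)


if __name__ == "__main__":
    for sample in ["July", "1987", "vanilla ice cream with Oreo bites"]:
        print(f"{sample!r}: {assess_answer(sample) or 'ok'}")
    salt, digest = store_answer("Vanilla Ice-Cream, with Oreo bites!")
    print(verify_answer("vanilla ice cream with oreo bites", salt, digest))
```

The normalization step is a trade-off made in the user’s favor: it slightly shrinks the answer space (“Ice-Cream” and “ice cream” become one answer) but removes the most common reason legitimate users fail their own recovery questions. The closed-set check is what turns the post’s “only 12 possible answers” observation into a rule the system enforces instead of advice the user has to remember.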
Extra Tips on How to Pick Strong Security Questions
There are a few more tricks you can use to make the most of the security question system.
You can provide answers that are not true (but only if you’re sure you can remember them long-term).
Alternatively, you can put your best creative foot forward and modify the answer to even the simplest question in a way people will never be able to guess (again, you should only try it if you can remember the answer yourself). For example, you can write the word in a non-standard way or answer in a foreign language.
If allowed, come up with your own security questions and make sure they aren’t trivial. In most cases, questions that are unique are harder to guess. You can type something like “What was your favorite cheat meal at school?” and answer something like “vanilla ice cream with Oreo bites.” If that’s what you used to eat for real, you won’t have problems memorizing the answer, while a stranger will not manage to guess more than “ice cream.”
Make use of password managers to safely store your super creative and hard-to-remember passwords.
What’s your experience with using security questions?