Not surprisingly, password managers are all about passwords. More specifically, they’re about automatically saving and entering your username and password when you need to log in. When it comes to security questions, often also referred to as “secret questions” — well, that’s just not their job.
But that doesn’t mean they can’t help.
Become a Patron of Ask Leo! and go ad-free!
- Password managers are good at identifying usernames and passwords, but can’t reliably identify security questions.
- Security questions were originally intended to be about things you just know, without aid.
- We now recommend treating security question answers like passwords.
- Secure-note features in password vaults can be used to keep track of your responses.
- Fortunately, security questions are falling out of favor.
Recognizing what’s happening
Password managers work by recognizing when you’re being asked to log in. They analyze the webpage you’re looking at, and when they notice a log-in field — and specifically when they notice a password field — they begin their work.
If there’s an entry associated with the current website, the password manager offers to fill in the username and password fields for you, or just does so automatically. If you enter information that differs from what’s currently stored in your vault, or there’s no entry there at all, they offer to save what you’ve entered for later use.
Security questions are different. Security questions are just plain text-entry fields that password managers can’t identify as even being security questions. There are also several different styles of fields, including drop-down lists of possible questions, different ways of answering those questions, and possibly even taking multiple webpages to work through.
They’re just beyond the capabilities of password managers to reliably identify and manage for you.
You should just know the answers
The idea behind security questions was that they would be questions about things only you would know, but that, indeed, you would readily know. The common example is your mother’s maiden name. Most of us know this with barely a thought, but others are much less likely to.
Of course, this approach is imperfect. It’s certainly possible to research the answers to common security questions for a specific individual. With a little legwork, I’m certain that my mother’s maiden name could be discovered, for example. The same is true for most common security questions.
As a result, security folks now recommend you make up answers. The only requirement is that when you’re asked the same question in the future, you give the same answer as before. I might specify that my mother’s maiden name was “Microsoft”, and as long as I provide that same answer in response to the question in the future, it doesn’t matter that it’s a complete falsehood.
In other words, we now advocate you treat security questions like passwords1. But we don’t have tools like password vaults to help us in this regard — at least not directly.
There is one way that some password vaults can help keep track your made-up answers.
If your password manager has a “Secure Note” feature, you can keep a free-form note in the encrypted vault where you list and keep track of all the questions and answers manually.
Yes, you’ll have to maintain and refer to this note manually. But since your password manager is always available, it takes just a few quick clicks to open the note and read or update its contents. (If you prefer to have different answers for each site, and if your vault supports a per-entry notes field, you can keep them there instead.)
You can feel secure that the information is being kept just as secure as the log-in information kept there.
Security questions are falling out of favor
The good news is that security questions are falling out of favor, mostly for the very reason I highlighted above: when answered truthfully, the answers are often easy to guess or research.
While many sites will continue to use security questions for some time to come — mostly because they’re easy — the trend is to move to different security measures. Some form of additional or two-factor authentication is the most common.
Regardless, since they’ll be with us for some time (albeit on fewer and fewer sites), using your password vault as a secure repository for the information will help you keep track of the fake answers that make your security questions more secure.
If you found this article helpful, I'm sure you'll also love Confident Computing! My weekly email newsletter is full of articles that help you solve problems, stay safe, and give you more confidence with technology. Subscribe now and I'll see you there soon,