
How Can I Use a Password Manager for My Security Questions?

How do password managers handle random security questions? I’ve never seen this mentioned in any of the articles that I have read. Am I still going to have to maintain a readily available list of security question answers?

Not surprisingly, password managers are all about passwords. More specifically, they’re about automatically saving and entering your username and password when you need to log in. When it comes to security questions, often also referred to as “secret questions” — well, that’s just not their job.

But that doesn’t mean they can’t help.


Summary

  • Password managers are good at identifying usernames and passwords, but can’t reliably identify security questions.
  • Security questions were originally intended to be about things you just know, without aid.
  • We now recommend treating security question answers like passwords.
  • Secure-note features in password vaults can be used to keep track of your responses.
  • Fortunately, security questions are falling out of favor.

Recognizing what’s happening

Password managers work by recognizing when you’re being asked to log in. They analyze the webpage you’re looking at, and when they notice a log-in field — and specifically when they notice a password field — they begin their work.

If there’s an entry associated with the current website, the password manager offers to fill in the username and password fields for you, or just does so automatically. If you enter information that differs from what’s currently stored in your vault, or there’s no entry there at all, they offer to save what you’ve entered for later use.

Security questions are different. Security questions are just plain text-entry fields that password managers can’t identify as even being security questions. There are also several different styles of fields, including drop-down lists of possible questions, different ways of answering those questions, and possibly even taking multiple webpages to work through.

They’re just beyond the capabilities of password managers to reliably identify and manage for you.

You should just know the answers

The idea behind security questions was that they would be questions about things only you would know, but that, indeed, you would readily know. The common example is your mother’s maiden name. Most of us know this with barely a thought, but others are much less likely to.

Of course, this approach is imperfect. It’s certainly possible to research the answers to common security questions for a specific individual. With a little legwork, I’m certain that my mother’s maiden name could be discovered, for example. The same is true for most common security questions.

As a result, security folks now recommend you make up answers. The only requirement is that when you’re asked the same question in the future, you give the same answer as before. I might specify that my mother’s maiden name was “Microsoft”, and as long as I provide that same answer in response to the question in the future, it doesn’t matter that it’s a complete falsehood.

In other words, we now advocate you treat security questions like passwords[1]. But we don’t have tools like password vaults to help us in this regard — at least not directly.

Keeping track

There is one way that some password vaults can help keep track of your made-up answers.

If your password manager has a “Secure Note” feature, you can keep a free-form note in the encrypted vault where you list and keep track of all the questions and answers manually.

[Screenshot: a Secure Note entry in a password manager]

Yes, you’ll have to maintain and refer to this note manually. But since your password manager is always available, it takes just a few quick clicks to open the note and read or update its contents. (If you prefer to have different answers for each site, and if your vault supports a per-entry notes field, you can keep them there instead.)

You can feel secure that the information is being kept just as secure as the log-in information kept there.
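As an added example (not code from the article or from any password manager), the script below does in a few lines what the article suggests doing by hand: it generates a random, alphanumeric-only answer for each security question of a site, writes them into the plain-text body of a secure note, and reads such a note back. The note format (`site:`, `created:`, `Q:`/`A:` lines) is an assumption chosen here; any vault’s secure-note or per-entry notes field can hold it. Answers are restricted to letters and digits because many sites reject punctuation in security answers.

```python
import secrets
import string
from datetime import date

# Letters and digits only: punctuation is frequently rejected in answer fields.
# The alphabet and the 20-character default are this example's assumptions.
ANSWER_ALPHABET = string.ascii_letters + string.digits


def generate_answer(length: int = 20, alphabet: str = ANSWER_ALPHABET) -> str:
    """Return a made-up answer drawn from a CSPRNG (the `secrets` module)."""
    if length < 12:
        raise ValueError("a made-up answer should be at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_secure_note(site: str, questions: list[str], length: int = 20) -> str:
    """Produce the text of one secure note: the site, a creation date,
    and a fresh random answer for every question the site asked."""
    lines = [f"site: {site}", f"created: {date.today().isoformat()}"]
    for question in questions:
        lines.append(f"Q: {question}")
        lines.append(f"A: {generate_answer(length)}")
    return "\n".join(lines)


def parse_secure_note(note: str) -> dict:
    """Read a note written by build_secure_note back into a dict:
    {'site': ..., 'created': ..., 'answers': {question: answer}}."""
    result = {"site": None, "created": None, "answers": {}}
    pending_question = None
    for raw in note.splitlines():
        line = raw.strip()
        if line.startswith("site: "):
            result["site"] = line[len("site: "):]
        elif line.startswith("created: "):
            result["created"] = line[len("created: "):]
        elif line.startswith("Q: "):
            pending_question = line[3:]
        elif line.startswith("A: ") and pending_question is not None:
            result["answers"][pending_question] = line[3:]
            pending_question = None
    return result


if __name__ == "__main__":
    # Constructed sample: a site (placeholder name) asking two common questions.
    note = build_secure_note(
        "example-bank.invalid",
        ["Mother's maiden name?", "Make of your first car?"],
    )
    print(note)
    print(parse_secure_note(note))
```

Paste the printed note into the vault’s secure note (or the site entry’s notes field); when a site later asks one of the questions, open the note and copy the matching `A:` line. Keeping the creation date, as one commenter below also suggests, tells you how old the answers are when you revisit the entry.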

Security questions are falling out of favor

The good news is that security questions are falling out of favor, mostly for the very reason I highlighted above: when answered truthfully, the answers are often easy to guess or research.

While many sites will continue to use security questions for some time to come — mostly because they’re easy — the trend is to move to different security measures. Some form of additional or two-factor authentication is the most common.

Regardless, since they’ll be with us for some time (albeit on fewer and fewer sites), using your password vault as a secure repository for the information will help you keep track of the fake answers that make your security questions more secure.


Footnotes & references

[1] Taken to an extreme, it’s quite possible to specify that your mother’s maiden name (or other security answer) is something like “K5rhts87w4McPVwFqK2A”.

13 comments on “How Can I Use a Password Manager for My Security Questions?”

  1. I use RoboForm for URLs and userids and passwords and I use it to answer the security questions. Usually, I merely find the correct entry in RoboForm and click on FILL. I have answers defined in RoboForm by website I am visiting and the question. In most cases it’s just a few clicks and I have answered the security question and I don’t even remember the answers.

  2. Security questions should be treated like passwords – use a different one for each account. For example, I have twenty three (23) accounts, therefore I have twenty three (23) “mother’s maiden names,” none of which are her real name. I keep them in the notes section of my password manager.

  3. In LastPass, my security questions are with my login information under Notes: I copy the question, then the answer to go with it. That way all I have to do is go to that site and location, copy and paste the answer.

  4. Last Pass also has a “Note” field if you go to Edit Site. That way the stored security question answer is specific to that site. Another way to handle this is pick some obscure word or name and use that as an answer to all questions. I use my mother’s maiden name as an answer to all security questions. That makes it easy to remember. Anyone trying to guess my “first automobile” will be unlikely to guess my mother’s maiden name.

    • This is what I do, have a different set of security questions for each site. I usually choose it to be a pronounceable password. I do not repeat security answers except sometimes for both me and my wife at the same place (e.g. our separate accounts at the bank have the same answers to the security questions). I feel very secure because of this, and of course, I trust LastPass a lot.

  5. I’m one of those whose mother’s maiden name is very much like “K5rhts87w4McPVwFqK2A” on one website and something similar on the other. If you use KeePass, storing extra security questions is so easy even I can do it. When you store your login name and password, underneath you list your security questions and the corresponding answers; the questions are visible, you can highlight one just by clicking on it and then copy the password by clicking on an icon (looks like a key), then just paste it on your login page. The security questions are not filled in automatically, but that is just a minor inconvenience. The beauty of KeePass is that you can put a different background color on each of your password logins.

  6. The Advanced tab of Kee Pass lets you add any number of codes or references you might need, about anything : online accounts, software, hardware…

    The answer to security questions can be stored there (and you can activate the in-memory protection). Of course, maiden names and such should never be names, just random passwords. Otherwise, they would be vulnerable to dictionary attacks.

    That’s the place I put my software licence numbers, my smartphone IMEI, my hard drive serial numbers, the false name and addresses I use for various accounts, recovery codes, etc. All those get secured and backed up the same way passwords are secured and backed up.

  7. DBA Steve has the right idea. And it is possible for LastPass to do the same thing, often without mouse clicks or the keyboard.

    LastPass can automatically fill out the security question field on many sites.

    The url on a security question page is usually different from the login credentials page. So we can fill in the answer to the security question on this page and then click “Save the Site” in the LastPass dropdown menu. In “Advanced Settings” on the new site, we check off Autologin and click Save.

    If the security page of the site comes up in the next login attempt, LastPass will fill in the security answer automatically and, in many cases, take us to the login page. LastPass will then fill in the credentials and take us to the main site directly, or after we click Login.

  8. In LastPass, as mentioned above by Drinen and Gilersleeve, the site that has the password has an area for notes, so you do not have to have a separate note to hold the security question answers. I have also taken to putting the date of the password change and the date I made up the security question answers so I have some idea how old they are. This is also useful in the instances when there are multiple entries in LastPass for the same site (I am not sure how that happens).

  9. I get the appeal of two factor authentication, but many websites that encourage using it, assume you have a cellphone. Well I don’t have a cellphone. I have no need for one. Security questions work better for me.

    My bank has just forced implementation and they will let you use a landline to receive a voice message with the code in it. That sounds okay. But when we travel, if I need to access my account, and the bank decides they need to verify my ID, how is the bank going to call me? The bank says that if I make my laptop a trusted device, then they shouldn’t ask me to verify my ID while traveling. That actually makes no sense to me. If my laptop logs in to the bank’s website from an unknown location, wouldn’t the risk of fraud be higher until they can verify that it is me? The bank tells me not to worry, but I do.

    I liked it better when we verified our ID with security questions or an email to an email address previously supplied to the website.

    • If you set your computer as a trusted device, the bank has a method of recognizing that computer each time it tries to log in and doesn’t require a second factor, as the computer itself is the second factor. There is no higher risk of fraud than with any other second-factor authorization method, as anyone trying to log in to your account would either need to access the site from your computer or another method such as your cell phone. And if the bank tells you not to worry, I’d trust them, as they are responsible for any breach of your account.

  10. I use Lastpass. In the Notes field for that particular login I list the security questions and, for each response have Lastpass generate a random password. That way all responses are different between questions and between sites. Just be sure to disable special characters in the password generator since most sites won’t accept them in the security answers. I’m sure you can do this in the other password managers as well.

  11. I use KeePass, and EVERY SINGLE PASSWORD ENTRY has a corresponding “Notes” field — separate and distinct for EACH and EVERY password entry, AND encrypted along with it — below the “URL” field.

    That’s where I store such things as credit card expiration dates, the “800” number for the card company, and YES — any Security Questions (and, of course, their corresponding Answers!).

    This of course holds true with NON-credit-card sites, as well.

    I really recommend KeePass — there’s even a Plug-In available that changes the encryption from the default AES, to Twofish. (This is something I STRONGLY recommend, because if ANY encryption algorithm is under attack, it’s AES, because it’s so ubiquitous. They who crack AES will rule the world! So, best to use something else — that way, they may rule the rest of the world, BUT NOT YOU.)

    Hope this helps! 🙂
