Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

How to Choose Good Security Questions

Question: What does it mean when a job application requests a “Password Recovery Question” as well as “Password Recovery Answer”? (in addition to the other password)? What should I enter?

Password recovery questions, more commonly called security questions (or secret questions and answers), are used to verify you as the legitimate owner of an online account when you’ve forgotten your password or are otherwise trying to recover an online account.

Apparently, in filling out your online job application, you created such an account. More commonly, security questions are associated with email, banking, and social media accounts.

I’ll look at how they work, when they’re needed, how they fail, when you can make up your own, and what to do if you can’t.

And perhaps most importantly, why you shouldn’t use them at all, if you have a choice.

Become a Patron of Ask Leo! and go ad-free!

How security questions work

The idea is simple: when you create an account, you provide the answer to a question of a personal nature; ideally, a question only you know the answer to. That answer is recorded, and should you ever need to confirm that you are the legitimate account holder, they ask you that question. If your answer matches what you originally entered, you “pass”.

Question markUsually, you’re given a set of stock questions to choose from — things like “What was your mother’s maiden name?”, “What was your favorite childhood pet?”, “What was your high school mascot?” and so on. You choose one, answer it, and that’s the one that will get asked should it be needed in the future.

Some account providers have you answer several questions. When the time comes to use them, they may select one, or they may insist you answer all of them correctly.

When security questions are used

The single most common use for security questions is to recover or reset your password.

The scenario is what you might expect: you forget your password, so you click the “I Forgot My Password” link on the account sign-in page. The service asks you your account recovery questions, and if you get them right, you’re allowed to set a new password.

Some services require additional security measures; perhaps answering those questions correctly triggers a password reset email sent to the email address on record. Perhaps other steps are involved. But answering those questions correctly provides evidence that you are you: you are the person who set up, and therefore owns, the account.

Password recovery is not the only time these questions might be used. They can be used any time a service needs additional verification that you are you. Perhaps a system detects “suspicious behavior”. Maybe you’ve cleared cookies and the website needs to re-verify your identity.

Why security questions fail: reason #1

The single biggest failure related to security questions?

Forgetting the answers.

This used to surprise me. People regularly create accounts and put in nonsense answers to the password recovery questions. Perhaps they’re in a rush and don’t want to take the time. The problem is that when they need to recover their password and can’t answer the questions, they are totally and completely out of luck.

Lesson #1: don’t forget the answers.

Why security questions fail: reason #2

Security questions aren’t as secure as you might think.

We don’t realize how much of our personal information we unintentionally “leak” via social media. Someone can answer our security questions with just a few minutes of research.

It’s not hard to figure out my mother’s maiden name. I’d be surprised if anyone knew the name of my favorite childhood pet, but it’s not hard to figure out what high school I went to, and from that, determine the mascot.

Lesson #2: security questions aren’t very secure. That’s why they’ve fallen out of favor with many online services. If you have a choice, avoid them and use more secure options, like two-factor authentication, alternate email addresses, text-able phone numbers, or recovery codes.

Make your own security question

Normally, you choose from a set of pre-determined questions; it’s rare to be allowed to make up your own.

If you have the option to make up your own question, use it. Make up a question only you can know the answer to — it doesn’t even have to make sense! “What’s the difference between a pencil?”1 is a great password recovery question, as long as you and only you will always remember that the answer is “Godzilla” (or whatever).

More commonly, people choose questions that make sense and relate to their answers. The important thing is to create a question only you can answer.

Make your own answer

When it comes to security questions, only two things matter:

  • Only you know the answer
  • You will always know the answer

That’s it.

Nowhere does it say that the answer has to make sense or even be intelligible. All the system checks is that the answer you give is the same as the one you gave when you set it up.

So go ahead and set your mother’s maiden name to something like “Microsoft”2. It’s a completely nonsensical answer that no one is likely to recover via research. Just be prepared to remember it when you need it.

The answers don’t have to make sense.

They just have to match.

Security questions as passwords

Next to avoiding security questions completely, if you can, the next most secure way to use them is to treat them as passwords.

I mean that quite literally. They don’t have to make sense; they just have to match when needed.

Just like a password.

So instead of setting up some kind of nonsensical answer to the question, set it to something completely random, like “K4nRawvDc3vAQtvh7dTz” — a 20-character string just generated by my LastPass password generator.

But then prepare for the day you need it: save it somewhere — perhaps in the notes accompanying the entry for that account in a password vault like LastPass. That way, as random and impossible to remember as it is, you’ll always be able to find it when you need it.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Podcast audio

Play

Footnotes & References

1: A question I was actually asked in a grade school test. I don’t remember the class, but hope it was some kind of creative writing exercise.

2: OK, don’t set it to Microsoft, since we just used that as an example. Set it to something like Microsoft — equally nonsensical, and something you’ll remember forever.

27 comments on “How to Choose Good Security Questions”

  1. I just wish there was some standard. I dislike sites that try to be more secure by asking *ONLY* things like “my favorite book”, “color’, “place to take a vacation”.

    Those are not set things, and if it is a site I only visit on a semi-annual basis or less, there can be real problems for me forgetting both my password AND what my favorite book was a year or two ago.

    For the same reason, I’ve never tried non-sense answers. I wonder, would it be a bad practice if I give the same nonsense answer to EVERY question on EVERY site?

    Reply
    • I certainly would not give the same answer at different sites. I have it made up by LastPass and save it in LastPass (together with the question).

      Reply
      • In Fact that is a particularly bad Idea.
        If one site gets hacked we have different passwords at each site so the “Bad Guys” cannot just use your password at other sites. The next step would be to use your answers at other sites.
        Just imagine what a hacker will think when they see all 5 of your questions have the answer: Google#999 (of course you would have something different but if all the answers were the same, hackers will certainly try to reset other sites with the same answers.
        1 non sense questions if you can
        2 non related (different) answers
        3 no related to the site or other site answers
        4 disable this stupid option if possible and use a strong password and manager

        Reply
  2. how about the same answer for all security questions..ie joe that way you really don’t have to remember anything well except ‘joe’ of course.

    Reply
  3. The first time I encountered a security question it was one that only lets you choose from a list of like 5 or 6. I got mad because I live in a small town and there are at least a dozen people in my life that could easily answer any of those 5 questions. I know the probability is low for something like that to happen, but hey it’s far more likely that they’ll guess that answer then them guessing my password.

    As for using the same answer on all sites…that’s been my solution and it’s better than trying to use the same password. Once I tried to develop a “financial password” for myself and it was a good one. Letters, numbers, special characters and length. It was good until I tried to use it at more than one site. Most sites have some type of password policy and it’s nearly impossible to use a good, cryptic password on multiple sites. Grrrr.

    Reply
    • OMG… no never reuse a password.
      That was so 2000.
      If you use the same “Super-duper great” password on multiple sites, all you need is one to get hacked and the rest are now compromised.
      And the hackers will likely get through testing all you sites long before you get to change all your passwords.
      You are effectively lowering your level of security to the level of the weakest site.
      And if that is also you primary e-mail well just say goodbye to your life.

      Reply
  4. Most sites have a similar list, so I have a standard nonsense answer for “maiden name”, “favorite pet” and so forth, none of which are based in reality. Nothing beats my cheat sheet, though – every time I generate a password or answer, I put it in a handwritten file in a safe place.

    And vivek, your yahoomail password is “I’m asking this in the wrong place”.

    Reply
  5. “The single biggest failure? Forgetting the answers. – By far. – This surprises me too”

    Why does it surprise you? I think you’re missing the point. I don’t forget the answer because I entered a nonsense answer, but because the question was a nonsense question – one that simply doesn’t have a unique or memorable answer for me.

    Favourite pet? Didn’t have one. First teacher? Can’t remember. Favourite movie? I have lots, but in a few weeks time I’m not going to remember which particular one I chose as my favourite today.

    Unless there is an opportunity to define your own question, the system is deeply flawed.

    My surprise comes from the fact that it’s so important, and people apparently don’t understand just how important it is or they would pick something that they would make absolutely sure they could remember – regardless of whether it made sense or not.

    Leo
    24-Nov-2010

    Reply
  6. You could follow Dogbert’s technical advice about passwords.
    Client: “Help. When I type my password, the computer replaces whatever I type with asterisks”
    Dogbert: “Then change your password to all asterisks”

    Reply
  7. I store all my passwords and secret questions in an encrypted file on my computer with a backup in Dropbox. The only password I need to remember is the one to open TrueCrypt, and that is one that would be nonsense to everyone but myself, and one that I will never forget.

    Reply
  8. As one reader pointed out, there are others who would know the answer to at least some of your security questions. For this reason, I always answer the questions incorrectly, but I always remember the answers I gave.
    For example, if asked for my mother’s maiden name, I answer instead my grandmother’s maiden name. There are others who would know this, too, but what they don’t know is that I answered it incorrectly.

    Reply
  9. One the biggest things I have about these questions is that most of the information that these questions ask about is things that my close friends know about me. That is fine so long as these people are my true friends. This can become a great liability if one of these friends becomes something else, such as spouse to ex-spouse. Now, with his/her intimate knowledge of you and your family can be used to get access to places you no longer want to let the person get access to (“Now, what did they call his/her grandfather? Oh, yeah, Mr. Graveson! Ok, Mother’s maiden name is…”). Changing your password to keep them out does not prevent them access when they can just access these stupid questions, added in the name of security, which actually open your account to abuse, and in many cases there is nothing you can do about it, but lie, which makes it harder to remember and for many is unethical.

    Reply
  10. I am amazed that people are still commenting that the questions do not have an answer for the (first pet) or are all things that their friends know. They missed the obvious comment in the article “there’s nothing that says your answer has to make sense”.

    It doesn’t have to make as much sense as “Evelyn Treacher” for first pet. (google her name and pet), a “pet” name for another person, or ANYTHING that you can remember.

    Reply
  11. @ausGeoff

    You give a great suggestion which Leo mentions in the article. I agree and it’s something I’ve been doing. I have one nonsense answer to all security questions. The problem is, I’ve been on the Internet for over 10 years now and I’ve answered dozens of security questions. Typicaly, I choose what my favorite movie is and you can bet if I ever set up a Facebook account, I won’t be posting any of my “favorite” things there…but I digress. My problem now is, when I’m asked to answer my security question I don’t remember if I used the real answer or the nonsense answer. With only 3 guesses available on most sites, that gets a little frustrating. Fortunately, I don’t see it that much but when I do see it, I find myself getting frustrated with the whole process.

    In my opinion, no solution is flawless. For example, if this hasn’t happened yet, it will. A site will require us to answer 2 or 3 questions (some already do that) and if you put the same answer in, it will deny us and say, “two answers can’t be identical”. The day that happens to me, I’m going to contact that webmaster and he’ll get an earful.

    Reply
  12. Some sites use the security questions as one of the options for password recovery. The other options I’ve seen are alternative email address, or cellphone number. Hopefully a person who gains access to one of your email accounts wouldn’t gain access to all, unless you use the same password for all. Therefore if you can successfully ask for a password re-set to be sent to your alternative email address, you won’t be prompted to answer your secret questions.

    Reply
  13. everytime i try to log in they keep asking me for my password , when i put it regect,how can i make it work ?

    If it’s rejecting your password, then your password is wrong. Perhaps your account has been hacked into and the password changed.

    Leo
    27-Dec-2011
    Reply
  14. I have “Safe Notes” on my phone to keep track of a lot of notes for things like this. My wife has the password to it, in case she ever has to see them.

    Reply
  15. After forgetting my answers to security questions, I finally came up with this trick:

    My answers to the security question is the last word of the question spelled with either the first or the last letter in upper case.

    For example if the question is :

    What is your favorite meal?
    Ans. Meal or meaL

    What is your first dog’s name?
    Ans. Name or namE

    I don’t think the machine has the AI capability of checking whether the answers are meaningful or not, am I right Leo?

    Reply
    • As the article explicitly states all the machine cares about is that you give the same answer later. I have ot admit, yours seem fairly simply, and possibly prone to being hacked by a human, though, if they were motivated.

      Reply
  16. To Armando G Dias: One problem with your idea is that the answers may not be be case sensitive. Therefore Meal, meaL may be the same to the site.

    Reply
    • I hope you meant something like LadyGaga and not literally LadyGaga otherwise, you’ve just told millions of people the answer to your secret questions :-) .

      Reply
  17. The best strategy I’ve found is to pick a friend and answer how they would. This way (1) the answers aren’t true in regards to you, which makes the answer a lot more difficult to guess because there are infinite wrong answers and (2) makes it easy for you to remember.
    Mother’s maiden name: Friends last name
    Old address: Their address
    Pet’s name: Their pet
    etc. etc.
    This stops someone from googling the answers, which is a big step up and it makes it harder even for someone who knows you.

    Reply
    • @ Helpful Tip

      I still think using a ‘Pets name’ etc of say a friend might still be possible for someone to guess. so if someone has a account of higher importance I would avoid doing that personally.

      the most secure option is just to have a password manager generate a long random bunch of characters (preferably 20+ characters) and just store that info in the password manager accordingly. because doing this, there is simply no way someone is going to guess that and you don’t have to worry about forgetting it either since it’s stored in the password managers database file. just make sure to have multiple backup copies of the password managers database file in case the main device your using dies out of no where you can still easily restore the password managers database file onto another device and proceed to use like normal. because you definitely don’t want to lose that file.

      I figure if one is going to slack-off a bit and does not want to use a password manager, one could write down some half way decent answers to those questions on a piece of paper and store it in a secure location. like for example, for ‘Pets name’ one could answer something like “!DogNameHere!!DogNameHere!” (without the “) (or variations of stuff like that, like… “DogsNameHereDogsNameHere@!@DogsNameHere”) as that gives you a bit of padding and won’t be too easy for someone to guess either and would not be too difficult to remember/type. because even if a person used a their own pets name for the answer, at least using a little padding and listing the name twice for example will give you some level of protection from someone guessing your security questions.

      or if you still insist on the method you use, I would at least add in a bit of padding to it. so if someone is trying to enter simple names in a attempt to hack your account, they will likely fail. for example, you said “Mother’s maiden name: Friends last name”. but instead try something like… “Mother’s maiden name: FriendsLastName$$_$$” as that way you should get a decent improvement in security for minimal effort on your part as just putting in a name still seems a bit so-so if you ask me in terms of security. but with this, unless you can remember your padding scheme, it will be best to write it down on paper somewhere and store it in a secure location should you ever forget it.

      Reply
      • That padding is a good idea. Of course, more complex answers would be more secure but adding even one padding character or duplicating the name would confound almost all attempts to guess. for example FidoFido or *fido but to be extra secure, your idea is something I’ll do. For example fido”fido. I hope hackers don’t read your comment.

        Reply
        • Yeah, I figure with humans being humans, once something goes beyond a certain level of effort to achieve, people tend to take the easier way out. but I figure if someone is going to slack off a bit, which many will, at least try to come up with a decent padding scheme that you can pretty much remember but won’t be too easy for someone else to guess along with a decent answer I would imagine would make someones security ‘good enough’, especially if their password itself is half way decent and nothing too easy like 123456 or 1qaz2wsx and the like. hell, I suspect one could do alterations to security questions like ‘mothers maiden name’ like add a bit of padding but instead of saying MothersMaidenName, one could do something like MMmothersMaidenNameee along with their padding scheme as in general they say the longer the better. but I imagine once someone reaches a certain length their password becomes secure enough.

          because while stuff like Diceware (i.e. https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt ; six words seems to be the recommended minimum which is basically about the equivalent in entropy to 12 random characters… 77.5bits vs 78.7bits) and using dice to generate random 20+ character passwords using theworld.com/~reinhold/dicewarefaq.html under the “How do I use dice to create random character strings?” section is top notch, since there is a fair effort required, since one has to physically roll dice etc, I suspect many will opt for a easy way out which will lower security. but I figure the standard Diceware passphrase is more practical since it’s easier to type/remember and one can always use their password manager to generate really long passwords (i.e. say 20+ characters). but if for whatever reason someone does not trust the randomness of their password manager to generate say 20+ character passwords, one could always opt for that site I linked to above which with three dice one can roll those pretty much 20 times to get a 20 character random password using all keys on the keyboard as even if one omits the ‘spacebar’ (which brings it down from 95 characters to 94 possible characters) it has minimal effect on password security.

          for the record… I got the idea for padding from basically grc.com/haystack.htm (about half way down the page towards the end of it “How can I apply this to my daily life?”) and then one can tweak things to their liking. How can I apply this to my daily life?

          but with all of that said… it seems like as long as someones password/passphrase/security questions are not TOO weak, chances are they will be okay as, from what I hear, for the common person, those hacker types tend to go for the ‘low hanging fruit’ as they say with minimal effort on their part. so knowing this, as long as someone comes up with a half way decent way to pad their passwords (and the like) chances are their security will be at least a bit above the ‘low hanging fruit’ range and might keep them secure enough. but still, for those can’t afford to fall into the wrong hands kind of accounts online people should not slack off with those and use a password manager or Diceware and the like etc.

          you said, “for example FidoFido or *fido but to be extra secure, your idea is something I’ll do. For example fido”fido. I hope hackers don’t read your comment.”

          even with this stuff I would get a little more complex (I would likely avoid just the simple answer listed twice and would want at least a fair amount of padding in it before I would start to feel a little more confident it won’t be hacked) as the more stuff you add to it, the less likely someone would be to guess and security would increase basically. like… “fido,fido!!@!!fidoooooooo” (without the ” (although one could use the ” if they want)).

          another thing comes to mind… I would avoid using the same padding scheme for multiple accounts because say one became compromised, it’s possible they could use the basic padding scheme wrapped around easier to guess passwords etc.

          or to keep things more practical…. come up with a decent password with some fairly long padding for ones master password to a password manager and then let the password manager do the rest with the login/password info along with any possible ‘security questions’ etc as this way the password manager will give you long complex stuff that will be nice and secure and you don’t have to remember. because I figure with a half way decent password that someone is not likely to guess, call it something like 10-20 characters in length but add on quite a bit of padding, which is not too difficult to remember(as one can always write it down somewhere if they need to), one can stretch that decent password(I would suggest at least one upper case letter, lower case letter, a number and a symbol) of say 10-20 characters in length out to be much more secure with say 30-40-50 characters in length etc as even if someone is trying to brute force, they have no idea how long the password is and if they try shorter length passwords then obviously they will never guess it and being if a person puts in at least one number, symbol, upper and lower case it sort of forces them to try a lot more possible combinations which lowers their chances of guessing it within a reasonable time frame as here is something I read over on that GRC haystack link…

          “The use of every type of character forces the attacker to search through the largest possible space. We must always assume that an attacker is as smart as possible (and most are). So, knowing that 41.69% of all passwords consist of only lowercase alphabetic characters, a smart attacker who is forced to resort to a brute force search won’t initially bother spending time guessing passwords that contain uppercase, digits and symbols. Only after an all lowercase search out to some length has failed will an attacker decide that the unknown target password must contain additional types of characters.

          So, in essence, by deliberately using at least one of each type of character, we are forcing the attacker to search the largest possible password space, because our password won’t ever be found in any of the smaller spaces.”

          Reply
          • Longer passwords are stronger than more random passwords and that applies to recovery question and answers. An ASCII brute force attack will crack a randomized 12-character password quicker than a 20-character password composed of a few unrelated words including the name of the website so you have a different password for each website, and if you begin each word with a capital letter, and substitute 0 (zero) for the letter o, 2 for the word to etc., you’ve got a good password. I don’t do that because I let LastPass take care of passwords, so I get length and complexity.
            This article explains that:
            How Do I Choose a Good Password?

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.