Password recovery questions, more commonly called security questions (or secret questions and answers), are used to verify you as the legitimate owner of an online account when you’ve forgotten your password or are otherwise trying to recover an online account.
Apparently, in filling out your online job application, you created such an account. More commonly, security questions are associated with email, banking, and social media accounts.
I’ll look at how they work, when they’re needed, how they fail, when you can make up your own, and what to do if you can’t.
And perhaps most importantly, why you shouldn’t use them at all, if you have a choice.
How security questions work
The idea is simple: when you create an account, you provide the answer to a question of a personal nature; ideally, a question only you know the answer to. That answer is recorded, and should you ever need to confirm that you are the legitimate account holder, they ask you that question. If your answer matches what you originally entered, you “pass”.
Usually, you’re given a set of stock questions to choose from — things like “What was your mother’s maiden name?”, “What was your favorite childhood pet?”, “What was your high school mascot?” and so on. You choose one, answer it, and that’s the one that will get asked should it be needed in the future.
Some account providers have you answer several questions. When the time comes to use them, they may select one, or they may insist you answer all of them correctly.
When security questions are used
The single most common use for security questions is to recover or reset your password.
The scenario is what you might expect: you forget your password, so you click the “I Forgot My Password” link on the account sign-in page. The service asks you your account recovery questions, and if you get them right, you’re allowed to set a new password.
Some services require additional security measures; perhaps answering those questions correctly triggers a password reset email sent to the email address on record. Perhaps other steps are involved. But answering those questions correctly provides evidence that you are you: you are the person who set up, and therefore owns, the account.
Password recovery is not the only time these questions might be used. They can be used any time a service needs additional verification that you are you. Perhaps a system detects “suspicious behavior”. Maybe you’ve cleared cookies and the website needs to re-verify your identity.
Why security questions fail: reason #1
The single biggest failure related to security questions?
Forgetting the answers.
This used to surprise me. People regularly create accounts and put in nonsense answers to the password recovery questions. Perhaps they’re in a rush and don’t want to take the time. The problem is that when they need to recover their password and can’t answer the questions, they are totally and completely out of luck.
Lesson #1: don’t forget the answers.
Why security questions fail: reason #2
Security questions aren’t as secure as you might think.
We don’t realize how much of our personal information we unintentionally “leak” via social media. Someone can answer our security questions with just a few minutes of research.
It’s not hard to figure out my mother’s maiden name. I’d be surprised if anyone knew the name of my favorite childhood pet, but it’s not hard to figure out what high school I went to, and from that, determine the mascot.
Lesson #2: security questions aren’t very secure. That’s why they’ve fallen out of favor with many online services. If you have a choice, avoid them and use more secure options, like two-factor authentication, alternate email addresses, text-able phone numbers, or recovery codes.
Make your own security question
Normally, you choose from a set of pre-determined questions; it’s rare to be allowed to make up your own.
If you have the option to make up your own question, use it. Make up a question only you can know the answer to — it doesn’t even have to make sense! “What’s the difference between a pencil?”[1] is a great password recovery question, as long as you and only you will always remember that the answer is “Godzilla” (or whatever).
More commonly, people choose questions that make sense and relate to their answers. The important thing is to create a question only you can answer.
Make your own answer
When it comes to security questions, only two things matter:
- Only you know the answer
- You will always know the answer
Nowhere does it say that the answer has to make sense or even be intelligible. All the system checks is that the answer you give is the same as the one you gave when you set it up.
So go ahead and set your mother’s maiden name to something like “Microsoft”[2]. It’s a completely nonsensical answer that no one is likely to recover via research. Just be prepared to remember it when you need it.
The answers don’t have to make sense.
They just have to match.
Security questions as passwords
If you can’t avoid security questions entirely, the next most secure way to use them is to treat them as passwords.
I mean that quite literally. They don’t have to make sense; they just have to match when needed.
Just like a password.
So instead of setting up some kind of nonsensical answer to the question, set it to something completely random, like “K4nRawvDc3vAQtvh7dTz” — a 20-character string just generated by my LastPass password generator.
But then prepare for the day you need it: save it somewhere — perhaps in the notes accompanying the entry for that account in a password vault like LastPass. That way, as random and impossible to remember as it is, you’ll always be able to find it when you need it.
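The two sides of “treat the answer as a password” from above, as an added example that is not from the article: generating a random answer of the kind the article describes, and a service storing and checking that answer the way a password should be stored (salted, slow hash, constant-time compare). Function names, the case/whitespace normalization, and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import string

# Alphabet matching the style of the 20-character generated answer quoted
# in the article (letters and digits only).
ALPHABET = string.ascii_letters + string.digits
ITERATIONS = 200_000  # assumed PBKDF2 work factor


def generate_answer(length: int = 20) -> str:
    """Random answer to use in place of a researchable fact; keep it in a vault."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def normalize(answer: str) -> str:
    # Assumed design choice: fold case and collapse whitespace so a typed
    # answer like "  Godzilla " still matches "godzilla". Harmless for the
    # random answers above, which keep well over 100 bits of entropy.
    return " ".join(answer.casefold().split())


def enroll(answer: str) -> dict:
    """Store only a salted, slow hash of the answer, never the plaintext."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode(), salt, ITERATIONS
    )
    return {"salt": salt, "digest": digest}


def verify(record: dict, answer: str) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    # Constructed demo: a random answer standing in for "mother's maiden name".
    secret = generate_answer()
    stored = enroll(secret)
    print(secret, verify(stored, secret), verify(stored, "Smith"))
```

The random answer defeats the social-media research the article warns about; hashing it on the server limits what leaks if the service’s database is stolen.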
Footnotes & References
[1] A question I was actually asked in a grade school test. I don’t remember the class, but hope it was some kind of creative writing exercise.
[2] OK, don’t set it to Microsoft, since we just used that as an example. Set it to something like Microsoft — equally nonsensical, and something you’ll remember forever.