
How to Choose Good Security Questions

What does it mean when a job application requests a “Password Recovery Question” as well as a “Password Recovery Answer” (in addition to the password)? What should I enter?

Password recovery questions, more commonly called security questions (or secret questions and answers), are used to verify you as the legitimate owner of an online account when you’ve forgotten your password or are otherwise trying to recover an online account.

Apparently, in filling out your online job application, you created such an account. More commonly, security questions are associated with email, banking, and social media accounts.

I’ll look at how they work, when they’re needed, how they fail, when you can make up your own, and what to do if you can’t.

And perhaps most importantly, why you shouldn’t use them at all, if you have a choice.


How security questions work

The idea is simple: when you create an account, you provide the answer to a question of a personal nature; ideally, a question only you know the answer to. That answer is recorded, and should you ever need to confirm that you are the legitimate account holder, they ask you that question. If your answer matches what you originally entered, you “pass”.

Usually, you’re given a set of stock questions to choose from — things like “What was your mother’s maiden name?”, “What was your favorite childhood pet?”, “What was your high school mascot?” and so on. You choose one, answer it, and that’s the one that will get asked should it be needed in the future.

Some account providers have you answer several questions. When the time comes to use them, they may select one, or they may insist you answer all of them correctly.

When security questions are used

The single most common use for security questions is to recover or reset your password.

The scenario is what you might expect: you forget your password, so you click the “I Forgot My Password” link on the account sign-in page. The service asks you your account recovery questions, and if you get them right, you’re allowed to set a new password.

Some services require additional security measures; perhaps answering those questions correctly triggers a password reset email sent to the email address on record. Perhaps other steps are involved. But answering those questions correctly provides evidence that you are you: you are the person who set up, and therefore owns, the account.

Password recovery is not the only time these questions might be used. They can be used any time a service needs additional verification that you are you. Perhaps a system detects “suspicious behavior”. Maybe you’ve cleared cookies and the website needs to re-verify your identity.

Why security questions fail: reason #1

The single biggest failure related to security questions?

Forgetting the answers.

This used to surprise me. People regularly create accounts and put in nonsense answers to the password recovery questions. Perhaps they’re in a rush and don’t want to take the time. The problem is that when they need to recover their password and can’t answer the questions, they are completely out of luck.

Lesson #1: don’t forget the answers.

Why security questions fail: reason #2

Security questions aren’t as secure as you might think.

We don’t realize how much of our personal information we unintentionally “leak” via social media. Someone can answer our security questions with just a few minutes of research.

It’s not hard to figure out my mother’s maiden name. I’d be surprised if anyone knew the name of my favorite childhood pet, but it’s not hard to figure out what high school I went to, and from that, determine the mascot.

Lesson #2: security questions aren’t very secure. That’s why they’ve fallen out of favor with many online services. If you have a choice, avoid them and use more secure options, like two-factor authentication, alternate email addresses, text-able phone numbers, or recovery codes.

Make your own security question

Normally, you choose from a set of pre-determined questions; it’s rare to be allowed to make up your own.

If you have the option to make up your own question, use it. Make up a question only you can know the answer to — it doesn’t even have to make sense! “What’s the difference between a pencil?”1 is a great password recovery question, as long as you and only you will always remember that the answer is “Godzilla” (or whatever).

More commonly, people choose questions that make sense and relate to their answers. The important thing is to create a question only you can answer.

Make your own answer

When it comes to security questions, only two things matter:

  • Only you know the answer
  • You will always know the answer

That’s it.

Nowhere does it say that the answer has to make sense or even be intelligible. All the system checks is that the answer you give is the same as the one you gave when you set it up.

So go ahead and set your mother’s maiden name to something like “Microsoft”2. It’s a completely nonsensical answer that no one is likely to recover via research. Just be prepared to remember it when you need it.

The answers don’t have to make sense.

They just have to match.

Security questions as passwords

If you can’t avoid security questions completely, the next most secure way to use them is to treat them as passwords.

I mean that quite literally. They don’t have to make sense; they just have to match when needed.

Just like a password.

So instead of setting up some kind of nonsensical answer to the question, set it to something completely random, like “K4nRawvDc3vAQtvh7dTz” — a 20-character string just generated by my LastPass password generator.

But then prepare for the day you need it: save it somewhere — perhaps in the notes accompanying the entry for that account in a password vault like LastPass. That way, as random and impossible to remember as it is, you’ll always be able to find it when you need it.
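The point of the “they just have to match” and “treat them as passwords” sections above is that the service never judges whether an answer makes sense; it only compares what you type later with what you stored at setup. The following is an added example, written for this page and not Ask Leo’s or any provider’s code, of how a service might store and verify security answers on its side: each answer is normalized (lowercased, whitespace collapsed), then salted and hashed the way a password should be, so the stored record does not reveal the answer, and a random 20-character string like the one generated above is accepted exactly like “Godzilla” would be. The normalization rule, the PBKDF2 iteration count, the question strings and the sample answers are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

# Assumption for the example: a PBKDF2-HMAC-SHA256 work factor that keeps the
# demo quick while still being deliberately slow to brute-force.
PBKDF2_ITERATIONS = 200_000


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so trivial typing variations still match.

    Many services compare case-insensitively and ignore stray whitespace, so
    "Godzilla " and "godzilla" are treated as the same answer.  The exact rule
    is an assumption; real services differ.
    """
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split())


def generate_random_answer(nbytes: int = 15) -> str:
    """Return an unguessable answer, meant to be kept in a password vault.

    15 random bytes encode to a 20-character URL-safe string, the same length
    as the example answer in the article.
    """
    return secrets.token_urlsafe(nbytes)


class SecurityQuestionStore:
    """Server-side store of security answers, kept as salted hashes."""

    def __init__(self, iterations: int = PBKDF2_ITERATIONS):
        self._iterations = iterations
        self._records = {}  # question text -> (salt, derived key)

    def _derive(self, answer: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", normalize_answer(answer).encode("utf-8"), salt, self._iterations
        )

    def enroll(self, question: str, answer: str) -> None:
        """Record the answer given at account setup (only its salted hash is kept)."""
        salt = os.urandom(16)
        self._records[question] = (salt, self._derive(answer, salt))

    def check(self, question: str, answer: str) -> bool:
        """True only if the answer matches what was enrolled for that question."""
        record = self._records.get(question)
        if record is None:
            return False
        salt, expected = record
        # Constant-time comparison: the hash tells nothing about the answer,
        # but the comparison itself should not leak how many bytes matched.
        return hmac.compare_digest(self._derive(answer, salt), expected)

    def check_all(self, answers: dict) -> bool:
        """Providers that ask several questions may insist every one is right.

        Every enrolled question is evaluated (no short-circuit) so the response
        time does not reveal which question failed.
        """
        if not self._records:
            return False
        results = [self.check(q, answers.get(q, "")) for q in self._records]
        return all(results)


if __name__ == "__main__":
    store = SecurityQuestionStore()
    # Constructed sample enrollment: a nonsense question with a nonsense answer,
    # and a stock question answered with a random string instead of a real fact.
    store.enroll("What's the difference between a pencil?", "Godzilla")
    random_answer = generate_random_answer()
    store.enroll("What was your mother's maiden name?", random_answer)

    print("typo-tolerant match:", store.check("What's the difference between a pencil?", "godzilla "))
    print("wrong answer:", store.check("What's the difference between a pencil?", "Mothra"))
    print("random answer matches:", store.check("What was your mother's maiden name?", random_answer))
    print("all questions right:", store.check_all({
        "What's the difference between a pencil?": "Godzilla",
        "What was your mother's maiden name?": random_answer,
    }))
```

Two things worth noticing in the design: the stored record is a salt plus a slow hash, so a leaked database of security answers is no easier to reverse than a leaked password database, and nothing in `check` cares whether the answer is a word, a name or twenty random characters. That is exactly why a vault-stored random string is the strongest answer you can give.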


Footnotes

1: A question I was actually asked in a grade school test. I don’t remember the class, but hope it was some kind of creative writing exercise.

2: OK, don’t set it to Microsoft, since we just used that as an example. Set it to something like Microsoft — equally nonsensical, and something you’ll remember forever.

20 comments on “How to Choose Good Security Questions”

  1. I just wish there was some standard. I dislike sites that try to be more secure by asking *ONLY* things like “my favorite book”, “color”, “place to take a vacation”.

    Those are not set things, and if it is a site I only visit on a semi-annual basis or less, there can be real problems for me forgetting both my password AND what my favorite book was a year or two ago.

    For the same reason, I’ve never tried nonsense answers. I wonder, would it be a bad practice if I give the same nonsense answer to EVERY question on EVERY site?

    Reply
    • I certainly would not give the same answer at different sites. I have it made up by LastPass and save it in LastPass (together with the question).

      Reply
  2. How about the same answer for all security questions, i.e. “joe”? That way you really don’t have to remember anything, well, except ‘joe’ of course.

    Reply
  3. The first time I encountered a security question it was one that only lets you choose from a list of like 5 or 6. I got mad because I live in a small town and there are at least a dozen people in my life that could easily answer any of those 5 questions. I know the probability is low for something like that to happen, but hey, it’s far more likely that they’ll guess that answer than them guessing my password.

    As for using the same answer on all sites…that’s been my solution and it’s better than trying to use the same password. Once I tried to develop a “financial password” for myself and it was a good one. Letters, numbers, special characters and length. It was good until I tried to use it at more than one site. Most sites have some type of password policy and it’s nearly impossible to use a good, cryptic password on multiple sites. Grrrr.

    Reply
  4. Most sites have a similar list, so I have a standard nonsense answer for “maiden name”, “favorite pet” and so forth, none of which are based in reality. Nothing beats my cheat sheet, though – every time I generate a password or answer, I put it in a handwritten file in a safe place.

    And vivek, your yahoomail password is “I’m asking this in the wrong place”.

    Reply
  5. “The single biggest failure? Forgetting the answers. – By far. – This surprises me too”

    Why does it surprise you? I think you’re missing the point. I don’t forget the answer because I entered a nonsense answer, but because the question was a nonsense question – one that simply doesn’t have a unique or memorable answer for me.

    Favourite pet? Didn’t have one. First teacher? Can’t remember. Favourite movie? I have lots, but in a few weeks time I’m not going to remember which particular one I chose as my favourite today.

    Unless there is an opportunity to define your own question, the system is deeply flawed.

    My surprise comes from the fact that it’s so important, and people apparently don’t understand just how important it is or they would pick something that they would make absolutely sure they could remember – regardless of whether it made sense or not.

    Leo
    24-Nov-2010

    Reply
  6. You could follow Dogbert’s technical advice about passwords.
    Client: “Help. When I type my password, the computer replaces whatever I type with asterisks”
    Dogbert: “Then change your password to all asterisks”

    Reply
  7. I store all my passwords and secret questions in an encrypted file on my computer with a backup in Dropbox. The only password I need to remember is the one to open TrueCrypt, and that is one that would be nonsense to everyone but myself, and one that I will never forget.

    Reply
  8. As one reader pointed out, there are others who would know the answer to at least some of your security questions. For this reason, I always answer the questions incorrectly, but I always remember the answers I gave.
    For example, if asked for my mother’s maiden name, I answer instead my grandmother’s maiden name. There are others who would know this, too, but what they don’t know is that I answered it incorrectly.

    Reply
  9. One of the biggest things I have about these questions is that most of the information that these questions ask about is things that my close friends know about me. That is fine so long as these people are my true friends. This can become a great liability if one of these friends becomes something else, such as spouse to ex-spouse. Now his/her intimate knowledge of you and your family can be used to get access to places you no longer want to let the person get access to (“Now, what did they call his/her grandfather? Oh, yeah, Mr. Graveson! Ok, Mother’s maiden name is…”). Changing your password to keep them out does not prevent them access when they can just access these stupid questions, added in the name of security, which actually open your account to abuse, and in many cases there is nothing you can do about it but lie, which makes it harder to remember and for many is unethical.

    Reply
  10. I am amazed that people are still commenting that the questions do not have an answer for the (first pet) or are all things that their friends know. They missed the obvious comment in the article “there’s nothing that says your answer has to make sense”.

    It doesn’t have to make as much sense as “Evelyn Treacher” for first pet. (google her name and pet), a “pet” name for another person, or ANYTHING that you can remember.

    Reply
  11. @ausGeoff

    You give a great suggestion which Leo mentions in the article. I agree and it’s something I’ve been doing. I have one nonsense answer to all security questions. The problem is, I’ve been on the Internet for over 10 years now and I’ve answered dozens of security questions. Typically, I choose what my favorite movie is and you can bet if I ever set up a Facebook account, I won’t be posting any of my “favorite” things there…but I digress. My problem now is, when I’m asked to answer my security question I don’t remember if I used the real answer or the nonsense answer. With only 3 guesses available on most sites, that gets a little frustrating. Fortunately, I don’t see it that much but when I do see it, I find myself getting frustrated with the whole process.

    In my opinion, no solution is flawless. For example, if this hasn’t happened yet, it will. A site will require us to answer 2 or 3 questions (some already do that) and if you put the same answer in, it will deny us and say, “two answers can’t be identical”. The day that happens to me, I’m going to contact that webmaster and he’ll get an earful.

    Reply
  12. Some sites use the security questions as one of the options for password recovery. The other options I’ve seen are alternative email address, or cellphone number. Hopefully a person who gains access to one of your email accounts wouldn’t gain access to all, unless you use the same password for all. Therefore if you can successfully ask for a password re-set to be sent to your alternative email address, you won’t be prompted to answer your secret questions.

    Reply
  13. Every time I try to log in they keep asking me for my password; when I put it in, it’s rejected. How can I make it work?

    If it’s rejecting your password, then your password is wrong. Perhaps your account has been hacked into and the password changed.

    Leo
    27-Dec-2011
    Reply
  14. I have “Safe Notes” on my phone to keep track of a lot of notes for things like this. My wife has the password to it, in case she ever has to see them.

    Reply
  15. After forgetting my answers to security questions, I finally came up with this trick:

    My answers to the security question is the last word of the question spelled with either the first or the last letter in upper case.

    For example if the question is :

    What is your favorite meal?
    Ans. Meal or meaL

    What is your first dog’s name?
    Ans. Name or namE

    I don’t think the machine has the AI capability of checking whether the answers are meaningful or not, am I right Leo?

    Reply
    • As the article explicitly states, all the machine cares about is that you give the same answer later. I have to admit, yours seems fairly simple, and possibly prone to being hacked by a human, though, if they were motivated.

      Reply
  16. To Armando G Dias: One problem with your idea is that the answers may not be case sensitive. Therefore Meal and meaL may be the same to the site.

    Reply
    • I hope you meant something like LadyGaga and not literally LadyGaga otherwise, you’ve just told millions of people the answer to your secret questions 🙂 .

      Reply
