
49 comments on “The Death of the Security Question”

  1. Ever since I read an article on LastPass in 2013, I answer security questions with LastPass Generated passwords. I store them in the comment section of the LastPass entry for that site, unless it is on a separate screen that can save it like a password. I answer these security questions differently for each site, so that the same question doesn’t lead to the same answer. The exception is if my wife and I have separate accounts at the same place (e.g. bank). I’ll use the same answers for the security question, which I consider secure since our user names and actual passwords are different. I also feel comfortable answering all the security questions with the same LastPass generated password if they will allow it, knowing that no one will guess it, and my main password is a different LastPass password. While it means I do have to look up the security question answer in the LastPass comment, rarely do these precautions slow me down (unlike 2nd factor authentication which does slow me down). Since LastPass allows local login, I can retrieve my security question answers anywhere in the world off of my phone. I don’t have texting on my phone, so my alternate E-mail is always another E-mail account that I can usually get to. Here’s the LastPass article: https://blog.lastpass.com/2013/06/your-answers-to-security-questions-should-be-random-too.html/ on answering security questions using LastPass.

    So just checked my Outlook account and it does go to my gmail account for security codes; not texting.

    • I did this once in frustration for a site that just wouldn’t let me create a user name and password without finding something wrong with it. I would think this would be as secure as anything. It would be a real problem if you are ever separated from your password manager.

      • Actually as long as you know your LastPass credentials, you are never away from your password manager. I can log on to LastPass on any computer in the world and use their web interface to access my passwords.

  2. And if you plan on traveling out of the country, make sure you use a few email addresses and that at least one of those recovery addresses doesn’t require a recovery email to access it internationally.

  3. A few years ago Sarah Palin’s email account was hacked, because she used recovery questions whose answers eventually became public information.

  4. I remember reading about a hacking/social engineering challenge in which a guy – an IT security guy, actually – was told that, at some point during the next 3 months, somebody would attempt to obtain the information necessary to steal his identity. And, yes, even though he knew it was coming, he was still caught out.

    The hacker/social engineer turned out to be a pretty young lady who sat next to him in a coffee shop. The first thing she did was ask him to watch her laptop and backpack while she went to the bathroom. A while later, he then did the same thing and asked her to watch his laptop and backpack while he went to the bathroom. As soon as he’d left the table, she pulled his wallet from his backpack and used her phone to snap photos of his bank cards, drivers license, etc., etc. Then, after he’d returned, a friendly 10-minute chat was sufficient for her to be able to elicit the names and ages of his kids, the name of their pets, etc., etc. – pretty much everything she needed to be able to answer likely security questions.

    She ended up with enough information to be able to access his online accounts – including his bank accounts – calculate his social security number and, basically, take over his identity.

    Interestingly, when asked why he’d left his laptop and backpack with her, he said it wasn’t because he trusted her; rather, it was because he felt too embarrassed to pack it up after she’d trusted him.

    • I only have to ask *one* question: Why was he so stupid as to leave his *wallet* in a backpack??

      If I offend, oh, well, but this habit is not a habit, it’s idiocy and being completely stupid, as well!

      Just my $0.02.

      • I think the takeaways are that anybody can make a dumb mistake and the fact that we behave predictably – or unpredictably when faced with an unusual situation – can be used against us. If somebody seems to trust us, we don’t want to appear rude by not trusting them – and that’s maybe especially true if you bring in other factors (such as attraction). It’s a predictable behaviour. Similarly, pickpockets supposedly often work in the vicinity of BEWARE OF PICKPOCKETS! signs. People see the sign and check that their wallet is still in their pocket – which, of course, shows the pickpocket which pocket it’s in. Again, it’s a matter of our predictable behaviour being used against us.

        • Howdy Ray!

          Sorry, but I think that you might have misunderstood me. I was not talking about a predictable or unpredictable situation. Nor was it about “trust.” (Though I do agree with your explanations.) My question/comment was about how stupid it is to have a *wallet* in any place other than a pocket/purse. It’s like someone decided to write down all their passwords on paper, then leave it sitting open on their desk instead of a pocket/locked cabinet/other very secure place, then whine about how it was stolen/copied while they went to the restroom – stupid, in my opinion. “Why be so stupid with their wallet?” is the question.

          Again, just my $0.02 worth.

          • “My question/comment was about how stupid it is to have a *wallet* in any place other than a pocket/purse.” – Actually, I usually keep mine in a backpack (which is never left unattended, of course!). Unless I decide to start wearing roomier pants or invest in a man-bag/purse, it’s the only comfortable option!

            “It’s like someone decided to write down all their passwords on paper, then leave it sitting open on their desk.” – People do that all the time. I once visited an office that enforced password complexity, age and history rules. Basically, the staff had to come up with a new and complex password once every month that was dissimilar to previously used passwords, a minimum of 16 characters in length and which didn’t contain any part of their account or display name. Pretty much every desk had a post-it note stuck somewhere.

  5. Although I have a gmail account, I don’t use it as my main email. I use one that while I do have to pay for it, the fee is quite nominal, about $8.00 a year. I never have any problems with getting onto my account, other than having to log into it if I’m on a different computer, and then I always open a private window so that my information is deleted once I’m done. My answers to any security questions have always been similar to what Leo said about my mother’s maiden name. The key to those questions is that it always has to be something that you will remember.

  6. Do you have any articles aimed squarely at the dangers of those “which hobbit are you” type posts? I have several friends who could use a smack upside the head on this one. I’m not sure they’d “get it” based on this article alone.

    Thanks.

    • This article hits the subject pretty squarely. It covers much more, of course, but everything you need to know about the subject of Facebook quizzes is included here.

    • “Do you have any articles aimed squarely at the dangers of those “which hobbit are you” type posts?” – I think “dangers” is probably too strong a word. While FB quizzes/games may be inane and irritating, they’re not really dangerous – and they’re certainly not being used as a mechanism to mine the answers to security questions. Look at it this way: if the developer of “Which Game of Thrones Character are You?” happens to discover your mother’s maiden name…so what? Knowing that her maiden name was Wigglesthorpe or Shufflebottom or whatever does them no good whatsoever unless they also know the name of your bank, what your card number is *and* have access to your email account.

      The majority of these quizzes/games are completely harmless and simply enable the developers to make money via embedded ads – really no different to the ads you see on AskLeo! or on any other website. Some of the games/quizzes do, however, collect personal information and use it in a way that some people may not be comfortable with, for example:

      http://www.nytimes.com/2009/03/26/technology/internet/26privacy.html?_r=2&em

      • The danger lies in the permissions those games require. Playing the game may be harmless (although some might not be), but when you complete the quiz, they offer you the opportunity to post the results on Facebook. Often they ask for more permissions than are needed to simply post the results, and they get access to your entire friends list and other things they can data mine.

        • “I think the people who originate these quizzes do it for the express purpose of gathering security answer questions.” – I don’t mean to sound disrespectful, but that’s really quite an absurd claim to make. Do you have a single shred of evidence to support that it’s actually happening?

          Why on earth would the developers of “Which Muppet are You” want to know the maiden name of Henry Hoosierdaddy’s mother? What good would it do them? There is absolutely nothing that can be done with the information unless they also 1) know which bank Henry uses; *and* 2) know his bank card number; *and* 3) have access to the account/device to which a password reset link would be sent. Plus, of course, even if each of those boxes were to be checked, it still relies on Henry having answered the quiz questions accurately.

          As I said, these quizzes are very often designed to make money for the developers – but that money is made from ads and/or (possibly) selling the statistical/demographic information that’s collected. It’s *not* made by harvesting the answers to security questions and then tracking down and hacking peoples’ bank accounts.

  7. As Leo noted, security questions simply want a character string match; orange for your mother’s maiden name works just fine. These are another opportunity to use strong password guidelines regardless of the question. When challenged, most folks can remember their answers – assumed true and accurate – to questions like “mother’s maiden name” or “favorite book.” But when ‘BlueQuarkWaterQixxlyDogma’ matches the character string for the name of your first pet, you’re good to go. Granted, you must have a method to remember all your various answers, but until some hack-proof system is in place I don’t mind the added complication.

    • You may not mind the extra hassle a nonsensical security question answer entails, but this second factor is being imposed for exceptional logins or exceptional actions in response to people having their accounts hacked. Articles are still coming out about people using 12345678 as their password. You may not feel people should be protected against themselves, but a large number of hacked accounts could severely hurt a website’s reputation. These websites are caught between a rock and a hard place.

  8. Back when FB first came out, I started the process of setting up an account and I stopped when it asked me, “OK, tell us about yourself, what’s your favorite movie?” and I gasped! I thought, “I just answered that question as a security measure on another website!” I actually thought this new Facebook thingy was a scam and they were trying to trick me! :P

    What’s strange is that many, many users still have those things posted on their FB pages, like favorite movies, books, music, etc. My real friends already know this about me. I’ve chosen not to list those facts for public consumption.

  9. “A best practice for security questions and answers, by the way, is to have answers that have no relationship to the question.” – Interestingly, research by Google found that this approach may not enhance security at all: “A user survey we conducted revealed that a significant fraction of users (37%) who admitted to providing fake answers did so in an attempt to make them “harder to guess” although on aggregate this behavior had the opposite effect as people “harden” their answers in a predictable way.”

    http://research.google.com/pubs/pub43783.html

  10. When I answer those questions I treat it like a password. “What was your mother’s maiden name?”
    Answer…. G567h3c. If you use an actual word, like Leo has pointed out before, there are programs that can figure out the word.
    Of course it has to be written down to remember it. But I don’t check my emails anywhere but home anyway.

  11. Gmail stopped allowing Windows Live Mail on Windows 10 to pick up my Gmail. I eventually changed my setting on Google to allow insecure apps. Now Windows Live Mail picks up my Gmail account.
    How great a risk is this to my security?

    I hope this is not too far off topic. I do appreciate what I am seeing on Ask Leo

  12. Hi Leo. Regarding passwords, the advice is “never write your password down and leave it next to your PC”. I think a better solution is “never write your actual password down and ….” I suggest people write down some word or sequence of characters that helps them remember their actual password; what they write only has meaning to them. If I wrote “my password is IOWA” or “my password is 17 v’s”, that would have some meaning to me and I bet you would not be able to guess my password based on what I wrote down. Every time I change my actual password I write down a different phrase so I actually do not follow the same scheme. Any thought on this approach?

    • So long as it enables you to remember complex passwords/phrases, it’s a great strategy.

      I actually use a single strong password/phrase for all logins – $tupidOldRay99, say – but then modify it slightly by prefixing with the first two letters of the name on the site on which it’s to be used. So, for example, my password for Amazon would be AM$tupidOldRay73 and for Gmail it’d be GM$tupidOldRay99.

      In theory, somebody with access to a number of my passwords could probably work out the pattern, but, realistically, it’s probably as secure as any other methodology.

  13. Leo, your answers are good…..from an individual that’s been in IT for 31 years. In fact as an example of this, when asked “What is your Mother’s maiden name?” I answer something no one could possibly guess. And you suggest the same thing. Thank you for your great advice to everyone!

  14. I don’t understand why people list security questions honestly. It’s not a test! I use replies like “Lady Gaga” or “Sam Spade.” They don’t have to be real.

  15. Just today I was helping a guy at work. Our IT department has launched a self-managing password system to reset your mainframe account if you lock yourself out, and yes, they use security questions. I was showing him how to set up his security questions. The questions are predefined. You pick X number of questions from a list of Y possible questions. This guy was having a hard time picking questions because his father didn’t have a middle name, his first phone number including area code was before we used area codes, and the questions that required city name answers all had the same answer, and the system didn’t like him using the same answer on multiple questions. I suggested he just make up answers, but he was afraid he wouldn’t be able to remember the fake answer when the time came to answer the question.

  16. While security questions do represent a weakness, it’s a relatively minor weakness, IMO. Security questions nowadays are only really used to authenticate password reset requests, with the reset links being then sent via email or text. Consequently, so long as the accounts/devices to which the reset links are sent are properly secured – in other words, protected by a strong password – it doesn’t matter too much whether or not somebody knows or can guess the answer to a security question.

    • That’s kind of my point – systems are moving away from security questions. They’re rarely used – as you say only in account recovery. Even then many systems no longer use them at all. I believe that’s because they were not secure enough in practice.

      • I’m sure you’re right. In fact, all current mainstream forms of authentication are very problematic. I suspect that biometric authentication will be the eventual solution.

  17. When I go abroad, I always keep my mobile phone numbers active. Anyone can still reach me by sms including my bank and email service providers.

  18. Leo:

    You started out well when you described how the only reason you are using Hotmail in a far away place is because you do not have access to your mobile, your computer with POP/IMAP mail etc. Then you miss the point entirely by praising Microsoft for putting these convoluted procedures in place that defeat the whole aim of an internet based email account; that is, for basic communication when you cannot use your normal accounts. Hotmail is essentially useless now so I do not bother with it anymore, but thankfully Yahoo and GMail are for the time being still usable in that role.

    • Hotmail was actually useless *before* because it was so often hacked. Ask Leo! used to be swarmed, daily, by questions (and mean comments) from people whose accounts were hacked. Not only did they lose everything, but their reputations were often harmed by the activities of the hackers, and everyone in their contact list was mercilessly spammed. Those complaints are pretty much gone now. So you choose: previously if a person did not set up their security and recovery options correctly they were hacked. Today if a person does not set up their security and recovery options correctly they are inconvenienced while traveling. Either way, the responsibility is on each account user to set up their account properly.

  19. “A best practice for security questions and answers, by the way, is to have answers that have no relationship to the question. Your mother’s first name may be “Orange” and that is completely nonsensical but they don’t care as long as you can provide the right answer to that question if it gets asked to you in the future.”

    I don’t like this suggestion because it is easier to remember the truth rather than a “creative” answer. My memory certainly isn’t getting any better with age.

    • “I don’t like this suggestion” – Nor do I, for a number of reasons: 1) It isn’t necessarily more secure (see the link I posted previously); 2) security questions are simply used to send password reset emails so, unless somebody also has access to your device/email account, it really doesn’t matter whether or not they know the answers to the questions; and 3) perhaps most importantly, you could find yourself unable to regain access to an account if you forget both the password and the fake answer to the security question.

    • I don’t have to remember my fake answers – I store them in my password manager.

      Ray Smith: Security questions aren’t always just for sending password reset emails – and I am much less bothered by the ones that do use them this way. I always use a random password as my answer, because some web sites still use these answers to allow direct access to your accounts, which I consider to be an inexcusable security risk.

          • That problem for LastPass wasn’t really a problem if one had a very secure master password, which I have. I did not change any passwords after that hack.

            Like the other poster said, I’m not trying to eliminate risk. I’m just trying to reduce it while being convenient for me to be productive. And I do think that putting security questions in LastPass is much less risky than making up things that I may not remember.

          • @Samir To be clear, I’m not knocking LastPass. It’s a solid product that works well and the company’s response to that security incident was excellent. I’m simply making the point that no software is 100% safe and secure.

            The question here, however, is not whether you should store fake answers to security questions in a password manager; it’s whether using fake answers instead of real answers makes you more secure. And I don’t think it does. Let’s pretend you’re a bad guy and learn that my mother’s name was Cholmondeley-Bennett and that my first pet was called Genghis. In fact, let’s pretend that you also learn my home address and that I bank with Credit Suisse. Where does that information get you? The answer is nowhere. There’s absolutely nothing you can do with it.

            Using fake answers doesn’t make you more secure; it simply makes it more likely that you’ll encounter account-access problems.

        • Of course – but that is a different topic altogether. I do believe that the risk of using a password manager is less – and more manageable – than the risk of not using one. Nothing is 100%, you just try to stay informed and do the best you can. Thank you for the link.

          • “I do believe that the risk of using a password manager is less – and more manageable – than the risk of not using one.” – Maybe, maybe not. I’m presently able to remember complex passwords quite easily and, obviously, this is the most secure option. However, should my aging brain shrink to the point that I’m no longer able to remember complex passwords, then I’ll either have to stop using complex passwords or start using a password manager – and the password manager would obviously be the more secure option.

            Security is all about establishing which mechanisms enable you to best manage risk. And that’s not going to be the same for everybody.
