How to Choose and Answer Security Questions

To help you keep your online accounts safe, most web and cloud services have you answer a number of security questions: a few things you know and can remember, such as your first pet's name or your mother's maiden name, so you can prove your identity and regain access to your account if you forget or lose your password.

Yet these security questions are often too simple, and the answers you give may be things that anyone can discover far too easily with a web search or on social media. You may tweet a photo of your first dog and mention that his name was Rex. You may post on Facebook that you ran into your second-grade teacher, Mrs. Harrison. And your mother's maiden name may be recorded in so many places that anyone who breaks into a large database of user information could find it.

Fortunately, there are ways around this. This post explains which security questions to choose and how to answer them so that no one else can work out the answers.
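The checks below are an added example written for this page, not code from the Mac Security Blog or from the article it links to. It assumes three sample questions and a constructed set of "public facts" (Rex, Harrison, Smith) standing in for what a search of the user's social-media footprint would turn up. It shows why a true answer fails, why merely stuffing extra letters into a true answer (as in "Snnnufffles") is weak against someone who knows both the real answer and the trick, and how to generate a random answer that is unrelated to the user's life, which is the kind of answer that only makes sense if it is kept in a password manager alongside the question text.

```python
"""Added example: testing and generating security-question answers."""
import hmac
import math
import re
import secrets
import string

# Constructed sample: facts an attacker could learn about the user from a web
# search or social media. None of these may appear in a security answer.
PUBLIC_FACTS = {"Rex", "Harrison", "Smith"}

# Constructed sample of the kind of questions most services offer.
QUESTIONS = [
    "What was the name of your first pet?",
    "Who was your second-grade teacher?",
    "What is your mother's maiden name?",
]

ALPHABET = string.ascii_letters + string.digits


def _collapse(text):
    """Lower-case and squeeze repeated letters, so 'Snnnufffles' -> 'snufles'.

    An attacker who knows the real answer and knows the letter-stuffing trick
    can do the same, which is why stuffing adds little real protection.
    """
    return re.sub(r"(.)\1+", r"\1", text.casefold())


def is_guessable(answer, public_facts=PUBLIC_FACTS):
    """True if any publicly known fact survives inside the answer, even when the
    answer has been padded with repeated letters."""
    squeezed = _collapse(answer)
    return any(_collapse(fact) in squeezed for fact in public_facts)


def entropy_bits(length, alphabet=ALPHABET):
    """Guessing entropy of a uniformly random string over the given alphabet.
    A real answer like 'Rex' is worth far less than its length suggests,
    because it is drawn from a tiny, public set rather than at random."""
    return length * math.log2(len(alphabet))


def random_answer(length=20, alphabet=ALPHABET):
    """Uniformly random answer from the OS CSPRNG (secrets, not random).
    Retried in the astronomically unlikely case it contains a public fact."""
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not is_guessable(candidate):
            return candidate


def build_vault_entry(site, questions=QUESTIONS, length=20):
    """Question -> answer map to paste into the password manager's notes for
    `site`. The question text is stored too: with random answers it is the
    only way to know which answer belongs to which prompt."""
    return {"site": site, "answers": {q: random_answer(length) for q in questions}}


def answer_matches(stored, given):
    """How a verifier should compare: trim whitespace only (no case-folding,
    since the answer is a random secret rather than a name) and compare in
    constant time. A real service would hash the stored answer as it hashes
    passwords; that step is omitted here."""
    return hmac.compare_digest(stored.strip().encode(), given.strip().encode())


if __name__ == "__main__":
    for probe in ("Rex", "Snnnufffles", "Mazzzzda", random_answer()):
        print(f"{probe!r}: guessable={is_guessable(probe, PUBLIC_FACTS | {'Snuffles', 'Mazda'})}")
    print(f"20 random alphanumerics ~ {entropy_bits(20):.1f} bits")
    for question, answer in build_vault_entry("example.com")["answers"].items():
        print(f"{question} -> {answer}")
```

The entropy figure is an upper bound for the random answer only; a true answer such as a pet's name is chosen from a small public set and gets nothing like that many bits however long it is.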

Read the rest of the article on the Mac Security Blog.

2 thoughts on “How to Choose and Answer Security Questions”

  1. I largely agree with the end of your article, Kirk, but I see things differently in the first two thirds. I think the whole security question system is based on a fantasy and a fallacy. You mention that the standard security questions are designed to be _memorable_, but the memorability works only in very narrow confines, and most of the questions are the antithesis of memorable, on a longer time scale. There are very few among the standard questions that are memorable over a lifetime, or even the life of an average Internet account. Asking a 60-year-old about their favorite elementary school teacher may or may not ring a bell, but first movie and first airplane flight destination are unlikely to be remembered by anyone of any age, after they have seen a few hundred movies and taken dozens of flights. The first thing I learned to cook? Unless we are talking about mud pies at the age of three, I haven’t the ghost of a clue. For younger people, asking a favorite song or music group may be clear for six months at a time (when all their friends will know the answer, too), but how many remember what their favorite song was five years ago? In the Internet age, many of us don’t have “favorite” anythings, preferring variety and constant discovery over repetition. The standard security questions are likely to stay in the human’s memory for a very short time, while their utility putrefies in the online databases, so they serve mostly to lock people out of their own accounts. This requires a lengthy account reset, during which the security questions slow or abort the process, rather than aiding it. Frequently forgotten security questions are not only inconvenient, but a major security risk, since the option of resetting everything opens large opportunities to people trying to hack the account. I don’t know why companies insist that THEY should pick the security questions, but they are doing a bad job. The system works poorly, on both the security and customer support sides.

    Your suggestions of adding a few extra letters to an answer, such as “Snnnufffles” and “Mazzzzda”, are likely to add to the problem. In three years, are you going to remember whether you added three “z’s” or four? Whether you doubled/tripled the letter ‘n’ or the letter ‘u’? I’m not. Nor am I likely to remember the way that I chose to lie on these questions. Answers like this increase security, but they decrease memorability. I’ve got dozens of online accounts, so keeping clever systems of tricking the security question system is a loser’s game.

    The best answer, as you say, is to use a password manager. It’s annoying to have to type in both the questions and the answers for each site, but it’s the only way that works, long term. I hope the security industry recognizes that their approach to security questions is hopelessly broken, and needs to be replaced.

