Security questions are a common way to regain access to an online account when you have forgotten or lost the password or username. Used well, they give you a convenient backup method for restoring access to your account. Weak or easily guessed answers, however, create an avoidable vulnerability in your accounts.
Because weak security questions and answers add another weak point to your account security, choose them with care. When creating or selecting them, and when storing them, apply the same practices you would to an account username and password.
Here are some tips on using strong security questions to keep your accounts safe and under your control.
Typically, the security questions offered to users for resetting a forgotten password should have the following characteristics:
- Memorable -- The user must be able to recall the answer to the question, potentially years after creating their account.
- Consistent -- The answer to the question must not change over time.
- Applicable -- The user must be able to answer the question.
- Confidential -- The answer to the question must be hard for an attacker to obtain.
- Specific -- The question should have one clear, unambiguous answer for the user.
Questions and answers that do not feature these characteristics should be avoided. Here are a few examples of weak security questions, and why they shouldn’t be used:
| Weak Security Questions | What's the issue? |
| --- | --- |
| When is your date of birth? | Can be easy for a stranger to discover. |
| What is your favorite movie, song, etc.? | Likely to change over time. |
| What is your favorite sports team? | Could be easy to guess based on geography or alumni status. |
| What is the make and model of your first car? | Fairly small range of likely answers. |
On the other hand, here are some examples of better security questions that may be harder for an attacker to crack:
| Stronger Security Questions | Why use these instead? |
| --- | --- |
| What is your oldest sibling's middle name? | Typically more difficult for others to research. |
| What was the first concert you attended? | The answer is obscure and not prone to change. |
| In what city or town did your parents meet? | Another obscure answer that may be more difficult for a stranger to figure out. |
A good rule of thumb: if someone can guess the answer to your security question based on your public social media profiles (Facebook, LinkedIn, etc.), avoid using that question and answer.
Security questions can be handy in a pinch, but they are not foolproof. That is why you should add Multi-Factor Authentication (MFA) to your account as a further layer of security on top of security questions.
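The advice above to treat security questions like a username and password applies on the service side as well: answers should be stored hashed and salted, compared in constant time, normalised so a user who typed "Los Angeles" years ago still matches "los angeles" (the Memorable and Specific criteria), and protected by an attempt limit so a small range of likely answers cannot simply be tried one by one. The following Python is an added example written for this page, not code from the original article or any particular product; the in-memory store, the PBKDF2 iteration count, the lockout threshold and the sample enrollment for "alice" are all illustrative assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

# Work factor and lockout threshold are illustrative assumptions, not values
# from the article; tune them for your own deployment.
PBKDF2_ITERATIONS = 100_000
MAX_FAILED_ATTEMPTS = 5


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so that 'Los Angeles ' entered at enrollment still
    matches 'los angeles' typed years later (the Memorable/Specific criteria)."""
    text = unicodedata.normalize("NFKC", answer)
    text = " ".join(text.split())        # trim and collapse whitespace
    return text.casefold()               # case-insensitive match


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash of the normalised answer, exactly as one would
    for a password, so a leaked database does not expose the answers themselves."""
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=32)


class SecurityQuestionStore:
    """In-memory store of hashed answers plus a per-user failure counter
    (assumed design for this example; a real service would persist both)."""

    def __init__(self) -> None:
        self._records: dict = {}    # user -> {question: (salt, digest)}
        self._failures: dict = {}   # user -> consecutive failed verifications
        # Dummy salt/digest so a lookup miss still costs one hash computation,
        # leaving no timing oracle on whether a user or question exists.
        self._dummy_salt = os.urandom(16)
        self._dummy_digest = b"\x00" * 32

    def enroll(self, user: str, question: str, answer: str) -> None:
        salt = os.urandom(16)
        self._records.setdefault(user, {})[question] = (salt, hash_answer(answer, salt))

    def is_locked(self, user: str) -> bool:
        return self._failures.get(user, 0) >= MAX_FAILED_ATTEMPTS

    def verify(self, user: str, question: str, answer: str) -> bool:
        """Check one answer: refuse once the user is locked out, compare in
        constant time, and count failures just as a password login would."""
        if self.is_locked(user):
            return False
        salt, expected = self._records.get(user, {}).get(
            question, (self._dummy_salt, self._dummy_digest))
        ok = hmac.compare_digest(hash_answer(answer, salt), expected)
        if ok:
            self._failures[user] = 0
        else:
            self._failures[user] = self._failures.get(user, 0) + 1
        return ok

    def verify_all(self, user: str, answers: dict) -> bool:
        """Require every enrolled question to be answered correctly before a
        reset proceeds. Every question is checked (no short-circuit) so the
        response does not reveal which individual answer was wrong."""
        questions = self._records.get(user, {})
        if not questions:
            return False
        results = [self.verify(user, q, answers.get(q, "")) for q in questions]
        return all(results)


def demo() -> bool:
    """Constructed sample enrollment and reset attempt; returns True if the
    reset would be allowed."""
    store = SecurityQuestionStore()
    store.enroll("alice", "oldest sibling's middle name", "Marie")
    store.enroll("alice", "city where your parents met", "  Los Angeles ")
    return store.verify_all("alice", {
        "oldest sibling's middle name": "marie",
        "city where your parents met": "los angeles",
    })


if __name__ == "__main__":
    print("reset allowed:", demo())
```

The normalisation step is deliberately conservative (Unicode NFKC, whitespace collapse, case folding) so that memorable answers survive minor retyping without widening the set of accepted strings much; the lockout and the all-questions-or-nothing rule are what blunt guessing against questions whose answers have a small range, such as a first car's make and model.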