We all know we should create secure passwords. But, for all the time we spend worrying about our passwords, there’s a backdoor you never think about: the security questions and answers you provide to get back into your account if you lose your password. They are usually easy to guess or look up, and anyone who knows the answer can use them to bypass your password entirely.
Thankfully, many services are realizing security questions are very insecure and axing them. Google and Microsoft no longer offer security questions for their accounts — instead, you can recover an account using an associated phone number.
The Palin “Hack”
This isn’t just a theoretical problem. Sarah Palin’s Yahoo! email account was famously “hacked” in the run-up to the 2008 election. The “hacker” just used the password reset prompt and answered her security question. The question was where she met her spouse, and the answer — Wasilla High — was accessible with a quick Google search.
The Problem With Security Questions
This isn’t just a problem for Sarah Palin. When we set up accounts — from bank accounts to email accounts — we’re often asked to pick a security question and give an answer. Most of the time, we’ll be provided with a list of suggested common questions like “Where did you go to high school?” and “What is your mother’s maiden name?” Some websites allow you to create your own question, but many force you to choose from their list of suggested questions.
Some websites force you to set up multiple security questions and answers, which means you can’t just choose a single answer that’s easy to remember — you have to choose several different questions and remember all the answers.
The real problem with security questions is that the answers are usually obvious or easy to guess. The answer to “What is your favourite food?” will take a complete stranger only a few guesses: “pizza”, “curry”, “chinese”, “thai”, “mexican” and so on. The answers to many other security questions, from “What is your birthday?” to “Where did you go to high school?”, are public knowledge, if anyone cares to look.
Just think for a minute: how many other people already know the answers to your security questions?
I’m sure that if I took a look at your Facebook or LinkedIn profile, or searched through your timeline or tweets, I could probably find the answers to those common security questions.
If you have ever posted this info online then it is quite likely it can be found with a simple Google search. Even if the answers aren’t public knowledge already, most normal people will openly share the answers to those questions in normal conversation, not realising the consequences, so it is very easy for any criminal to obtain this info with a simple bit of social engineering.
Security Question Basics
So, as we have established, security question answers are also simply easier to guess than passwords. For example, if the question is “What was the name of your first pet?”, it’s very easy to guess some common pet names. It doesn’t matter if your password is something as complex as “3&40$d#%$t#kteyt”: if your first pet’s name was “Fido” and this is the answer to your security question, then the hacker can simply bypass the password and answer your super easy security question instead.
Not every service will reset your account and give someone else access just because they know the answer to your security question, but many will. More secure services use security questions as part of an authentication process that will require other personal information and will email you a new password or password reset link, so this would require the hacker to also have access to your email.
How to Choose and Answer Security Questions
Keep all this in mind when choosing security questions and answers. Choose something that would be difficult for other people to find out or guess, not something simple like where you went to school.
Bear in mind that you don’t have to answer questions accurately, either. For example, if the question is “Where did you have your first kiss?” and you’ve lived in London your entire life, you probably don’t want to enter London, since that’s a really obvious answer. Instead, make something up, such as “In a Crater on the Moon while eating cheese” or another silly response that nobody will be able to guess.
Of course, even this answer is more obvious than a seemingly random string. Maybe your answer to “Where did you have your first kiss?” is 9je7%5yry835#9reou&hf94@7gt5. Even if you’re forced to use a certain question, you’re free to enter any answer you like.
You now basically have a second password for your account — write it down somewhere secure or preferably use a password manager like LastPass and store it in the notes, so you can access it in case you ever need it.
Another alternative is to opt out of meaningful security questions altogether. For example, if you’re given the chance to write your own security question, you can enter a question like “What is the secret answer?” or reference an in-joke that only you would know. You can then provide an answer that’s as secure as the question and your password. Maybe your question/answer pair is something like “What is the answer?” / “45D%po#Yih8d0Y$fgp(i34t”.
Finally, the same rules apply as with passwords: never re-use the same security question/answer pair, and use a unique security question/answer for every single account/website. If you use the same details on multiple sites and one of those sites gets hacked, then the criminals can gain access to every other site where you used the same details.
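The advice above amounts to treating each security answer as a second, random password. The following added example (not from the original article) makes that concrete: it shows how few guesses a short list of common pet names needs to hit a real answer like “Fido”, generates a per-site random answer for storage in a password manager, and compares the entropy of the two approaches. The pet-name list is constructed for illustration.

```python
import math
import secrets
import string
from typing import Dict, List, Optional

# Constructed sample of guessable answers of the kind the article describes.
# Real guess lists are far larger; the point is that the space is tiny.
COMMON_PET_NAMES = ["max", "bella", "charlie", "lucy", "fido", "buddy", "daisy", "molly"]

# Character set for random answers: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def guess_list_position(answer: str, guess_list: List[str]) -> Optional[int]:
    """Return how many guesses a list-based attacker needs to hit `answer`.

    Answers are compared case-insensitively after trimming whitespace, because
    reset forms typically normalise input the same way. None means the answer
    is not on the list at all.
    """
    normalised = answer.strip().lower()
    for position, guess in enumerate(guess_list, start=1):
        if guess == normalised:
            return position
    return None


def list_entropy_bits(guess_list: List[str]) -> float:
    """Entropy of an answer chosen uniformly from a guess list of this size."""
    return math.log2(len(guess_list))


def random_answer(length: int = 28) -> str:
    """Generate a random 'second password' using the OS CSPRNG (secrets)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_answer_entropy_bits(length: int = 28) -> float:
    """Entropy of a random answer of `length` symbols drawn from ALPHABET."""
    return length * math.log2(len(ALPHABET))


def answers_per_site(sites: List[str], length: int = 28) -> Dict[str, str]:
    """One distinct random answer per site, as the article's re-use rule requires."""
    return {site: random_answer(length) for site in sites}
```

The dictionary returned by `answers_per_site` is the kind of material you would store in a password manager's notes field, never in the same place as the question text on paper.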