We all know we should create secure passwords. But, for all the time
we spend worrying about our passwords, there’s a backdoor we never think
about. Security question answers are often easy to guess, and answering
one correctly can bypass the password entirely.
Thankfully, many services are realizing security questions are very
insecure and axing them. Google and Microsoft no longer offer security
questions for their accounts — instead, you can recover an account using
an associated phone number.
The Palin “Hack”
This isn’t just a theoretical problem. Sarah Palin’s Yahoo! email account was famously “hacked”
in the run-up to the 2008 election. The “hacker” just used the password
reset prompt and answered her security question. The question was where
she met her spouse, and the answer — Wasilla High — was accessible with
a quick Google search.
The Problem With Security Questions
This isn’t just a problem for Sarah Palin. When we set up accounts —
from bank accounts to email accounts — we’re often asked to set up a
security question. Most of the time, we’ll be provided with a list of
suggested questions like “Where did you go to high school?” and “What is
your mother’s maiden name?” Some websites allow you to create your own
question, but many force you to choose from their list of suggested
questions. Some websites force you to set up multiple security questions
and answers, which means you can’t just choose a single answer that’s
easy to remember — you have to choose several different questions and
remember all the answers.
The real problem with security questions is that the answers are so
obvious. The answers to many security questions, from “What is your
birthday?” to “Where did you go to high school?” are public knowledge,
if anyone cares to look. They may even be able to search for them on
Google. Even if the answers aren’t public knowledge already, most normal
people will share details like where they met their spouse and where
they went to school in normal conversation.
Security Question Basics
If you’ve never reset an account’s password, you may never have to
deal with your own security questions and may forget about them. You’re
often able to click a link that says you forgot your password and, if
you answer the security question correctly, you’re given access to that
account. In this way, security questions allow you to bypass your
password. Your account is then no longer as secure as your password;
it’s only as secure as your most obvious security question.
Security question answers are also just easier to guess. For example,
if the question is “What was the name of your first pet?”, it’s very
easy to guess some common pet names. It doesn’t matter if your password
is something as difficult-to-guess as “3&40$d#%$t#kteyt”. If your
first pet’s name was “Fido” and you answer the security question
accurately, the answer will be easy to guess.
Not every service will reset your account and give someone else
access just because they know the answer to your security question, but
some will. Other services use security questions as part of an
authentication process that will require other personal information.
How to Choose and Answer Security Questions
Keep all this in mind when choosing security questions and answers.
Choose something that would be difficult for other people to find out or
guess, not something like where you went to school.
Another option is to opt out of security questions altogether. For
example, if you’re given the chance to write your own security question,
you can enter a question like “What is the answer?” or reference an
in-joke that only you would know. You can then provide an answer that’s
as secure as the question — maybe your answer/question pair is something
like “What is the answer?” “45D%po#Yih8d0Y$fgp(i34t”. You now just have
a second password for your account — write it down somewhere secure or
store it in a password manager like LastPass or KeePass so you can
access it in case you ever need it.
Bear in mind that you don’t have to answer questions accurately,
either. For example, if the question is “Where did you have your first
kiss?” and you’ve lived in New York your entire life, you probably don’t
want to enter New York — that’s a really obvious answer. Maybe your
answer is “In a Crater on the Moon” or another silly response that
you’ll remember but other people will have more trouble guessing. Of
course, even this answer is more obvious than a seemingly random string.
Maybe your answer to “Where did you have your first kiss?” is
9je7%5yry835#9reou&hf94@7gt5. Even if you’re forced to use a certain
question, you’re free to enter any answer you like as long as you can
remember it. Of course, you’ll want to keep this answer safe in case you
ever need to provide it in the future.
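The advice above boils down to treating a security answer as a second password: pick something from a huge space of possibilities rather than from a short list anyone could guess, and then store it in a password manager. The following Python script is an added example (not code from the original article) that makes the difference concrete. It generates a random answer with the standard-library `secrets` module, estimates how many bits of guessing work an answer represents, and flags answers that fall into a small, obvious candidate set. The pet-name list is a constructed sample, not data from the page.

```python
import math
import secrets
import string

# Constructed sample of "obvious" answers: a short list of common pet names,
# standing in for the small, guessable answer space the article describes.
# This list is an assumption for the example, not data from the page.
COMMON_PET_NAMES = ["Max", "Bella", "Charlie", "Lucy", "Fido", "Buddy",
                    "Daisy", "Rocky", "Molly", "Bailey"]

# Characters a random answer is drawn from: letters, digits and punctuation
# (94 symbols in total), the same kind of character set the article's example
# answers use.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def guess_space_bits(candidate_count: int) -> float:
    """Bits of work to guess an answer drawn uniformly from `candidate_count`
    options. An answer that is one of ten common pet names is worth about
    3.3 bits: a handful of tries."""
    return math.log2(candidate_count)


def random_answer_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Bits of work to guess a uniformly random string of `length` characters
    taken from `alphabet`: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def generate_answer(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Generate a random security answer, i.e. a second password.
    `secrets` uses the OS CSPRNG, so the result is not predictable the way
    `random.choice` output can be."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def normalize(answer: str) -> str:
    """Case-fold and collapse whitespace so 'Fido', 'fido' and ' FIDO ' all
    compare equal, the way an attacker guessing answers would treat them."""
    return " ".join(answer.casefold().split())


def is_obvious(answer: str, candidates=COMMON_PET_NAMES) -> bool:
    """True if the answer matches one of the obvious candidates, ignoring
    case and surrounding whitespace."""
    obvious = {normalize(c) for c in candidates}
    return normalize(answer) in obvious


def compare(answer: str) -> dict:
    """Summarize how an answer holds up: whether it is in the obvious set and
    the rough bit-strength of the two strategies the article contrasts."""
    return {
        "answer": answer,
        "obvious": is_obvious(answer),
        "bits_if_guessed_from_list": guess_space_bits(len(COMMON_PET_NAMES)),
        "bits_if_random_same_length": random_answer_bits(len(answer)),
    }


if __name__ == "__main__":
    for a in ["Fido", generate_answer()]:
        print(compare(a))
```

Running the script prints one summary for “Fido” and one for a freshly generated 24-character answer; the first is flagged as obvious and sits in a roughly 3-bit guessing space, while the random answer is worth well over 150 bits, on par with a strong password. The random answer is only useful if you keep it somewhere you can retrieve it, which is why the article points at a password manager.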
Security questions are insecure. But, even if you’re forced to use
them or forced to use an insecure question, you’re never forced to
provide an accurate answer. You can enter any answer you like as long as
you can remember it for later. Whatever you do, be sure you aren’t
opening a backdoor an attacker could use to bypass your password.