
In recent weeks I have written a lot about how to make online accounts recoverable. A typical option is to set up a security question. While this offers a quick and easy way to recover your account, it is also a security liability: anyone who can guess or research the answer can use the recovery process to take over the account.

Some websites have realized that standard security questions such as ‘What is your mother’s maiden name?’ or ‘What is your pet’s name?’ are far too easy to figure out, even for strangers. If you have heard of the man who broke into dozens of celebrity email accounts, you will understand: he got in by guessing email addresses and passwords and by looking up the answers to the stars’ security questions, which for a public figure are easy to research.

The same happens to regular people, as a comment on one of my articles highlighted. A jealous spouse or an angry ex-partner already knows most of the stock answers and can cause a lot of trouble with access to your online accounts. It’s better to prepare for the worst and not give an ill-natured person the chance to harm you. Fortunately, some websites now allow users to set custom security questions, and their number is growing.

What Makes A Good Security Question?

First and foremost, pick a question whose answer is very hard to guess or look up, both for strangers and for people who know you well. At the same time, the answer should be easy for you to remember. Keep in mind that you may have to answer the question years from now, so the answer shouldn’t change over time, or at least you should still be able to give it correctly in the future.

Let’s summarize these 3 basic principles:

  1. Hard to guess or find out;
  2. Easy to remember;
  3. Doesn’t change over time;

Similar principles and more details on each, as well as examples of good and bad security questions, can be found here:


Additional Criteria For A Secure Security Question

Following these basic principles, you can create fairly good security questions. Adding further criteria makes a question more robust still. For example, an ideal security question has many potential answers, so the answer cannot simply be tried from a short list, yet in line with principle 1 only you know the true one. And while the answer should be hard to guess, it should still be short and simple; otherwise it probably won’t be easy to remember.

Finally, so as not to undermine principle 1, you must never give the answer away anywhere else, not in a casual conversation and not in an online quiz. Either make a conscious effort never to answer it, or choose a question that nobody would ever think of asking for fun.

To summarize, these are additional criteria for secure security questions:

  • The question has many potential answers, but only one clear to you (principle 1);
  • the answer is short and simple (principle 2);
  • the question is unlikely to be asked randomly, e.g. in a game (principle 1).


Examples Of Good Security Questions

Good examples are hard to give because, ideally, a question is very personal and does not apply to many people. Nevertheless, here are three examples and why they make good questions.

  • What is the name of the teacher who gave you your first A?
    If you ever got a particularly good or bad grade, you likely remember the subject and the teacher. Unless you boasted about it, this detail will be very hard for someone else to find out. If you never received that grade, the answer can be something nonsensical, such as ‘never happened’.
  • What is the name of the city where you got lost?
    Provided this is a vivid memory, and not a story you have shared far and wide, this makes for a great question. Generally, events you are ashamed of and never told anyone about make for great security questions. Bear in mind, though, that city names come from a finite, public list, so such an answer is only as safe as the site’s limit on failed attempts.
  • What is the name of the person whose middle name is Maria?
    Since most people are not fond of their middle names and don’t use them online, the answer is hard to find out or guess.

Creative Answers To Security Questions

Any question with a truthful answer can, in principle, be answered by someone who researches you thoroughly enough. To increase security further, especially on sites that don’t offer a custom question, you can do what blogger Danah Boyd of Apophenia recommends and create a personal algorithm for security questions: a master key that, combined with a rule of your own, produces the answer to any question. That way you only have to remember the master key and the rule, and the answers need bear no relation to the questions at all.
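One way to turn the “personal algorithm” into something mechanical, as an added example that is not code from the original article or from Danah Boyd’s post: you memorise a single master secret, and the answer for a given site is the HMAC-SHA256 of the site name and the (normalised) question text under that secret, written out as a short lowercase alphanumeric string. Knowing one site’s answer does not reveal the master secret or any other site’s answer, because HMAC is one-way, and every site gets a different answer, so a breach at one site does not expose the rest. The site names, question texts and master secret below are constructed for illustration.

```python
"""Derive a different security-question answer for every site from one master secret.

Added example (not code from the original article or from Danah Boyd's post).
The site names and master secret used in the demo are stand-ins.
"""
import hashlib
import hmac
import math
import re
import string

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols, ~5.17 bits each


def normalize_question(question: str) -> str:
    """Canonicalise the question so small rewordings map to the same answer.

    Lowercases, drops punctuation and collapses whitespace, so
    "What is your pet's name?" and "what is your pets  name" derive the same
    answer.  A genuinely different wording (e.g. a contraction) will not.
    """
    lowered = question.lower()
    letters_only = re.sub(r"[^a-z0-9\s]", "", lowered)
    return " ".join(letters_only.split())


def derive_answer(master_secret: str, site: str, question: str, length: int = 12) -> str:
    """Return a deterministic answer of `length` symbols for (site, question).

    The MAC is computed over the lowercased site name and the normalised
    question, separated by a NUL byte so the two fields cannot run into each
    other ("ab" + "c" must not collide with "a" + "bc").
    """
    if not 8 <= length <= 40:
        # 40 base-36 symbols is ~207 bits, comfortably inside the 256-bit digest.
        raise ValueError("length must be between 8 and 40 symbols")
    message = (
        site.strip().lower().encode("utf-8")
        + b"\x00"
        + normalize_question(question).encode("utf-8")
    )
    digest = hmac.new(master_secret.encode("utf-8"), message, hashlib.sha256).digest()
    # Write the digest as a base-36 number, least significant symbol first.
    number = int.from_bytes(digest, "big")
    symbols = []
    for _ in range(length):
        number, remainder = divmod(number, len(ALPHABET))
        symbols.append(ALPHABET[remainder])
    return "".join(symbols)


def answer_entropy_bits(length: int) -> float:
    """Guessing work for an attacker who knows the scheme but not the master secret."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    # Constructed sample inputs; the master secret is a stand-in for one you memorise.
    master = "a long passphrase that only you know"
    for site, question in [
        ("example-bank.test", "What is your mother's maiden name?"),
        ("example-mail.test", "What is your mother's maiden name?"),
    ]:
        print(f"{site:20} {derive_answer(master, site, question)}")
    print(f"{answer_entropy_bits(12):.0f} bits per 12-symbol answer")
```

Two caveats follow from the design. The master secret is a single point of failure, so it needs the strength of a good passphrase and must never be typed into any site. And because the answer depends on the exact question wording (after normalisation), a site that later rewords its question, or that only accepts letters, will break the derivation for that site; record which wording and length you used, or key the derivation on a short label of your own instead of the question text.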


If this story made you wonder what else you can do to secure your online accounts, you may also find these articles helpful:

Do you think your security question is unhackable? Do you dare to share it with us?

Image credits: Dangerous Question via Shutterstock, Good Security Question via Shutterstock, Question via Shutterstock

  1. kiwiplayer
    August 25, 2012 at 1:26 am

    A sensible concept, here are mine - please, feel free to try and hack my bank a/c with them!

    (1) The title of the first LP you ever bought was ...
    (2) The street you lived on in 1973 was ...
    (3) Your UK landlord's surname was ...

    Yes, it's pretty easy really, to come up with secret questions that are unbreakable.

  2. Henry
    July 31, 2012 at 10:26 pm

    Dear Tina Sieber,
    I also have some ideas...
    We can also give totally unrelated answers to questions.
    For example,
    if the question is "What is your best friend's name?"
    then the answer can be
    "I love my dog."
    Or if the question is "What was the name of the teacher who gave you an A in school?"
    then the answer can be
    "I used to play football in my school."
    Although it may be a little difficult to remember, it will be really hard to guess.

    • Tina
      August 1, 2012 at 10:21 am

      Henry,

      That's not a bad idea! I guess the key is that you won't forget what your nonsensical answer to the question was.

  3. Jeffrey Mercante
    July 31, 2012 at 10:08 pm

    very helpful

  4. David Mcleod
    July 31, 2012 at 9:07 pm

    Great idea, just need to load another GB of memory (left brain or right brain?) and I am all set. I just need to simplify, get down to under 100 passwords, I've started typing my name like this: first_last#$%^&@email.com, I am not just Sam anymore.

  5. Daniel Voyles
    July 31, 2012 at 4:46 pm

    Nice article!

  6. Ellen Odza
    July 31, 2012 at 4:31 pm

    This is really useful - thanks! I remember setting up a university email account for a fellow student way back in the pre-Internet days. I got it all set up, and then told him to enter in a password while I turned my back. He typed, I guessed his password - his last name. He erased and retyped - I guessed it again - his girlfriend's name. Third time I guessed it again - his dog's name! By this point he was utterly convinced I was psychic but it was really just a good early lesson in password security!

  7. Athena Racca
    July 31, 2012 at 4:52 am

    I really like the formula! Thanks! :)

  8. Charlie Player
    July 31, 2012 at 12:45 am

    Well, don't let anyone around you when you are writing your question's answer.... common sense.

  9. Steven Kim
    July 30, 2012 at 2:07 pm

    Very creative, I may say!!

  10. Claire Anne Aguirre
    July 30, 2012 at 10:56 am

    thank you for the tip.

    • jipson varghese
      August 6, 2012 at 6:43 am

      nice

  11. Tina
    July 29, 2012 at 7:49 pm

    Thanks for the heads-up, Alex. Spam removed.

  12. Tom Steenhuysen
    July 29, 2012 at 1:14 pm

    Even if you cannot choose or write your own question, nothing prevents us from using our own answer. If you use a specific and completely private answer, it doesn't matter what the question is.

  13. John
    July 28, 2012 at 9:39 pm

    It was very good advice. To make it more secure, I think it is best to substitute a couple of vowels with another character, e.g. uppercase or a number.

  14. susan
    July 28, 2012 at 7:37 pm

    What a great article! After becoming frustrated with keeping up with 50 different responses, I created an algorithm for both the log-in I.D. and the answers to security questions. For my passwords, I have a nonsensical sentence that I created & I don't even put spaces in between the words. Because each site has different requirements regarding the use of capital letters, numbers, etc., I made sure the sentence contained characters that would satisfy each condition. For example, it has one capital letter and two sets of numbers mixed in. Now I can easily log in but still feel pretty secure against hacking. Although, I loved your suggestions and think I'm going to change my formula to further decrease the odds of someone cracking it. So thank you for all of your research! However, it always amazes me that despite the quality of the piece, the broad appeal, or how applicable the information is, there are always comments that serve as nothing more than evidence against the authors that their motives were to write a condemning remark instead of actually reading for knowledge or fun!

  15. Praveen Kumar
    July 28, 2012 at 7:37 am

    What if I forgot the question??? :/

    • Tina
      July 28, 2012 at 8:05 am

      You can't really forget the question, it will be given to you. :)

  16. L?f?er DeeCyf?er
    July 28, 2012 at 4:02 am

    still susceptible to hacking because of the use of a combination of actual words.
    a better approach may be to come up with a sentence that is relevant to only you and using first letters of words, last letters of words, alternating those, or some other algorithm on that sentence as your password.

  17. Fai-Rose Hassan
    July 27, 2012 at 10:23 pm

    great!

  18. Muhammad Ahmad
    July 27, 2012 at 2:07 am

    Very informative article. Will follow the instructions.

  19. Theresa Banks
    July 26, 2012 at 8:43 pm

    Great ideas concerning something everyone faces.

  20. MK
    July 26, 2012 at 6:51 pm

    Security questions advice is good but even more I need assistance on formulating good passwords. I can't remember them all, and many websites have differing requirements as to number of characters, case sensitivity, use of symbols, etc. Help!

    • Tina
      July 27, 2012 at 5:15 pm

      MK,

      We have written several articles on how to create secure passwords. Check out the articles listed here: http://is.gd/kLWItY

  21. Paolo Maffezzoli
    July 26, 2012 at 6:36 pm

    Interesting tips. Another good idea is to answer with an impossible or nonsense word. For example, question: What is your name? Answer: Napoleon.

    • Tina
      July 27, 2012 at 12:08 am

      Good idea, Paolo. However, if the answer is too simple, e.g. Napoleon being just one word, it could get cracked.

  22. Dee Wheat
    July 26, 2012 at 6:36 pm

    I've been known to use my dog's full "you're in trouble now" name. She's the only one who knows it, and it's long enough and unusual enough that no one has so far cracked or guessed it.

  23. Lee Nathan
    July 26, 2012 at 5:51 pm

    I love the idea of better security questions.
    But I hate most of the better questions that are asked.
    One major problem that seems to be often overlooked is that questions should ask about universal experiences and conditions.
    For example:
    mother's maiden name - everybody has a mother
    However:
    pet's name - some people have never had a pet
    youngest sibling's middle name - some people are only children

    As for the three you mentioned:

    Q) What is the name of the teacher who gave you your first A?
    A) Honestly, I don't remember a single grade I ever received as I haven't been to school for 15 years. And I really didn't care about grades much then.

    Q) What is the name of the city where you got lost?
    A) I'm not bragging, but I have a great sense of direction and never get lost.

    Q) What is the name of the person whose middle name is Maria?
    A) This one I think is the most universal. But still tricky. I can count on one hand the number of people whose middle names I know.

    I often see sites with these "better" security questions and get incredibly frustrated because the questions rarely apply to me.

    • Tina
      July 27, 2012 at 12:07 am

      Lee,

      The questions above are just examples. The strongest question is one you create yourself, following the guidelines.

      • Lee Nathan
        July 27, 2012 at 4:33 am

        Ah OK. Sorry, I was in web dev mode when I read this. I thought you meant these were questions you would recommend incorporating into a site being built. It would be nice if more sites let you ask and answer your own questions.

  24. Cho
    July 26, 2012 at 5:22 pm

    Easier yet is to use a nonsense answer.
    For example: "Pet's name?" = "dead dog"
    "Maiden name?" = "Glub-Glub"

  25. hfrankjr
    July 26, 2012 at 3:40 pm

    I guess I've only thought of passwords before, never passphrases or creating my own security questions. Here's one I've remembered for 61 years and nobody, nobody, knows what it is but me: while working on a riverboat on the Mississippi River, we were dry docked in New Orleans. On the ferry across the river to visit the city, I was standing at the rail next to a fellow my age and he told me his name. I never saw him again, but I remember it to this day. Is that the kind of thing we're looking for?

    • Virgule
      July 26, 2012 at 6:10 pm

      Exactly. An unhackable security question will be one with only one answer, an answer easy for you to remember, and one that only you can answer.

      Mine: "Who badly disappointed you in 1961?"

      Then you can use the answer for any question, e.g. where did you meet your spouse? Answer: Linda (not the actual person who disappointed me, obviously).

    • Tina
      July 27, 2012 at 12:06 am

      Absolutely! The more unique his name is, the more secure your question. If it's a very common name, then it might not be a good option after all.

    • Rob Hindle
      August 9, 2012 at 5:17 pm

      Was it rumpelstiltskin?

      • Frank Henderson
        August 9, 2012 at 5:46 pm

        MY GOD! You GOT it!

      • Frank Henderson
        August 9, 2012 at 5:47 pm

        I just can't believe it!

    • Rob Hindle
      August 9, 2012 at 7:30 pm

      I just had to do a password recovery at 123reg. I use lastpass for my logins so I knew I'd not screwed up. Either I'd been hacked or 123reg must be having a problem (which was the case).

      So I had to remember the answers to my secret questions. Memorable date had me stumped but luckily I could provide enough other data items to satisfy the advanced login verification questions. However it got me thinking - where to record those secret Q&As. The answer was easy. LastPass can store more than just the Logon credentials (Username & password), there are additional options for "secure note" and while in there why not use some of the other options like Passport number - you could even add a scanned image of the photo page of your passport.

      Having done all that - just remember that your LastPass could become the key to everything about you, so use a strong password, keep it safe, and beware of logging on in an insecure environment (public WiFi, internet cafe). Consider adding LastPass to Google Authenticator.

      • Tina
        August 10, 2012 at 8:03 am

        As always, great advice, Rob! It makes total sense to store your security Qs and/or the answers in LastPass.

        What I hadn't thought of is using LastPass for storing passport information. That could be very useful, but as you say, it could be disastrous should LastPass get hacked. To be honest, I'm not sure it's a good idea.

        • Rob Hindle
          August 10, 2012 at 4:37 pm

          Hmm, yes, you're right, but then surely people who care enough about security to use something like LastPass will be smart enough to use it securely? Maybe my expectations are too high!
          I've spoken to two businesses this week who have multiple accounts with all kinds of internet and email services. Not only do both use the same password for everything (because it's easier...) but they both told me their (not very difficult) password without me asking for it.

  26. Brian
    July 26, 2012 at 3:12 pm

    Dear Tina Sieber:

    I do not know about your experiences, but very few sites that I have ever come across allow the user to write their own security question. And having been out of school for about 50 years, how in he77 is anyone to remember a teacher's name, let alone one you got an A from?

    • Tina
      July 27, 2012 at 12:05 am

      Brian,

      There are a few and they are getting more. I decided to write this article when I saw that some sites do allow custom security questions.

      Also, the questions above are suggestions. You should of course pick a custom question you can remember the answer to, even 50 years down the line.

  27. Henning Pulmer
    July 26, 2012 at 1:38 pm

    Very good advice! Thanks a lot!

  28. Suman Acharya
    July 26, 2012 at 11:58 am

    tips are great!

  29. Scott
    July 26, 2012 at 11:26 am

    From a security standpoint, is there any advantage to using special characters in the answer (for those services that allow them, of course — Hotmail is one of the few that doesn't) ?

    In my case I start where Danah Boyd above does: use one of the stock questions, but I provide a (hopefully) unguessable answer to it. E.g. "What's your favorite food ?" Answer: H0g@n'$ H3r()E5. (That's a modified "Hogan's Heroes.")

    I suppose one could have it both ways and simply add some special characters to Boyd's middle term to beef it up a bit: $p0r+5T3@m, c@r, etc.

    • Tina
      July 27, 2012 at 12:04 am

      Scott,

      Special characters will always make your passwords and even answers to security questions more secure. That's if they are allowed. Alternatively, you can replace letters with numbers for example.

    • doc
      August 2, 2012 at 9:44 pm

      Yes, it's called "salting" your password, and it requires that a potential hacker use a much larger char-set for their hacking program (e.g. John the Ripper, Cain and Abel, etc.).

    • doc
      August 2, 2012 at 9:55 pm

      I've found that using the "Alt" key in conjunction with the number pad will give you characters that do not even appear on your keyboard (e.g. Smiley faces, card suits from playing cards, etc.). Even better I've found that these are not standardized across the industry, so keyboards from different manufacturers will have different characters, making it infinitely harder to crack a password. The char-set or rainbow table required to crack your password will be absolutely massive and even programs that use "Time - Memory Trade-off" will take much longer to do their work. Someone using a brute force program will most likely give up after so much time has passed. In order to make this work you would press and hold the Alt Key, then press and release a number, then release the Alt Key. Then repeat the process for each following character. This may not work for every site you register with because some don't allow special characters or restrict their use to just a few characters (not a very security conscious practice. Just plain lazy or cheap on the part of the web-site in my opinion). Anyway, I hope this helps.

      • doc
        August 2, 2012 at 10:10 pm

        One possible down-side to this process is that you might not be able to log-in from a remote computer because of the different keyboard. But, it's great for your Windows password.

        • Tina
          August 3, 2012 at 11:03 am

          That's what I thought when I read your comment. Might not be very practical.

        • Rob Hindle
          August 9, 2012 at 5:16 pm

          Agreed, when I go on holiday I often find the @ key isn't where it should be and the £ is missing

  30. Elaheh Sadegh
    July 26, 2012 at 9:38 am

    Really, really helpful. These days, with increasing social networks, having good security is a must. I'd never thought about security questions the way you did, and now I should reconsider my questions and answers. Making our own algorithm when there is no custom question is a great idea.

  31. Shakirah Faleh Lai
    July 26, 2012 at 8:55 am

    Your 3 basic principles are very practical. I think if we can use our own mother tongue instead of English for the security question, it might be harder to guess. Using a shameful experience to build a security question is a good idea.

  32. Vampie C.
    July 26, 2012 at 7:07 am

    I love the idea of using a dummy answer with the changing variable.
    Great concept, now to think of a decent combo :-)

  33. dclunie
    July 26, 2012 at 5:30 am

    Using a city, state or country as your "secret phrase answer" is terrible, actually. Why? Because there is a finite number of them, and because of today's digital world and the sending of packages there are databases of those cities/states/countries, etc., that can be used to quickly gain access, especially if the site doesn't have safeguards for the number of failures, etc.

    Otherwise good article.

    • Tina
      July 27, 2012 at 12:09 am

      Good point, had not thought of that!
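
The site-side safeguards dclunie alludes to, as an added example that is not code from the original article or from any site named in the comments: if the answer space is a public list of a few thousand cities, the only things standing between an attacker and the account are a failure limit and a store that cannot be cracked offline after a breach. The sketch below normalises answers so “New Orleans” and “ new-orleans” compare equal without becoming more guessable, stores only a per-user salted PBKDF2-HMAC-SHA256 hash, compares in constant time, and locks the question after a fixed number of wrong attempts. The class and user names are hypothetical and the data is constructed; a real site would keep the record in its database and unlock only through an out-of-band reset.

```python
"""Site-side handling of security answers: normalise, hash slowly, limit attempts.

Added example (not code from the original article or from any real site).
SecurityAnswerStore is a hypothetical in-memory stand-in for a database table.
"""
import hashlib
import hmac
import os
import re
import unicodedata

PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256; tune to your hardware
SALT_BYTES = 16
MAX_FAILURES = 5


def normalize_answer(answer: str) -> str:
    """Casefold, strip accents, and keep only a-z0-9.

    Makes the comparison forgiving of capitalisation, spacing and punctuation
    without making the answer easier to guess: the attacker still has to know
    the word.  Non-Latin scripts normalise to the empty string, which enroll()
    rejects; a site serving such users needs a different normaliser.
    """
    decomposed = unicodedata.normalize("NFKD", answer).casefold()
    no_accents = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return re.sub(r"[^a-z0-9]", "", no_accents)


def _hash(normalized: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked table cannot be cracked against a city list quickly."""
    return hashlib.pbkdf2_hmac("sha256", normalized.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class SecurityAnswerStore:
    """Per-user record: salt, answer hash and running count of failed attempts."""

    def __init__(self, max_failures: int = MAX_FAILURES):
        self.max_failures = max_failures
        self._records = {}

    def enroll(self, user: str, answer: str) -> None:
        normalized = normalize_answer(answer)
        if len(normalized) < 3:
            raise ValueError("answer too short after normalisation")
        salt = os.urandom(SALT_BYTES)
        self._records[user] = {"salt": salt, "hash": _hash(normalized, salt), "failures": 0}

    def is_locked(self, user: str) -> bool:
        record = self._records.get(user)
        return record is not None and record["failures"] >= self.max_failures

    def verify(self, user: str, answer: str) -> bool:
        record = self._records.get(user)
        if record is None:
            # Hash anyway so an unknown user costs the same time as a wrong answer.
            _hash(normalize_answer(answer), b"\x00" * SALT_BYTES)
            return False
        if record["failures"] >= self.max_failures:
            return False  # locked: even the right answer is refused until reset
        candidate = _hash(normalize_answer(answer), record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            record["failures"] = 0
            return True
        record["failures"] += 1
        return False


if __name__ == "__main__":
    store = SecurityAnswerStore(max_failures=3)
    store.enroll("frank", "New Orleans")  # constructed sample user and answer
    print(store.verify("frank", " new-orleans "))  # normalises to the enrolled answer
    for guess in ["houston", "mobile", "baton rouge"]:  # attacker working down a city list
        print(guess, store.verify("frank", guess))
    print("locked:", store.is_locked("frank"))
```

With a failure limit of five, an attacker guessing from a list of twenty thousand cities has at most a 0.025% chance per account, and the slow hash means a stolen table of answers has to be cracked one costly guess at a time rather than looked up. Neither control helps a user who has told the whole internet where they got lost, which is why the article’s first principle still comes first.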

  34. ferdinan Sitohang
    July 26, 2012 at 2:32 am

    It is a totally good concept. Never thought like this before. Will use it as guidance. Thanks.
