In recent weeks I have written a lot about how to make online accounts recoverable. A typical security option is setting up a security question. While this potentially provides a quick and easy way to recover your account, it also presents a security liability in case the answer is easy to guess or research.
Some websites have realized that standard security questions, such as ‘What is your mother’s maiden name?’ or ‘What is your pet’s name?’, are far too easy to figure out, even for strangers. If you have heard of the guy who hacked into dozens of celebrity email accounts, you will understand. Essentially, he gained access to the stars’ email accounts by guessing email addresses and passwords and by finding out the answers to their security questions.
The same is happening to regular people, as a comment to one of my articles highlighted. A jealous spouse or an angry ex-partner can cause a lot of trouble if they gain access to your online accounts. It’s better to prepare for the worst and not give an ill-natured individual the chance to harm you. Fortunately, most websites now allow users to set custom security questions.
What Makes A Good Security Question?
First and foremost, you will want to pick a security question that is very hard to guess or find out, both for strangers and for people who know you well. On the other hand, the answer should be easy for you to remember. Keep in mind that you may have to answer the question a few years from now: the answer shouldn’t change over time, or at least you should still be able to answer it correctly in the future.
Let’s summarize these 3 basic principles:
- Hard to guess or find out;
- Easy to remember;
- Doesn’t change over time;
Similar principles, more details on each, and examples of good and bad security questions can be found here:
- Good Security Questions
- How to pick a REALLY good security question
- Best Practices for Password Reminders and Security Questions

Additional Criteria For A Secure Security Question
Based on these basic principles, you can create fairly good security questions. When you add further criteria, however, your question becomes even more robust. For example, an ideal security question has many potential answers, but, in line with principle 1, only you know the true one. Also, while the answer should be hard to guess, it should still be short and simple; otherwise it probably won’t be easy to remember.
Finally, in order not to undermine principle 1, you should never accidentally answer this question anywhere else. This can be a conscious effort, or you can simply choose a question that no one would ever think of asking for fun.
To summarize, these are additional criteria for secure security questions:
- The question has many potential answers, but only one that is clear to you (principle 1);
- The answer is short and simple (principle 2);
- The question is unlikely to be asked randomly, e.g. in a game (principle 1).

Examples Of Good Security Questions
Good examples are hard to give because ideally, they will be very personal and not generally applicable to a lot of people. Nevertheless, below are three examples and why they make for good questions.
- What is the name of the teacher who gave you your first A?
If you ever got a particularly good or bad grade, you likely remember the subject and the teacher. Unless you boasted about it, this detail will be very hard for someone else to find out. Alternatively, if you never received that particular grade, the answer could be nonsensical, such as ‘never happened’.
- What is the name of the city where you got lost?
Provided this is a vivid memory, and provided it’s not a story you have shared far and wide, this makes for a great question. Generally, events you are ashamed of and never told anyone about make for great security questions.
- What is the name of the person whose middle name is Maria?
Since most people are not very fond of their middle names and don’t typically use them online, this answer is hard to find out or guess.
Creative Answers To Security Questions
Questions with true answers can always be answered by someone who digs hard enough. To really increase security, especially on sites that don’t offer a custom question option, you can do what blogger Danah Boyd of Apophenia recommends and create your own personal algorithm for security questions. In other words, you create a master key for security questions that functions as the answer. That way you only have to remember the master key to answer any security question you will ever set up.
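Boyd’s approach is a rule you carry in your head. As an added example, not code from this article or from Danah Boyd, here is a mechanical version of the same master-key idea in Python: one master secret, stretched once with PBKDF2, is combined through HMAC with the site name and the question text to produce a short, typeable answer that differs for every site and question but is reproducible forever, which is exactly principle 3. The word list, the function names, the salt label and the iteration count are this example’s own assumptions.

```python
import hashlib
import hmac
import unicodedata

# Constructed 64-word list used to render the derived bytes as typeable words.
# It is an assumption of this example; any fixed list works, but it must never
# change once in use (principle 3: the answer has to be reproducible years later).
WORDS = (
    "acorn anvil badge basin cabin candle delta dune ember fable ferry garnet "
    "glade hatch heron igloo ivory jelly juniper kayak kettle ladle lemon maple "
    "meadow nickel noodle oasis otter pebble pillow quartz quilt raven ridge "
    "saddle spruce tulip tundra umber urchin velvet violet walnut willow yarrow "
    "yodel zephyr zinc amber bison cider drift elbow fjord gecko hazel inlet "
    "jigsaw kiosk lotus mango nectar orbit"
).split()
# 256 % 64 == 0, so mapping one byte onto the list with % is uniform.
assert len(WORDS) == 64

# Domain-separation label and work factor for the key derivation (constructed).
KDF_SALT = b"security-question-answers-v1"
KDF_ITERATIONS = 100_000


def normalize(text: str) -> str:
    """Fold case and Unicode form and keep only letters and digits, so trivial
    rewordings ("What is your pet's name?" vs "what is your pets name") derive
    the same answer. Genuinely different wording still gives a different answer,
    so keep a note of the exact site/question pair you used."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def derive_answer(master_secret: str, site: str, question: str, words: int = 4) -> str:
    """Derive a site- and question-specific answer from one master secret.

    The master secret is stretched with PBKDF2, then an HMAC over the normalised
    site and question provides domain separation: the same secret yields
    unrelated answers on different sites, so one answer leaking (or being
    phished) reveals nothing about the others. Four words from a 64-word list
    carry 24 bits, enough against online guessing that the site rate-limits;
    raise `words` for sites that allow unlimited attempts.
    """
    if not 1 <= words <= 32:  # one word per digest byte, SHA-256 gives 32
        raise ValueError("words must be between 1 and 32")
    key = hashlib.pbkdf2_hmac("sha256", master_secret.encode("utf-8"),
                              KDF_SALT, KDF_ITERATIONS)
    # \x1f cannot survive normalize(), so site and question can never be confused.
    message = (normalize(site) + "\x1f" + normalize(question)).encode("utf-8")
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return "-".join(WORDS[b % len(WORDS)] for b in digest[:words])


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed demo secret, not a real one
    question = "What is your mother's maiden name?"
    for site in ("webmail.example", "bank.example"):
        print(f"{site:16} {question} -> {derive_answer(master, site, question)}")
```

The derived answer is something like `otter-ridge-cider-maple`: short enough to type, unrelated to anything a stranger could research, and recomputable from the master secret alone. If a site allows unlimited recovery attempts, 24 bits is thin; raise `words` there, or keep the derived answer in a password manager alongside the login, as a later comment on this article suggests.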

If this story made you wonder what else you can do to secure your online accounts, you may also find these articles helpful:
- 5 Steps You Should Take NOW To Make Your Email & Social Media Accounts Recoverable
- 5 Things You Can Do NOW To Secure Your Facebook Account & Make It Recoverable
- Get Secure: 5 Firefox Addons For Serious Password Management
Do you think your security question is unhackable? Do you dare to share it with us?
Image credits: Dangerous Question via Shutterstock, Good Security Question via Shutterstock, Question via Shutterstock
57 Comments
It is a totally good concept. Never thought like this before. Will use it as guidance. Thanks
Using a city, state or country as your “secret phrase answer” is terrible, actually. Why? Because there is a finite number of them, and because of today’s digital world and the sending of packages, there are databases with those cities/states/countries/etc. that can be used to quickly gain access, especially if the site doesn’t have safeguards for the number of failures, etc.
Otherwise good article.
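The point above about finite answer sets and sites without failure safeguards is a site-operator problem as much as a user one. As an added example, not code from the article or from any site it names, the Python below shows what such a safeguard looks like on the server side: answers are normalised, stored as salted PBKDF2 hashes just like a password, compared in constant time, and the record locks after MAX_FAILURES wrong guesses. The thresholds, names and the constructed sample answers are assumptions of this example.

```python
import hashlib
import hmac
import os
import time
import unicodedata
from dataclasses import dataclass
from typing import Optional

# Policy knobs; all three values are assumptions of this example.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
KDF_ITERATIONS = 100_000


def normalize(answer: str) -> str:
    """Fold case, strip accents, punctuation and spaces, so "São Paulo" and
    "sao paulo" compare equal: people rarely retype an answer byte for byte."""
    decomposed = unicodedata.normalize("NFKD", answer).casefold()
    # Combining marks are not alphanumeric, so accents fall away here.
    return "".join(ch for ch in decomposed if ch.isalnum())


def _hash(answer: str, salt: bytes) -> bytes:
    """Slow, salted hash of the normalised answer."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                               salt, KDF_ITERATIONS)


@dataclass
class StoredAnswer:
    """What the site keeps: a salt and a slow hash, never the answer itself."""
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


def enroll(answer: str) -> StoredAnswer:
    """Register a user's answer with a fresh random salt."""
    salt = os.urandom(16)
    return StoredAnswer(salt=salt, digest=_hash(answer, salt))


def verify(record: StoredAnswer, attempt: str, now: Optional[float] = None) -> bool:
    """Check one recovery attempt and enforce the failure limit.

    A guessable category (a few thousand plausible city names) only stays safe
    if nobody can simply try them all, so after MAX_FAILURES wrong answers the
    record refuses every attempt, right or wrong, for LOCKOUT_SECONDS.
    """
    now = time.time() if now is None else now
    if now < record.locked_until:
        return False  # locked: do not even evaluate the guess
    if hmac.compare_digest(_hash(attempt, record.salt), record.digest):
        record.failures = 0
        return True
    record.failures += 1
    if record.failures >= MAX_FAILURES:
        record.failures = 0
        record.locked_until = now + LOCKOUT_SECONDS
    return False


if __name__ == "__main__":
    record = enroll("São Paulo")  # constructed sample answer
    print(verify(record, "sao paulo"))        # True: normalised match
    for guess in ("Lima", "Quito", "Bogota", "Santiago", "Caracas"):
        print(guess, verify(record, guess))   # five wrong guesses trigger the lock
    print(verify(record, "sao paulo"))        # False: locked even for the right answer
```

The lock is deliberately blind: while it is active the right answer is refused too, so an attacker cannot learn anything from the response, and the legitimate user simply waits. A production system would also key the limit on the account rather than a single in-memory record, and log the lockout for incident response.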
Good point, had not thought of that!
I love the idea of using a dummy answer with the changing variable.
Great concept, now to think of a decent combo :-)
Your 3 basic principles are very practical. I think if we can use our own mother tongue instead of English for the security question it might be harder to guess. Using a shameful experience to build a security question is a good idea.
Really, really helpful. These days, with increasing social networks, having good security is a must. I’d never thought about security questions as you did, and now I should reconsider my questions and answers. Making our own algorithm when there is no custom question is a great idea.
From a security standpoint, is there any advantage to using special characters in the answer (for those services that allow them, of course — Hotmail is one of the few that doesn’t)?
In my case I start where Danah Boyd above does: use one of the stock questions, but I provide a (hopefully) unguessable answer to it. E.g. “What’s your favorite food?” Answer: H0g@n’$ H3r()E5. (That’s a modified “Hogan’s Heroes.”)
I suppose one could have it both ways and simply add some special characters to Boyd’s middle term to beef it up a bit: $p0r+5T3@m, c@r, etc.
Scott,
Special characters will always make your passwords and even answers to security questions more secure. That’s if they are allowed. Alternatively, you can replace letters with numbers, for example.
Yes, it’s called “salting” your password, and it requires that a potential hacker use a much larger char-set for their hacking program (e.g. John the Ripper, Cain and Abel, etc.).
I’ve found that using the “Alt” key in conjunction with the number pad will give you characters that do not even appear on your keyboard (e.g. smiley faces, card suits from playing cards, etc.). Even better, I’ve found that these are not standardized across the industry, so keyboards from different manufacturers will have different characters, making it infinitely harder to crack a password. The char-set or rainbow table required to crack your password will be absolutely massive, and even programs that use “Time – Memory Trade-off” will take much longer to do their work. Someone using a brute force program will most likely give up after so much time has passed. In order to make this work you would press and hold the Alt key, then press and release a number, then release the Alt key. Then repeat the process for each following character. This may not work for every site you register with because some don’t allow special characters or restrict their use to just a few characters (not a very security-conscious practice; just plain lazy or cheap on the part of the website, in my opinion). Anyway, I hope this helps.
One possible downside to this process is that you might not be able to log in from a remote computer because of the different keyboard. But it’s great for your Windows password.
That’s what I thought when I read your comment. Might not be very practical.
Agreed, when I go on holiday I often find the @ key isn’t where it should be and the £ is missing.
tips are great!
Very good advice! Thanks a lot!
Dear Tina Sieber:
I do not know about your experiences, but Very Few sites that I have ever come across allow the user to write their own security question. And having been out of school for about 50 years, how in he77 is anyone to remember a teacher’s name, let alone one you got an A from?
Brian,
There are a few and they are getting more. I decided to write this article when I saw that some sites do allow custom security questions.
Also, the questions above are suggestions. You should of course pick a custom question you can remember the answer to, even 50 years down the line.
I guess I’ve only thought of passwords before, never passphrases or creating my own security questions. Here’s one I’ve remembered for 61 years and nobody, nobody, knows what it is but me: while working on a riverboat on the Mississippi River, we were dry docked in New Orleans. On the ferry across the river to visit the city, I was standing at the rail next to a fellow my age and he told me his name. I never saw him again, but I remember it to this day. Is that the kind of thing we’re looking for?
Exactly. An unhackable security question will be one with only one answer, an answer easy for you to remember, and one that only you can answer.
Mine: “Who badly disappointed you in 1961?”
Then you can use the answer for any question, e.g. where did you meet your spouse? Answer: Linda (not the actual person who disappointed me, obviously).
Absolutely! The more unique his name is, the more secure your question. If it’s a very common name, then it might not be a good option after all.
Was it rumpelstiltskin?
MY GOD! You GOT it!
I just can’t believe it!
I just had to do a password recovery at 123reg. I use LastPass for my logins so I knew I’d not screwed up. Either I’d been hacked or 123reg must be having a problem (which was the case).
So I had to remember the answers to my secret questions. Memorable date had me stumped but luckily I could provide enough other data items to satisfy the advanced login verification questions. However it got me thinking – where to record those secret Q&As. The answer was easy. LastPass can store more than just the Logon credentials (Username & password), there are additional options for “secure note” and while in there why not use some of the other options like Passport number – you could even add a scanned image of the photo page of your passport.
Having done all that – just remember that your LastPass could become the key to everything about you, so use a strong password, keep it safe, and beware of logging on in an insecure environment (public WiFi, internet cafe). Consider adding LastPass to Google Authenticator.
As always, great advice, Rob! It makes total sense to store your security Qs and/or the answers in LastPass.
What I hadn’t thought of is using LastPass for storing passport information. That could be very useful, but as you say, it could be disastrous should LastPass get hacked. To be honest, I’m not sure it’s a good idea.
Hmm, yes you’re right but then surely people who care enough about security to use something like LastPass will be smart enough to use that securely? Maybe my expectations are too high!
I’ve spoken to two businesses this week who have multiple accounts with all kinds of internet and email services. Not only do both use the same password for everything (because it’s easier…) but they both told me their (not very difficult) password without me asking for it.
Easier yet is to use a nonsense answer.
For example: “Pets name?” = dead dog
“Maiden name” = “Glub-Glub”
I love the idea of better security questions.
But I hate most of the better questions that are asked.
One major problem that seems to be often overlooked is that questions should ask about universal experiences and conditions.
For example:
mother’s maiden name – everybody has a mother
However:
pet’s name – some people have never had a pet
youngest sibling’s middle name – some people are only children
As for the three you mentioned:
Q) What is the name of the teacher who gave you your first A?
A) Honestly, I don’t remember a single grade I ever received as I haven’t been to school for 15 years. And I really didn’t care about grades much then.
Q) What is the name of the city where you got lost?
A) I’m not bragging, but I have a great sense of direction and never get lost.
Q) What is the name of the person whose middle name is Maria?
A) This one I think is the most universal. But still tricky. I can count on my hand the number of people whose middle names I know.
I often see sites with these “better” security questions and get incredibly frustrated because the questions rarely apply to me.
Lee,
The questions above are just examples. The strongest question is one you create yourself, following the guidelines.
Ah OK. Sorry, I was in web dev mode when I read this. I thought you meant these were questions you would recommend incorporating into a site being built. It would be nice if more sites let you ask and answer your own questions.
I’ve been known to use my dog’s full “you’re in trouble now” name. She’s the only one who knows it, and it’s long enough and unusual enough that no one has so far cracked or guessed it.
Interesting tips. Another good idea is to answer with an impossible or nonsense word. For example, question: what is your name? Answer: Napoleon.
Good idea, Paolo. However, if the answer is too simple, e.g. Napoleon being just one word, it could get cracked.
Security questions advice is good but even more I need assistance on formulating good passwords. I can’t remember them all, and many websites have differing requirements as to number of characters, case sensitivity, use of symbols, etc. Help!
MK,
We have written several articles on how to create secure passwords. Check out the articles listed here: http://is.gd/kLWItY
Great ideas concerning something everyone faces.
Very informative article. Will follow the instructions.
great!
Still susceptible to hacking because of the use of a combination of actual words.
A better approach may be to come up with a sentence that is relevant only to you and use the first letters of words, last letters of words, alternating those, or some other algorithm on that sentence as your password.
What if I forgot the Question???/ :/
You can’t really forget the question, it will be given to you. :)
What a great article! After becoming frustrated with keeping up with 50 different responses, I created an algorithm for both the login I.D. and the answers to security questions. For my passwords, I have a nonsensical sentence that I created, and I don’t even put spaces in between the words. Because each site has different requirements regarding the use of capital letters, numbers, etc., I made sure the sentence contained characters that would satisfy each condition. For example, it has one capital letter and two sets of numbers mixed in. Now I can easily log in but still feel pretty secure against hacking. Although, I loved your suggestions and think I’m going to change my formula to further decrease the odds of someone cracking it. So thank you for all of your research! However, it always amazes me that despite the quality of the piece, the broad appeal, or how applicable the information is, there are always comments that serve as nothing more than evidence against the authors that their motives were to write a condemning remark instead of actually reading for knowledge or fun!
It was very good advice. To make it more secure, I think it is best to substitute a couple of vowels with another character, e.g. uppercase or a number.
Even if you cannot choose or write your own question, nothing is preventing us from using our own answer. If you use a specific and completely private answer, it doesn’t matter what the question is.
Thanks for the heads-up, Alex. Spam removed.
thank you for the tip.
nice
Very creative, I may say!!
Well, don’t let any people around you when you are writing your question’s answer… common sense.
I really like the formula! Thanks! :)
This is really useful – thanks! I remember setting up a university email account for a fellow student way back in the pre-Internet days. I got it all set up, and then told him to enter in a password while I turned my back. He typed, I guessed his password – his last name. He erased and retyped – I guessed it again – his girlfriend’s name. Third time I guessed it again – his dog’s name! By this point he was utterly convinced I was psychic but it was really just a good early lesson in password security!
Nice article!
Great idea, just need to load another GB of memory (left brain or right brain?) and I am all set. I just need to simplify, get down to under 100 passwords, I’ve started typing my name like this: first_last#$%^&@email.com, I am not just Sam anymore.
very helpful
Dear Tina Sieber,
I also have some ideas…
We can also give totally unrelated answers to questions.
For example:
If the question is “What is your best friend’s name?”
Then the answer can be:
I love my dog.
Or if the question is “What was the name of the teacher who gave you an A in school?”
Then the answer can be:
I used to play football in my school.
Although it may be a little difficult to remember, it will be really hard to guess.
Henry,
That’s not a bad idea! I guess the key is that you won’t forget what your nonsensical answer to the question was.
A sensible concept, here are mine – please, feel free to try and hack my bank a/c with them!
(1) The title of the first LP you ever bought was …
(2) The street you lived on in 1973 was …
(3) Your UK landlord’s surname was …
Yes, it’s pretty easy really, to come up with secret questions that are unbreakable.