In recent weeks I have written a lot about how to make online accounts recoverable. A common recovery option is the security question. It offers a quick and easy way back into your account, but it is also a second, usually weaker, way in: anyone who can guess or research the answer can take the account over.
Some websites have realized that standard security questions, such as ‘What is your mother’s maiden name?’ or ‘What is your pet’s name?’, are far too easy to answer, even for strangers. If you have heard of the guy who hacked into dozens of celebrity email accounts, you will understand: he got into the stars’ accounts by guessing email addresses and passwords and by researching the answers to their security questions.
The same is happening to regular people, as a comment to one of my articles highlighted. A jealous spouse or an angry ex-partner can cause a lot of trouble if they gain access to your online accounts. It’s better to prepare for the worst and not give an ill-natured individual the chance to harm you. Fortunately, most websites now allow users to set custom security questions.
What Makes A Good Security Question?
First and foremost, you will want to pick a security question that is very hard to guess or find out, both for strangers and for people who know you well. On the other hand, the answer should be easy for you to remember. Keeping in mind that you may have to answer the question years from now, the answer should not change over time, or at least you should still be able to give it correctly, and spell it the same way, later on.
Let’s summarize these 3 basic principles:
- Principle 1: hard to guess or find out;
- Principle 2: easy to remember;
- Principle 3: doesn’t change over time.
Similar principles, more details on each, and examples of good and bad security questions can be found here:
- Good Security Questions
- How to pick a REALLY good security question
- Best Practices for Password Reminders and Security Questions
Additional Criteria For A Secure Security Question
Based on these basic principles, you can create fairly good security questions. Adding further criteria makes the question more robust still. For example, an ideal security question has many possible answers, but, in line with principle 1, only you know the true one. And while the answer should be hard to guess, it should still be short and simple: a long or complicated answer is hard to remember, and you may not type it exactly the same way the next time, which matters because most sites compare answers literally.
Finally, so as not to undermine principle 1, you should never give the answer away elsewhere, whether in a quiz, a social media thread or casual conversation. That takes either a conscious effort on your part or a question so unusual that nobody would think to ask it for fun.
To summarize, these are additional criteria for secure security questions:
- the question has many potential answers, but only one is clear to you (principle 1);
- the answer is short and simple (principle 2);
- the question is unlikely to be asked casually, e.g. in a game (principle 1).
Examples Of Good Security Questions
Good examples are hard to give because ideally, they will be very personal and not generally applicable to a lot of people. Nevertheless, below are three examples and why they make for good questions.
- What is the name of the teacher who gave you your first A?
If you ever got a particularly good or bad grade, you likely remember the subject and the teacher. Unless you boasted about it, that detail is very hard for someone else to find out. If you never received that grade, the answer could be something nonsensical, such as ‘never happened’; just make it a phrase you will reproduce exactly, and bear in mind that an obvious fallback like that is itself easy to guess.
- What is the name of the city where you got lost?
Provided this is a vivid memory and not a story you have shared far and wide, this makes for a great question. Generally, events you are embarrassed about and never told anyone make for great security questions.
- What is the name of the person whose middle name is Maria?
Most people rarely use their middle names, online or off, so this answer is hard to research or guess, and the question gives no hint about who is meant.
Creative Answers To Security Questions
A truthful answer can always be researched or guessed by somebody. To really raise the bar, especially on sites that don’t let you write your own question, you can do what blogger Danah Boyd of Apophenia recommends and create a personal algorithm for security questions: a fixed rule, known only to you, that turns any question into an answer. In other words, you create a master key for security questions, and the rule applied to the question produces the answer. That way you only have to remember the master key to answer any security question you will ever set up. Two caveats: if the rule produces the same answer everywhere, a breach at one site exposes your answers at all of them, so the rule should mix in something specific to the site or the question; and if you already use a password manager, the simplest option is to store a random answer there and treat it like a second password.
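As an added example (not from the original post, and not Danah Boyd’s own method), here is one way to implement such a personal algorithm in code rather than in your head: a memorised master secret plus an HMAC-SHA256 over the site name and the question text gives a different, unguessable answer per site and per question, while the only thing you have to remember is the master secret. The master secret, site names and question strings below are constructed for the example.

```python
import hashlib
import hmac
import string

# Added example: a "personal algorithm" for security questions expressed as code.
# Assumptions (not from the original post): the user memorises one master secret,
# and the answer for a given site and question is derived with HMAC-SHA256 keyed
# by that secret. Nothing here is stored; the answer is recomputed on demand.

# Lowercase letters and digits only, so the answer survives sites that lower-case
# or strip punctuation from answers before comparing them.
ALPHABET = string.ascii_lowercase + string.digits


def normalize(text: str) -> str:
    """Lower-case and collapse punctuation/whitespace so that a site re-wording
    the question slightly (curly vs. straight apostrophe, extra spaces) still
    yields the same derived answer."""
    cleaned = "".join(ch if ch.isalnum() else " " for ch in text.lower())
    return " ".join(cleaned.split())


def derive_answer(master_secret: str, site: str, question: str, length: int = 12) -> str:
    """Derive a site- and question-specific answer from one master secret.

    - Different sites or questions give unrelated answers, so an answer leaked by
      one site cannot be replayed at another (unlike one shared 'master answer').
    - The output is base-36 text, 12 characters by default (about 62 bits),
      far beyond any online guessing budget.
    """
    if len(master_secret) < 16:
        raise ValueError("master secret too short; treat it like a strong password")
    if not 1 <= length <= 40:
        raise ValueError("length must be between 1 and 40 characters")
    message = f"{normalize(site)}\n{normalize(question)}".encode("utf-8")
    digest = hmac.new(master_secret.encode("utf-8"), message, hashlib.sha256).digest()
    # Convert the 256-bit digest to base 36 digit by digit; because the digest is
    # far larger than 36**length, the resulting answer is effectively uniform.
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def demo() -> dict:
    """Show that one secret yields distinct answers per site and per question,
    and the same answer when only the wording of the question changes."""
    secret = "correct horse battery staple 2024"  # constructed; use your own
    q_mother = "What is your mother's maiden name?"
    return {
        "example.com / mother": derive_answer(secret, "example.com", q_mother),
        "example.com / mother (reworded)": derive_answer(
            secret, "Example.COM", "What is your mother’s  maiden name?"),
        "example.org / mother": derive_answer(secret, "example.org", q_mother),
        "example.com / pet": derive_answer(secret, "example.com", "What is your pet's name?"),
    }


if __name__ == "__main__":
    for label, answer in demo().items():
        print(f"{label:35s} {answer}")
```

Because the derivation is keyed, an attacker who learns one answer (for instance from a breached site that stored it in the clear) cannot compute the others, and the normalisation step means a site that re-words the question with a different apostrophe or extra spaces still produces the same answer. The trade-off against a purely mental algorithm is that you now need the script wherever you recover an account, so keep it somewhere you can reach it even when locked out.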
If this story made you wonder what else you can do to secure your online accounts, you may also find these articles helpful:
- 5 Steps You Should Take NOW To Make Your Email & Social Media Accounts Recoverable
- 5 Things You Can Do NOW To Secure Your Facebook Account & Make It Recoverable
- Get Secure: 5 Firefox Addons For Serious Password Management
Do you think your security question is unhackable? Do you dare to share it with us?