Why You’re Answering Password Security Questions Wrong

Gavin Phillips 27-10-2016

When we sign up to a new online service, we are invariably asked to create a password, and that password is the first thing standing between the world and the new account. If you’re sensible, you choose a long, completely random string, or let a password manager do the work for you. Next in the sequence comes security questions.


These questions usually ask for your mother’s maiden name, the name of your elementary school, the name of your first pet, and so on. They are presented as an extra line of defence, but in practice they are a recovery path: answer them correctly and you can reset the password, so the account is only as strong as the answers.

How do you answer those questions? Do you tell the truth, the whole truth, and nothing but the truth? Unfortunately, your truthfulness could be creating an unexpected chink in your online armor. Let’s take a look at exactly how you should be answering those questions.

A Protective Barrier

Password hints are undoubtedly helpful. Forget your Windows password and the hint you set is displayed after a single failed attempt. Because you chose the hint yourself, you can be as cryptic or as open as you like.

Security questions are different. We regularly face the familiar question combinations mentioned above and willingly provide accurate answers. They are presented as an additional line of defence, but consider how easy it is to obtain some of those answers in today’s ultra-connected society.

Security researchers regularly deride security questions as lackluster (see “How To Create A Security Question That No One Else Can Guess”). Can we have faith in a security measure whose answers can be so readily discovered?


I’m Doing It Wrong?

Attackers prey on the easy questions (colours, maiden names, first pets) because the answers are easily obtainable through social media accounts, or simply by trying the handful of common values most people pick. To make matters worse, a very specific question shrinks the space of plausible answers even further: the attacker can discard everything that doesn’t fit the question.

For instance, if the security question is “Where did you purchase your first car?”, the attacker can immediately disregard anything that isn’t a town or a dealership near where you grew up.

I’m sure you’ve already twigged the obvious solution to this security problem. If the attacker is looking for an answer that directly relates to you, why not use something completely different?

  • What is your mother’s maiden name? fa1c0npunc4
  • Where did you meet your spouse? b1cycl3tyr3
  • What was the name of your first pet? n0str0d4mu5

Okay, they’re terrible examples, but you catch my drift. If the answer is a) unrelated to you and b) random, you’ll immediately set the security bar of your accounts that bit higher (see “Have You Taken These 5 First Steps to Secure Your Accounts Online?”). The catch is that you won’t remember n0str0d4mu5 any better than an attacker can guess it, so store the answer in your password manager alongside the password.
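To put numbers on the difference between a truthful answer and a random one, here is an added example (mine, not the article’s) that compares the guess space of the “easy” question types named above with a random alphanumeric answer, and shows what to store in a password manager’s notes field. The candidate-list sizes for colours, surnames and pet names are assumptions for illustration, not survey data.

```python
import math
import secrets
import string

# Constructed candidate-list sizes for the "easy" questions the article names.
# These are assumptions for illustration, not survey data; a real attacker's
# list is frequency-weighted from breach dumps, which only helps the attacker.
CANDIDATE_SPACES = {
    "favourite colour": 12,          # assumed: a dozen common colour names
    "birth month": 12,               # exactly twelve possible answers
    "mother's maiden name": 5000,    # assumed: a top-surnames list
    "first pet's name": 1000,        # assumed: a top-pet-names list
}
ANSWER_ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def guess_space_bits(n_candidates: int) -> float:
    """Entropy in bits of an answer chosen uniformly from n_candidates."""
    return math.log2(n_candidates)


def blind_guess_success(n_candidates: int, attempts: int) -> float:
    """Probability a guesser hits a uniformly chosen answer within `attempts`
    tries, i.e. before a lockout. With no lockout, attempts is unbounded."""
    return min(1.0, attempts / n_candidates)


def random_answer(length: int = 20) -> str:
    """An answer with no relation to you, drawn from the OS CSPRNG.
    Alphanumeric only, since many reset forms reject punctuation or spaces."""
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


def vault_entry(site: str, question: str, length: int = 20) -> dict:
    """What to keep in your password manager's notes: the question text next
    to the random answer, so you can match them up at reset time."""
    return {"site": site, "question": question, "answer": random_answer(length)}


def compare(attempts_before_lockout: int = 3, length: int = 20) -> dict:
    """Bits of entropy and blind-guess odds for each truthful answer type
    versus a random answer of `length` alphanumeric characters."""
    rows = {}
    for name, n in CANDIDATE_SPACES.items():
        rows[name] = (guess_space_bits(n),
                      blind_guess_success(n, attempts_before_lockout))
    n_random = len(ANSWER_ALPHABET) ** length
    rows[f"random {length}-char answer"] = (
        guess_space_bits(n_random),
        blind_guess_success(n_random, attempts_before_lockout))
    return rows


if __name__ == "__main__":
    for name, (bits, p) in compare().items():
        print(f"{name:24s} {bits:6.1f} bits   p(hit in 3 tries) = {p:.2e}")
    print(vault_entry("example.com", "What was the name of your first pet?"))
```

A birth month gives an attacker a one-in-four chance within three guesses; the random 20-character answer sits near 119 bits, on a par with a strong password, which is the point of treating the answer as a second password rather than as a fact about you.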


And That Will Make Me Safe?

Safer, friend, but not entirely safe.

You see, in 2015, Google researchers published an interesting paper, “Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google” (Bonneau, Bursztein, Caron, Jackson and Williamson, WWW 2015), exploring the lessons they had learned concerning security questions. Using their almost unrivalled data set to analyze the secret questions answered by their monumental user base, they sought to understand just how effective this additional security layer is.

[Image: Google secret questions infographic snippet. Image credit: Google Blog]

Our analysis confirms that secret questions generally offer a security level that is far lower than user-chosen passwords. It turns out to be even lower than proxies such as the real distribution of surnames in the population would indicate.

Surprisingly, we found that a significant cause of this insecurity is that users often don’t answer truthfully. A user survey we conducted revealed that a significant fraction of users (37%) who admitted to providing fake answers did so in an attempt to make them “harder to guess” although on aggregate this behavior had the opposite effect as people “harden” their answers in a predictable way.

[Image: Google chart of reasons users gave for answering security questions falsely. Image credit: Research at Google]


Why do we attempt to lie, but then do it so badly? As you can see in the chart above, a sizable share of respondents (37% of those who admitted to lying) provided false answers in the belief that it would increase their security. We can then assume that the general public (albeit a tiny snapshot of an enormous database) do understand that security questions can and will be used against them; the trouble is that everyone “hardens” their answers the same way, so the fake answers cluster just as predictably as the real ones.

The Google research team ultimately conclude that security questions are either somewhat secure or easy to remember, but rarely both. Hence “while Google prefers SMS and email recovery, no mechanism is perfect.”

Unfortunately, Google declined to offer the true size of the database used for the study. However, they confirmed that “the data considered contains hundreds of millions of data points and each question analyzed had over 1 million answers.” Substantial figures, considering their estimated user base.

A Prime Example

In 2016, United Airlines rolled out a new, updated security scheme for its customer accounts. The old system relied on 4-digit PINs and was rightly deemed unsuitable for accounts potentially holding hundreds of thousands of dollars’ worth of frequent flier miles. The updated system requires users to enter a unique password, as well as answer five personal security questions.


Sounds good, right? Except United Airlines ask their customers to pick a strong, unique password, and then to answer the questions from a predefined set of answers. That’s right: predefined answers. For example, if you choose the question “In what month is your best friend’s birthday?”, a would-be attacker has, you guessed it, a mere twelve answers to work through. Tough times.

United reason that “the majority of security issues our customers face can be traced to computer viruses that record typing, and using predefined answers protects against this type of intrusion.”

Security researcher Brian Krebs spoke directly to United Airlines director of IT security intelligence Benjamin Vaughn. Vaughn said the company “was randomizing the questions to confound bot programs that seek to automate the submission of answers, and that security questions answered wrongly would be ‘locked’ and not asked again.”

As well as this, Vaughn confirmed to Krebs that multiple unsuccessful attempts would result in a locked account, after which the user must contact United Airlines directly to unlock it.

Conventional Wisdom

United Airlines identified a real weakness in the four-digit PIN, but their answer didn’t entirely solve the problem: predefined answers shrink the guess space, so the protection now rests on the lockout rather than on the answers themselves. As we have seen, the only truly safe way to answer a security question is, much like a password, to provide something unique and random, and to keep it in your password manager. A random answer cannot be looked up on your social media profile or guessed within a handful of attempts, so an attacker’s only option is to move on to an easier account.

The finding that the general public is suffering from security fatigue is important because it has implications in the workplace and in people’s everyday life. It is critical because so many people bank online, and since health care and other valuable information is being moved to the internet.

If people can’t use security, they are not going to, and then we and our nation won’t be secure.

— Cognitive psychologist and Security Fatigue co-author, Brian Stanton

Alas, security fatigue is a very real problem. Users are increasingly tired. Security breaches and forced password resets are now so common that many users simply ignore alerts, and this fatigue leads to risky behaviour both at home and in the workplace.

We’ve written extensively about overcoming security fatigue (see “3 Ways to Beat Security Fatigue and Stay Safe Online”). Give it a read, and take back control of your security questions!

How do you answer your security questions? Have you hit the sweet spot? Or do you use a password management app? Let us know your security question tips below!


  1. ReadandShare
    October 27, 2016 at 5:21 pm

    The right way to set up security questions / answers: FIRST think up a nonsensical word - say, bubalu. Now, for all your security answers...

    1. What is your favorite color? bubalucolor.
    2. Who was your favorite teacher? bubaluteacher.
    3. Which city did you live in when you were ten? bubalucity.

    Mention bubalu to no one.

    • sleightahand
      October 28, 2016 at 4:41 pm

      YES, this works for passwords too. babaluyahoo. babaluamazon etc

    • Gavin Phillips
      November 2, 2016 at 3:09 pm

      You should send me your email address so I can do a security audit for you xD now that I have your secret word. But don't worry, I won't tell anyone...

  2. jacky risham
    October 27, 2016 at 4:14 pm

    thanks for sharing a great post
    remove background from image

    • Gavin Phillips
      November 2, 2016 at 3:10 pm

      Thanks, Jacky.

      What did you mean by "remove background from image" though?