With so many online accounts to manage these days, you can’t blame people for forgetting their passwords now and then.
A 2021 study of American users showed that at least 63% are locked out of 10 online accounts per month. And sadly, these users will waste unproductive minutes resetting their passwords and regaining access.
A common method to recover a forgotten password is to answer security questions.
It’s a simple yet effective way for websites and apps to verify your identity and make sure you are the one requesting the changes. However, not all security questions are created equal; some can be easily guessed or hacked by malicious actors.
In this article, we’ll help you stay protected online by discussing what differentiates a good security question from a bad one.
We’ll share a few examples so you’ll know exactly what to look for when setting up your own accounts.
What Is a Security Question?
A security question is a type of authentication prompt used by websites and applications to confirm the identity of users.
It usually involves a user answering an already-defined question, such as “What was your mother’s maiden name?” or “Where were you born?”
The idea is that the answer should be something only you know.
Security questions are widely used because they can be easily answered, even if someone has forgotten their login credentials. However, this convenience comes with certain risks.
If someone else knows the answers to your security questions, they can reset your passwords and gain access to your accounts.
Types of Security Questions
Security questions fall into two main types.
User-defined Security Questions
These are questions a user creates themselves or chooses from a list provided by the website or application. It could be anything from a pet’s name to their first job.
With this option, users have more control over the security of their accounts, as they can create their own questions that are difficult to guess.
However, many users make the mistake of choosing poor security questions or providing weak security answers.
System-defined Security Questions
These are questions created by the website or application based on information from the user’s profile.
For example, a system-defined security question could be “What is your date of birth?” or “What country are you from?”
In this method, service providers bank on the assumption that a user’s personal details are challenging to guess or hack.
Unfortunately, this sometimes backfires. Depending on how much information you publicly share, it may be easy for hackers to find answers to these questions.
How Cybercriminals Can Exploit Security Questions
Cybercriminals are always looking for new ways to steal people’s identities and access their accounts.
Security questions, unfortunately, can be easy targets for criminals because the answers may be easily guessed or found through social engineering techniques.
Social engineering refers to the extensive research that some hackers perform to obtain personal information about their targets, such as full name, address, and date of birth.
For example, if someone knows your name and city of birth, they could use that information to answer a security question like “What was your first school?”
Criminals can also exploit security questions by using social media posts and public records to determine the answers.
For instance, if you have posted about a recent vacation on Instagram or Facebook, a criminal might be able to guess the answers to questions about your favorite travel spots.
This is why thinking up good security questions involves more than finding questions you can answer quickly. It is about ensuring the answers are not easily searchable or deduced from the information you share publicly.
Characteristics of a Good Security Question
For security questions to be effective, they need to meet certain criteria. Here are some of the characteristics that make good security questions:
A strong security question should be something that an attacker can’t guess. If an attacker can guess your answer, it’s not secure enough and must be changed.
Avoid using questions about basic personal information such as birthdays, addresses, or phone numbers; hackers can often find this information online.
Security questions should be easy to remember; otherwise, it defeats the purpose.
You don’t want to struggle every time you need to answer them! But more than anything, the answers should be something only you would know.
Hackers would have a more challenging time if the question has many potential answers.
Questions that are open-ended or contain multiple possibilities are more secure than those with just one or two solutions.
The answers to your security questions should stay the same over time. Otherwise, the questions become useless, and you’ll have a difficult time trying to recall the answers.
Although it’s important to think of a question with many possible answers to throw hackers off, it should also be something you can answer the same way each time.
While having a whole phrase as an answer can be more secure, it can also be a hassle for the user.
Simplicity is key when it comes to security questions so that users don’t get frustrated trying to remember the answer.
Examples of Good Security Questions
Now that you know the characteristics of a good security question, let’s look at some examples.
Notice that these questions invite static answers while still being unpredictable to threat actors.
- What was the title of the first book you read?
- In what city did your parents meet?
- Who was your first crush?
- What was the first album you ever bought?
- What is the middle name of your least favorite teacher?
- What was the first concert you attended?
- What was the name of your first stuffed animal?
- What street did you live on in third grade?
- What was the name of your childhood best friend’s pet?
- Who did you have a fight with in fourth grade?
Security Question Mistakes to Avoid
When setting up security questions, be mindful of what you are using.
Here are some common mistakes that people make when creating their security questions, which can compromise their accounts:
Using easily guessable answers
As mentioned before, the answers to your security questions should not be information that can easily be found online or guessed by someone else.
This includes personal details such as birthdays, addresses, and phone numbers.
Using sensitive information as answers
The answers to your security questions should not be information that hackers can exploit in other ways.
Refrain from using your bank account numbers, Social Security numbers, and credit card details as answers.
Reusing the same security question
You should never use the same security question for multiple accounts; otherwise, a hacker could gain access to all of your accounts with just one answer. Take advantage of multiple security questions with different answers for each account.
Not renewing security questions
You should review your security questions and answers periodically to ensure they are still secure. If you think an answer has been compromised, it’s best to change it immediately.
Examples of Bad Security Questions
Below are some examples to give you an idea of what a poor security question looks like. We’ll also explain why you should avoid those questions.
When is your birthday?
While this is personal information, hackers can easily deduce this by exploring your social media accounts.
What is your favorite color?
This question may seem to have many possible answers, but in practice most people pick from a small set of common colors, so it is still easy to guess.
What is your mother’s maiden name?
This question relies on information that can easily be found online or guessed by someone who knows you. It should never be used as a security question.
What is your favorite movie?
This is a question with an answer that can change over time. It may leave you with an outdated response that you might not remember when resetting your password.
What is your bank account number?
This question invites malicious hackers to exploit your financial information. It is best to avoid using sensitive data like this as a security question answer.
What is your favorite life quote?
Not only can the answer to this question change over time, but it also requires you to recall a phrase or a complete sentence. Remember to keep your answers simple yet still unique.
What sports team do you love to see lose?
This is another example of a question you may not recall the answer to. Although it is secure enough that a hacker may not be able to guess in a few tries, you should still consider your ability to remember it.
Best Practices for Security Questions
You can secure your online accounts further by following certain best practices regarding security questions.
Consider these tips:
Use special characters
If your service provider allows it, replace letters with special characters in your security answers.
For example, replace “A” and “a” with “@” or use asterisks (*) instead of underscores (_). This makes it harder for hackers to guess the answer to your question.
Give fake answers
Why not invent answers to your security questions? You can make them as wild and crazy as you want, just so long as you remember the answer.
Let’s say the security question is, “What is your mother’s maiden name?” Instead of giving the correct answer, you could provide a fake one, such as “unicorn” or “rainbow.”
It could even be an inside joke between you and the subject of the question. This is a great way to ensure that no one else can guess the correct answer.
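As an added illustration (not code from the original article), the following Python script puts numbers on the “many possible answers” point from the characteristics section and on the fake-answer practice above: it estimates the guessing work for a few common questions using constructed answer-space sizes, and generates a random fake answer with Python’s secrets module. The answer-space counts and the word list are assumptions made for the example.

```python
import math
import secrets

# Constructed, order-of-magnitude estimates of how many plausible answers each
# common question has. They are illustrations for this example, not survey data.
ANSWER_SPACES = {
    "What is your favorite color?": 20,             # people pick from a few common colour names
    "When is your birthday?": 366 * 100,           # day of the year times a plausible span of years
    "What is your mother's maiden name?": 50_000,  # rough count of surnames an attacker would try
}


def guess_bits(space_size: int) -> float:
    """Bits of work to guess an answer drawn uniformly from `space_size` choices.

    Each extra bit doubles the number of guesses needed. A small space can be
    exhausted by automated guessing unless the service rate-limits attempts.
    """
    if space_size < 1:
        raise ValueError("an answer space must contain at least one answer")
    return math.log2(space_size)


def fake_answer(words, count: int = 4) -> str:
    """Build a made-up answer from `count` words chosen with the CSPRNG in `secrets`.

    This is the 'give fake answers' practice: the result has no connection to
    your life, so research and social media cannot reveal it, and it belongs
    in a password manager rather than in memory.
    """
    if count < 1 or not words:
        raise ValueError("need at least one word and a non-empty word list")
    return "-".join(secrets.choice(words) for _ in range(count))


def fake_answer_bits(wordlist_size: int, count: int) -> float:
    """Guessing work for a fake answer of `count` words drawn from `wordlist_size` words."""
    return count * guess_bits(wordlist_size)


if __name__ == "__main__":
    for question, size in ANSWER_SPACES.items():
        print(f"{question:38s} ~{guess_bits(size):5.1f} bits")
    # A constructed word list; a real generator would draw from several thousand words.
    words = ["unicorn", "rainbow", "lantern", "glacier", "walnut", "compass", "velvet", "meteor"]
    print("generated fake answer:", fake_answer(words))
    print(f"4 words from a 7776-word list: ~{fake_answer_bits(7776, 4):.1f} bits")
```

The script shows why a random fake answer stored in a password manager beats any true answer: the guessing work depends only on the generator, not on what an attacker can learn about you.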
Use multiple security questions
As previously stated, reusing the same question across multiple accounts is a no-no. If a hacker guesses the answer to your security question, they can attempt to use the same response across all your accounts.
Avoid this risk by setting up multiple security questions that require different answers.
Change your security questions periodically
Cybercriminals find new ways to hack accounts every day. Stay one step ahead by renewing your security questions every few months.
Alternatives to Security Questions
Security questions are just one of the many ways to protect an online account. Recent technologies have made it possible to use more robust alternatives for authentication.
For maximum security, consider pairing these methods with your security questions:
Many users resort to security questions because they have forgotten their passwords. To avoid this situation, you can store your credentials securely using a password manager.
Review our list of best password managers to find one that fits your needs.
Multiple passwords may be hard to remember, but you create a bigger risk if you use the same password for each account.
To ensure that no two passwords are alike, use a password generator to create unique and randomized combinations of letters, numbers, and symbols. Then, you can store these passwords in your password manager for safekeeping.
Two-factor authentication (2FA) is an extra layer of security that requires you to enter two different types of information before accessing an account.
These could be your password plus a code sent to your phone or email address.
Biometrics uses your unique physical features (e.g., fingerprints, facial features, voice) to verify your identity.
Most modern devices have this feature built-in, and it can be used in addition to a password. This is a strong method of authentication since biometrics are impossible to replicate.
A Virtual Private Network (VPN) is a great way to encrypt your internet traffic and prevent unauthorized access.
A good VPN will also provide an extra layer of privacy so that your identity stays hidden even when you are connected to public Wi-Fi networks.
Security questions are a convenient way to access your account when you can’t remember your password, but they also present a security risk if they are not set up correctly. To protect yourself online, choose strong and unique questions that are hard to guess or hack.
Furthermore, security questions should not be used as the sole authentication method. Instead, consider using stronger alternatives such as a password manager and two-factor authentication whenever possible.
By following these best practices for security questions, you’ll have peace of mind knowing that your online accounts are secure and protected from malicious actors.