“What’s your mother’s maiden name?” How many times have you been asked to answer this question when you create an account? Do you give the right answer? Let me explain why you shouldn’t give the correct answer to this or any other security question.
How many people know your mother’s maiden name?
How many people know your favorite color?
How many other people have the same favorite color as you?
The problem with the answers people choose for security questions is that they’re too easy to guess.
An analysis by Google and Stanford in 2015 found that most users’ answers were insecure. They could be easily guessed or found through basic research. There’s no reason to think things have improved since 2015. Here are some of the problems summarized in the report:
Questions with common answers. Many personal knowledge questions have common answers shared by many in the user population which an adversary might successfully guess. Schechter et al. were able to guess approximately 10% of users’ answers by using a list of other answers provided by users in the same study.
Questions with few plausible answers. A number of potential questions, such as “who is your favorite superhero?” have very few possible answers. An empirical study … found that 40% had trivially small answer spaces. User-chosen questions appear even worse: … the majority of users choose questions with trivially few plausible answers.
Publicly available answers. Rabkin found that 16% of questions had answers routinely listed publicly in online social networking profiles. Even if users keep data private on social networks, inference attacks enable approximating sensitive information from a user’s friends. Other questions can be found in publicly available records. For example, at least 30% of Texas residents’ mothers’ maiden names can be deduced from birth and marriage records.
Social guessing attacks. Users’ answers may be easily available to partners, friends, or even acquaintances. … acquaintances could guess 17% of answers correctly in five tries or fewer.
You might think, “Well, security questions only matter if I lose my password and need to get back into my account.” But that’s overlooking the fact that anyone can try using your security questions to reset your password and log into your account.
How to Increase Your Security
You don’t want to use answers that others could guess or figure out through research. The best way to do this is to provide false answers. It turns out that many people already do this. The Google and Stanford report mentioned above says,
we found that a significant cause of this insecurity is that users often don’t answer truthfully. A user survey we conducted revealed that a significant fraction of users (37%) who admitted to providing fake answers did so in an attempt to make them “harder to guess” although on aggregate this behavior had the opposite effect as people “harden” their answers in a predictable way.
For example, when asked “What city were you born in?” people try to be clever and give an incorrect city. But, they tend to choose a city that many others also chose (whether they did so honestly or not), such as Paris.
If the question is “What city were you born in?” don’t use a less popular or fictional city (such as “Minas Tirith”) and think you’re being clever. Others are likely to use the same answer (though not as many as will use “Paris”). Instead, use a word or words that don’t answer the question at all, such as “magnet” or “Megatron” or, even better, “urBFbaFv3HMl”.
Be sure to choose answers that it’s extremely unlikely someone else would use. You can even let your password generator — I use LastPass (aff. link) — create an answer. However, be aware that some websites don’t allow special characters in security questions. Some don’t even allow spaces, so you can’t use more than one word (although you could always smash multiple words into one string of text). Also, consider that you may need to give your answers over the phone. For example, I have a financial account for which I used a long, randomly-generated answer that contains special characters. There have been several times that I’ve needed to spell it over the phone, which is a pain.
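As an added illustration of the two paragraphs above (this is not code from the original post): a small Python script that generates a nonsense answer within an assumed site policy (symbols allowed or not), a word-based variant you can read over the phone, and a check against a constructed list of the common answers the post warns about. The policy flag, the word list and the common-answer list are all assumptions made for the demo.

```python
import math
import secrets
import string

# Constructed sample of the "common answers" the page warns about: popular
# real cities plus the "clever" fictional ones that many users reuse.
COMMON_ANSWERS = {"paris", "london", "new york", "minas tirith", "gotham", "hogwarts"}

# Constructed word list for phone-readable answers. Only 16 words here for the
# demo; a real list should have thousands, or the answer is trivially guessable.
PHONE_WORDS = ["magnet", "copper", "velvet", "saddle", "lantern", "pebble",
               "walnut", "marble", "ribbon", "falcon", "cactus", "harbor",
               "tunnel", "meadow", "anchor", "bishop"]

def site_alphabet(allow_special=True):
    """Characters the site's form accepts (assumed policy flag; many sites
    reject symbols, so the caller passes allow_special=False for those)."""
    chars = string.ascii_letters + string.digits
    return chars + "!@#$%^&*-_" if allow_special else chars

def generate_answer(length=16, allow_special=True):
    """Random nonsense answer that does not answer the question at all."""
    chars = site_alphabet(allow_special)
    return "".join(secrets.choice(chars) for _ in range(length))

def generate_phone_answer(n_words=4, separator=""):
    """Words smashed together (no spaces needed): easy to read aloud,
    but weaker per character, so use more words from a larger list."""
    return separator.join(secrets.choice(PHONE_WORDS) for _ in range(n_words))

def entropy_bits(choices, picks):
    """Strength against brute-force guessing: picks * log2(choices)."""
    return picks * math.log2(choices)

def on_guess_list(answer):
    """True if the answer is one an attacker's common-answer list would hold."""
    return " ".join(answer.lower().split()) in COMMON_ANSWERS

if __name__ == "__main__":
    a = generate_answer(12, allow_special=False)
    print(a, round(entropy_bits(len(site_alphabet(False)), 12), 1), "bits")
    p = generate_phone_answer()
    print(p, round(entropy_bits(len(PHONE_WORDS), 4), 1), "bits")  # only 16 bits
    for candidate in ("Paris", "Minas Tirith", a, p):
        print(repr(candidate), "on guess list" if on_guess_list(candidate) else "not on list")
```

The entropy figures make the trade-off visible: twelve alphanumeric characters give about 71 bits, while four words from a 16-word list give only 16 bits, which is why a phone-friendly answer needs a large word list.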
Some websites let you create your own security questions. If this is an option, do it! Be sure to make your questions nonsense, too, and irrelevant to your answers. For example:
You may ask, “How am I supposed to remember these nonsense answers?” You don’t need to. Save them in your password manager. I store my passwords in LastPass (aff. link), and I use the Notes field to store the security questions and answers.
Even if you come up with answers that you love, resist the urge to use them again. Don’t reuse answers from site to site, just as you shouldn’t reuse passwords from site to site. If someone discovers one of your answers, they’ll try it on other sites.
Some websites allow you to use multi-factor authentication (they may call it two-factor authentication). This is when you use an app (best option) or SMS/text messages (next best option) to verify your identity. If you have the choice, use this instead of security questions.
- Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google (google.com)
- New Research: Some Tough Questions for ‘Security Questions’ (googleblog.com)
- Time To Kill Security Questions—or Answer Them With Lies (wired.com)
- Crack the “Security Question” Code: 5 Tips for Creating the Most Secure Online Passwords (mensjournal.com)
- Use Fake Answers to Online Security Questions (lifehacker.com)
What You Should Do
- Create nonsense answers to security questions. A random string of letters and numbers (and special characters, if allowed) is better than a real word.
- If given the option, create your own security questions rather than choosing from provided questions. Make your questions nonsense, and irrelevant to your answers.
- Save questions and answers in your password manager.
- Don’t reuse answers on other accounts.
- If given the option, use multi-factor authentication instead of security questions.