How to choose strong security questions
Security questions are a long-standing secondary technique to authenticate users. Such identity verification can require anything from the city or town you were born to your preferred musical genre. However, these secret questions are susceptible to many threats.
Experts highlight multiple requirements for security questions. They should be stable, memorable, unknown, and stored appropriately. After all, this authentication method mirrors many dangers applicable to passwords.
Data breaches could expose them, or users might deliberately reveal them through social media or seemingly casual conversations. So, follow the guidelines below to pick the best security questions and keep answers safe.
What are security questions?
Security questions represent an authentication method frequently used for processes like account recovery. Users can only reset their passwords by answering predetermined questions correctly.
Login attempts can also call for entering the question-password combination. However, this authentication strategy has severe flaws, and if used, it needs to follow modern rules.
In most cases, two-factor authentication is a superior option for adding another security layer to your account. In fact, many services no longer include security questions as a trusted authentication factor.
Most common security questions
You can notice many variations of security question options. However, you might have used or heard about the following ones:
- What is your mother’s maiden name?
- What is the name of your first pet?
- What model was your first car?
- What is your father’s middle name?
- What was your school’s mascot?
- What is your favorite sports team?
- What is the first book you have ever read?
- What is the name of your first school teacher?
- When was your oldest sibling born?
Here is how the security question selection can look. You should also be able to set custom questions.
Most of these security questions have definite answers that stay the same. However, it is not difficult to dig out truthful personal facts about someone. Interested parties can use various tactics for figuring out your first book or favorite sports team.
Requirements for security questions
The chosen security question should have a balance between strength and memorability. However, more factors should influence the preferred questions.
- Memorable. You need to remember the answer even years after setting it. However, you could treat it as a password and save it in password managers. Then, it will always be accessible.
- Confidential. Your security question needs to be a secret. Its answer should not be available anywhere on the internet. Furthermore, avoid mentioning it during conversations, offline and online.
- Secure. It should be impossible to guess the correct answer. For example, some questions can have widely popular answers, like favorite food or music genres. Also, some cultures have highly common names, which could help guess name-related questions.
- Many possible answers. The chosen security question should have many possible answers.
- Fixed answer. The answer should not change over time. However, even if it does, you should remember your answer or store it securely.
Concerns regarding security questions
Security questions nurture the simplicity idea, hoping account management is as user-friendly as possible. Thus, the question-password pairs usually aim to facilitate quick logins, and password or MFA token recoveries. However, simplicity can be an enemy of security, opening unnecessary venues for account takeover or hacking.
Usually, security questions are rarely memorable and secure. The common route is picking answers that users know by heart.
However, Google published an analysis on security questions and their reliability in 2015. From this, we can draw multiple conclusions regarding the usability and reliability of security questions:
- Memorable and simple answers are not secure, as attackers can guess them. For instance, perpetrators have a nearly 20% chance of guessing the favorite food of English-speaking users on the first try.
- Difficult answers are not as user-friendly, making them less convenient than popular 2FA methods. So, if you choose secure ones, you might forget them over the years.
- Google also concluded that faking answers to security questions is not a safe practice. It can increase the chances of forgetting the correct answers. Additionally, people might choose answers as jokes or accidentally pick the most commonly used ones.
Some things to consider when setting security questions:
What are the chances of an attacker finding the answer online?
It is a liability if you have publicly shared the personal information used in security questions. Anyone can retrieve it and attempt to take over your accounts.
What are the chances an attacker can guess the answer?
National characteristics or general tendencies can help criminals guess answers to security questions. Thus, consider whether your chosen answer could be popular in your region.
Should you provide honest answers to security questions?
Providing fake answers to a security question has its pros and cons. Bogus answers mean attackers won’t find them online, as you will likely provide accurate responses elsewhere. However, it also means you can forget the fake answer.
Should you add one security question or multiple ones?
Some services let you set several security questions. These additional obstacles minimize the chances of an unknown attacker answering each question correctly.
However, 3-4 questions prolong the login or password recovery process. Furthermore, users are in danger of forgetting one answer and losing access to their accounts.
Ditch security questions: account protection alternatives
Using a security question on accounts is no longer the go-to authentication method. Even if you use them, they should accompany other account protection strategies. However, security questions can be an option if a service does not support 2FA.
- Create strong and unique passwords. Each account should have a dedicated password.
- Use 2FA or MFA. Two-factor authentication can facilitate secure logins in a much more convenient way. It generates temporary codes that serve as second passwords to your account.
- Do not provide unnecessary information on your profile. A service should know as little about you as possible. For instance, some personal details can be unnecessary and simply present more dangers in case of data breaches.
- Add a backup email address or phone number. Restoring passwords when you lose access to your main email account can be a pain. So, add backup information to restore lost access without security questions.
- Store passwords in password managers. These applications can protect devices and keep passwords safe.
- Install a Virtual Private Network. A VPN is a tool that can help you add another layer of security to your accounts. It is specifically helpful during login processes, ensuring that the information transfers happen via secure connections.