Password Tip #4: Security Questions

Security questions seem like a really good idea. They are this little backdoor just in case you forget your password — they let you get back into the system.

What was your first pet’s name?

Where were you married?

What is your mother’s maiden name?

With the rise of social media sites and online databases, this information is EXTREMELY easy to come by.

Using these security questions can greatly undermine your online security. Sarah Palin’s Yahoo email was “hacked” this way in 2008. The would-be hacker looked up biographical details and used them to request a password recovery. Wizo! Bango! In we go! The average computer-literate 10-year-old is probably smart enough to pull this off.

I would recommend treating security questions like passwords. Treat them with the same respect. Maybe even more. They are less likely to be stored in a secure manner than passwords.

If you’ve read my previous tip on writing down passwords, I would use that technique for security questions. Put the security questions in your password manager and use unique random answers for each question/site.

What is your mother’s maiden name?

2D9XtS~zd^sX_p]vrN!p

That’s my answer!
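One way to generate answers like this and check a set of stored answers for reuse, as an added example that is not part of the original post. The site names, questions and function names are constructed for illustration, and the case-insensitive comparison in the reuse check is an assumption about how sites compare answers.

```python
import math
import secrets
import string
from collections import defaultdict

# 94 printable, non-space characters, the same style as the sample answer above.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def new_answer(length=20, alphabet=ALPHABET):
    """Return a random answer drawn from the OS CSPRNG via `secrets`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length=20, alphabet=ALPHABET):
    """Bits of entropy in a uniformly random answer of this length."""
    return length * math.log2(len(alphabet))

def build_vault(questions_by_site):
    """Map every (site, question) pair to its own fresh random answer."""
    return {(site, q): new_answer()
            for site, qs in questions_by_site.items() for q in qs}

def reused_answers(vault):
    """Return answers that are stored under more than one site."""
    sites_by_answer = defaultdict(set)
    for (site, _question), answer in vault.items():
        # Assumption: sites compare answers ignoring case and outer spaces.
        sites_by_answer[answer.strip().lower()].add(site)
    return {a: sorted(s) for a, s in sites_by_answer.items() if len(s) > 1}

# Constructed sample input: placeholder sites and their questions.
SITES = {
    "bank.example": ["What was your first pet's name?", "Where were you married?"],
    "mail.example": ["What is your mother's maiden name?"],
}
# Constructed "before" vault: one true answer reused on two sites.
WEAK_VAULT = {
    ("bank.example", "What was your first pet's name?"): "Rex",
    ("mail.example", "What was your first pet's name?"): "rex",
}

if __name__ == "__main__":
    vault = build_vault(SITES)
    for (site, question), answer in vault.items():
        print(f"{site} | {question} | {answer}")
    print("reused in weak vault:", reused_answers(WEAK_VAULT))
    print("reused in new vault:", reused_answers(vault))
```

If a site rejects punctuation in answers, pass a smaller `alphabet` and a longer `length` to keep the entropy up.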

If you don’t want to use a password manager, then I would suggest having three standard answers that are in fact passwords (and different from your real passwords), one for each group of sites. Divide your sites/applications into:

  • Financial
  • Sensitive
  • Not Important

Write these answers down (probably with your other passwords) and store them in a safe deposit vault or safe designed to hold sensitive documents.

Any email account you can use to perform a password reset to a financial or sensitive system should be treated with the same care.