The Blog

How to Avoid the Surprising Risks of Password Security Questions

What makes a question like, "What is your favorite sports team?" a security risk? Isn't answering it supposed to enhance your security? Actually, such questions aren't intended primarily to enhance your security.
This post was published on the now-closed HuffPost Contributor platform. Contributors control their own work and posted freely to our site. If you need to flag this entry as abusive, send us an email.

Your favorite pet's name can be hazardous to your online security. That's the message security expert Jim Fenton delivered in a talk I recently attended at PasswordsCon.

What makes a question like, "What is your favorite sports team?" a security risk? Isn't answering it supposed to enhance your security? Actually, says Fenton, such questions aren't intended primarily to enhance your security. On the contrary, Websites make you answer them because it gives them a cheap way to be able to reset your account when you forget your password.

And don't mistake a security question for a strong security-enhancing technique like two-factor authentication, which is growing in popularity. In two-factor authentication, besides your password, the second component you supply to prove your identity must be something entirely different, such as a fingerprint or a code that the site sends to your mobile phone.

Why They're Risky

In fact, an answer to a security question can easily be far less secure than a properly chosen password. A piece of information such as the name of your high school, or favorite color, violates several of the rules we are supposed to follow when we choose passwords:

  • It's made up of dictionary words.

  • It's not especially secret (e.g. it's often shared on social networks like Facebook, or known by friends and family).
  • It will be identical across all the web sites at which you use it.
  • Personal information can also be relatively easy for an unauthorized person to obtain:


    Above are some of the ways Fenton showed that someone could track down such personal information as your high school or the hospital in which you were born. And some information that might be not available online could nevertheless be easily guessed by using online lists of favorite baby names, popular car colors, or the most common street names in each of the 50 states.

    Part of the problem with many security questions is that they are designed more to get an answer that's easy to remember than one that's secure. While that approach is understandable, there's still no excuse for such poorly designed questions as "What is your favorite season?" (how many possible answers could there be?), or "Who is the first President you voted for?" (easy to guess from your age). These two examples are drawn from a sometimes amusing collection of actual security questions that Fenton has compiled. He invites you to submit other examples.

    How To Minimize Your Risk

    • Choose the best question. If you're offered a choice of questions, choose one that's less susceptible to guessing or research, while steering clear of weak ones such as your mother's maiden name or your favorite sports team. If you are permitted to make up your own question, consider doing so. But don't make up one that's just as weak. Have it ask for information that you've never shared.

  • Make up an answer. You probably didn't realize this, but you can do what many security professionals do--make up any answer you like to a security question. Web sites don't validate them the way they do other information you enter into forms, such as your zip code or phone number. So, for example, you could say that your favorite sports team is "breakfast" or that the city in which you were married was "tranquility." Just make sure that you use something that you will remember (or store it in a safe for an emergency).
  • Use a password manager. You can avoid having to answer security questions by using a password manager such as Dashlane, LastPass, KeePass, an approach some security pros use. Sure, the password manager might respond to a security question with a meaningless answer like 3%Tk+H2sx_QPb. But who cares, so long as it provides that same answer whenever it's needed? I haven't used any of these three password managers myself to answer security questions, so examine their features, or check out other password managers, and do a trial test of any product you find suitable before using it on any important accounts.
  • Before You Go

    Popular in the Community