Have you ever forgotten the password to one of your online accounts and clicked on the “Forgot password?” link in order to reset your password?
If so, you might have been prompted to input the answer to the security question(s) you created when you opened the account.
Security questions are intended to identify you as the legitimate account owner in the event that you forget your password and need to reset it.
What’s more, they are also sometimes used as a second level of security to augment the security provided by the password. If you can’t answer the security question(s), you won’t be allowed to log in to the account, even if you know the password.
The concept is a good one, but if used incorrectly it can leave your account wide open to hackers and scammers.
How so? Well, let's look at an example:
A common security question that many people choose is “What is your mother’s maiden name?”
If you think about it, there are probably dozens (if not hundreds or even thousands) of people who know the answer to that question.
Just think about all the family members, friends, friends of friends, co-workers and even casual acquaintances that might happen to know who your mother’s parents were.
What’s more, even a total stranger can sometimes do a simple Google search and discover a lady’s maiden name simply by reading an online obituary.
The same vulnerability applies to other types of security questions as well, such as “What is your youngest nephew’s name?” or “What is the name of the first school you ever attended?”
As you can see, security questions can be absolutely useless when it comes to serving their intended purposes if used incorrectly.
By now you’re probably wondering how to use them correctly, right?
Well, the answer is simple: LIE!
I know, lying is a bad thing, but in this case you need to think of it as a means of thwarting potential crooks, not deceiving someone who has a legitimate interest in the veracity of the answer to one of their questions.
Here’s what I recommend you do when setting up a security question for future use: Choose a common question, but select an answer that has absolutely no actual relevance to that question.
For example, if you choose to answer “What is your mother’s maiden name?”, choose an answer like “LittleRedDrummerBoy”. Notice that I left out the spaces between the words.
Of course I realize that remembering to answer “LittleRedDrummerBoy” or any other bogus answer in response to a query regarding your mother’s maiden name can be difficult, but it doesn’t have to be.
Simply use the same security question and answer for all of your online accounts. That’s what you would do anyway if you provided the real answers to the questions, right?
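As an added illustration (not part of the original post), here is a small Python script that builds an answer of the kind described above: several unrelated words picked at random, joined without spaces, so the result is tied to nothing anyone could look up. The word list is a constructed sample and the function names are my own; it also reports how many bits of guessing-work such an answer carries, which is the property that separates "LittleRedDrummerBoy" from a real maiden name.

```python
import math
import secrets

# Constructed sample word list (assumption: a real deployment would load a much
# larger list, such as a diceware list, to get more entropy per word).
WORDS = [
    "little", "red", "drummer", "boy", "copper", "lantern", "velvet", "harbor",
    "quiet", "marble", "thunder", "orchid", "pixel", "glacier", "saffron", "anchor",
    "maple", "comet", "ember", "willow", "tundra", "fossil", "canyon", "meadow",
    "raven", "citrus", "cobalt", "pepper", "sable", "zephyr", "granite", "nectar",
]


def generate_fake_answer(n_words=4, words=WORDS, choose=None):
    """Return n_words randomly chosen words, capitalised and joined without spaces.

    `choose` is injectable for testing; by default the CSPRNG-backed
    secrets.choice is used so the answer is unpredictable.
    """
    if n_words < 1:
        raise ValueError("need at least one word")
    pick = choose if choose is not None else secrets.choice
    return "".join(pick(words).capitalize() for _ in range(n_words))


def answer_entropy_bits(n_words, words=WORDS):
    """Bits of guessing-work for an answer drawn uniformly: log2(len(words) ** n_words).

    A true maiden name known to dozens of acquaintances has close to zero bits
    against those people; this is the number the made-up answer gives instead.
    """
    return n_words * math.log2(len(words))


def is_well_formed(answer):
    """Check the property the post asks for: letters only, no spaces."""
    return answer.isalpha() and " " not in answer


if __name__ == "__main__":
    answer = generate_fake_answer()
    print(answer, f"({answer_entropy_bits(4):.1f} bits from a {len(WORDS)}-word list)")
```

With the 32-word sample list, four words give 20 bits; a 7,776-word diceware list would give about 51.7 bits for the same four words, which is why a bigger list matters more than a longer answer.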
Bottom line: Choosing a completely false and non-relevant answer is a great way to make your security questions virtually impossible to guess, even by people who know you really well.
After all, it’s virtually impossible to guess an outright lie to a very specific question, right?
Bonus tip: This post explains how to choose a password that is secure, yet easy to remember.