Privacy Tip of the Week: Use Security Questions on Your Accounts

Security, or password recovery, questions are a tool used by online accounts to verify that the owner of the account is who they say they are. It helps users recover forgotten passwords and adds an extra layer of protection to prevent accounts from being hacked. For any account that you can add a security question to, you should. However, not all questions are created equal. Some are easy to guess while others ask for information that can often be found online. To keep yourself protected, here’s what you should know about security questions:

• Why should you use security questions?
• How to use them effectively
• Account security alternatives

Why Should You Use Security Questions?

Not every website uses security questions. However, the ones that do may use them for two main reasons.

• Account security. In order to ensure that you are who you say you are, a website might ask you to answer security questions that are personal to you. This type of policy assumes you are the only person who knows this information and thus no one else should be able to access your account.
• Resetting your password. If you have forgotten your account password, you may need to reset it. Some websites require you to answer security questions before they will email you a temporary password. This is because, while rare, it’s possible that a hacker can gain access to your email account. For example, browsing the web on public wi-fi without a tool like a secure VPN could result in email access being stolen by someone else on that same network. If this occurs, that person could reset account access to all of your accounts linked to that email if no additional security measures are in place. Security questions are one such measure which should help to prevent this from occurring.

How to Use Security Questions Effectively

Choose Something Memorable

A password recovery question is meant to help you get into your account, while keeping hackers out of your account. However, this security measure won’t be very helpful if you forget the answer to the question you set up. For this reason, always choose a question that has a memorable answer, like the name of the first person you kissed or the make and model of your first car.

Pick Security Questions with Unique Answers

The question you set up should require a specific response with only one possible answer. If you choose a question that you can answer in several different ways, you run the risk of forgetting which option you chose. For example, if the question is “what was the name of your grade school,” but you attended multiple grade schools, you might forget which one you picked and therefore not be able to get into your account.

Make Sure the Answer Will Be Consistent

Some security questions ask for answers that can change in the future. For example, questions about your favourite things are notoriously unreliable because those things can change. Your favourite movie, song, colour and food might change from week-to-week let alone from log-in to log-in. If the answer to your chosen question changes, you might not remember what the original answer was.

Use a Question With an Unpredictable Answer

Some security questions run into the issue of being too easy and predictable to guess. For example, some may ask what your eye colour is or what kind of pet you have. There are a few common answers to those questions that can be easily guessed by a hacker trying to get into your account. Choose questions with answers specific to you instead of to huge portions of the population.

Make Your Own Question

Not all online accounts allow you to write your own security question. However, every time you have the opportunity, you should take it. This allows you to write a question that is incredibly specific to you and unlikely to be guessed.

Don’t Use Answers That Can Be Found on Social Media

Our whole lives are on social media. Just make sure your security questions aren’t. If your Facebook page tells people where you live, where you were born, where you work, and what your cat’s name is, don’t use any questions that ask for those answers.

Don’t Use Answers That Are Public Record

If someone can find an answer to a security question in public, governmental records, also avoid using those. For example, a popular question is to ask for your mother’s maiden name. While it seems like it might be difficult to find, a dedicated researcher could find records of her name change after she was married.

Store the Answers

Whether you think you’ll know the answers to your security questions in the future or not, one way to make sure you’ll never be locked out of your accounts is to write your answers down. Use a password manager like KeePass to store them safely on your devices.

Account Security Alternatives

Security questions are a common way to protect your online accounts. However, they might not be the best way. In some cases, the answers are easy to guess (especially for someone who knows you; an ex, friend, family member, or employee with a grudge can do a lot of damage with their knowledge about you), which doesn’t result in improved account security. In other cases, the questions are poorly written and may have multiple responses; if you forget the answer you wrote, or the answer has since changed, you may find your account has become too secure, and you can no longer access it. If an account offers it, you may be able to set up multiple security methods, and then choose which one you prefer to login with each time. Alternatives include:

• Two-factor authentication, in which a one-time code will be texted, emailed, or sent to you with a notification through a verified app. Only the person with this code (which should be you) will be able to access the account.
• Biometrics, in which you use something like a fingerprint or facial recognition to access your account. Try to stick with fingerprint verification, as your fingerprint is entirely unique.
• A strong password. Password authentication is the oldest account authentication method in the books (in fact, it predates the internet by centuries!). While it isn’t without its flaws, a strong password will make your accounts extra secure, especially when used in conjunction with other authentication methods.

Good account security is crucial to ensuring that you remain safe online and off. Security questions are one method to protect your accounts that you should consider using.