
Passwords, Two-Factor Authentication, and Security Questions

This guide takes a more detailed look at passwords, password managers, two-factor authentication, and security questions.

The Ups and Downs of Security Questions

On the surface, security questions add another layer to the login process, and do so in a way that feels less "artificial" than passwords (or two-factor authentication). Because they are natural, organic questions, they are supposed to reduce the stress of recalling the answers. "What was your first pet?" is the kind of thing you can probably still recall years down the road. Many websites and services used to let you write your own security question, but these have become more standardized, partly to stop someone from writing something like "What is on my desk?" and then having to recall the answer a year or two later. Offering a general set of questions that varies slightly from site to site gives some variety while limiting the choices to questions that people remember reliably, which reduces the number of accounts lost because the owner cannot recall an answer.

The problem with them lies in more or less everything that makes them good. According to a 2012 StumbleForward article, the 10 most common questions were the following (and things haven't gotten particularly better on the sites that still use them):

  • What Is your favorite book?
  • What is the name of the road you grew up on?
  • What is your mother’s maiden name?
  • What was the name of your first/current/favorite pet?
  • What was the first company that you worked for?
  • Where did you meet your spouse?
  • Where did you go to high school/college?
  • What is your favorite food?
  • What city were you born in?
  • Where is your favorite place to vacation?

Now, take a moment to think about your Facebook/Twitter/Instagram/YouTube/blog postings. How many of these answers would I, or some stranger, be able to guess after spending a couple of hours looking at your publicly viewable information? A post about visiting home might expose a street address (and the city where you were born). Your profile's "about" section often includes work and education history. A favorite vacation spot might be obvious from your photo albums. Your mother's maiden name might not be hard to find if she is also on social media. A few things, like favorite foods and your first pet, might take a little more digging, but people regularly share exactly that kind of detail in those "Answer these 50 questions about yourself" quizzes.

Perhaps more troublesome, even if you are an under-sharer by today's standards, security questions do little to stop friends and family from accessing your account. They may very well know your mom's maiden name, the street you grew up on, and your first pet. Where there is friction with family members or (ex-)friends, security questions might not be enough to keep someone out of your accounts.

The Main Tip About Security Question Answers: "Lie"

One solution to fix the problem with security questions (and maybe the only real solution for accounts that require them) is to "lie". What does this mean? Essentially, do not use your real world data to answer the questions, instead use:

  • Made up data that you can easily recall (fake pet name, fake street address)
  • Some other word/phrase entirely (again make sure you can easily recall it)
  • A password

The first suggestion works something like this. Come up with a name that could plausibly be a pet's name but is distinct from any common pet name (no "Spot" or "Princess", in other words). For this example, let's use "Matchbook". In any question that asks about a pet, answer "Matchbook" (not literally Matchbook, of course, but whatever you came up with). It is memorable enough to stick, but far enough from a typical pet name that it is not easy to guess. Do the same for your mom's maiden name (maybe a fictional character's last name) and for street addresses (maybe look up the address of a favorite restaurant or a landmark if you want to keep it "real"). That kind of thing.

For the other two, you can borrow from the suggestions about randomly generating passwords; those techniques can be adapted to security answers. Of course, with more random answers you will want a way (such as a password manager) to keep track of them, so you don't get caught out trying to recall that the name of your favorite fictional character is FzoHq8e)4MTvX#gB9W7.
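As an added example (not from the original guide), here is one way to generate the "made-up" and "password" style answers described above with a cryptographically secure random source, and to produce a record you can paste into a password manager entry. It assumes, as a hypothetical, that some sites only accept letters in an answer, so it offers a pronounceable letters-only generator alongside a full password-style one; the three question prompts are constructed sample input.

```python
import math
import secrets
import string

# Constructed sample prompts (assumption: a site asks these three).
QUESTIONS = [
    "What was the name of your first pet?",
    "What is your mother's maiden name?",
    "What city were you born in?",
]

# Full password-style alphabet: 94 printable ASCII characters.
TOKEN_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Syllable pieces for pronounceable, letters-only answers (e.g. "Tovekasu").
CONSONANTS = "bcdfghjklmnprstvwz"  # 18 symbols
VOWELS = "aeiou"                   # 5 symbols


def random_token_answer(length: int = 20) -> str:
    """Password-style answer for sites that accept any character.

    Uses the secrets module (CSPRNG), never random.random().
    """
    if length < 8:
        raise ValueError("answer too short to be useful")
    return "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(length))


def fake_word_answer(syllables: int = 4) -> str:
    """Letters-only, pronounceable answer in the 'Matchbook' spirit.

    Useful where a site (hypothetically) rejects digits/punctuation, or where
    you may have to read the answer out to a support agent over the phone.
    """
    if syllables < 3:
        raise ValueError("use at least 3 syllables")
    word = "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                   for _ in range(syllables))
    return word.capitalize()


def token_entropy(length: int) -> float:
    """Bits of entropy in a random_token_answer of the given length."""
    return length * math.log2(len(TOKEN_ALPHABET))


def fake_word_entropy(syllables: int) -> float:
    """Bits of entropy in a fake_word_answer: one consonant + one vowel pick per syllable."""
    return syllables * (math.log2(len(CONSONANTS)) + math.log2(len(VOWELS)))


def build_record(site: str, questions, letters_only: bool = False) -> dict:
    """Return a {question: answer} record to store in the password manager entry for `site`.

    Every question gets its own independent answer, so a leak of one site's
    answer reveals nothing about another site's.
    """
    answers = {}
    for q in questions:
        answers[q] = fake_word_answer() if letters_only else random_token_answer()
    return {"site": site, "security_questions": answers}


if __name__ == "__main__":
    rec = build_record("example.com", QUESTIONS)
    for q, a in rec["security_questions"].items():
        print(f"{q}  ->  {a}")
    print(f"token entropy (20 chars): {token_entropy(20):.1f} bits")
    print(f"fake-word entropy (4 syllables): {fake_word_entropy(4):.1f} bits")
```

The 4-syllable fake word carries roughly 26 bits of entropy, enough to defeat guessing from a social-media profile but not a brute-force attack, so reserve it for sites that enforce lockout on answers or that restrict the character set; use the full 20-character token (about 131 bits) everywhere else.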