Helping people with computers... one answer at a time.
Password Recovery Questions are a cornerstone of much internet security. I'll look at what they are, how they fail, and what you can do.
What does it mean when a job application requests a "Password Recovery Question" as well as a "Password Recovery Answer" (in addition to the other password)?
Password recovery questions, also called security questions or secret questions and answers, are a security measure that is used to verify you are the legitimate owner of an online account of some sort.
Apparently in filling out your job application you're setting up some kind of online account. More commonly we see recovery questions associated with email accounts, banking accounts and even social media accounts like Facebook.
I'll look at how they work, when they're needed, how they fail, when you can make up your own and what to do if you can't.
The idea is very simple - when you establish your account you provide an answer to a question of a somewhat personal nature; ideally a question that only you would know the answer to. That answer is recorded, and should the account provider ever need a way to confirm that you are the legitimate account holder, they ask you that question; if your answer matches what you originally entered then you "pass".
Usually when you set up your account you're given a set of stock questions to choose from; things like "What was your mother's maiden name?", "What was your favorite childhood pet?", "What was your high school mascot?" and so on. You choose the one that you want to use for whatever reason, and that's the one that will get asked should it ever be needed.
Some account providers will actually have you specify several questions. When the time comes to use them they may select one of the ones you set up at random, or they may insist you answer them all correctly.
The single most common use for password recovery questions is, not surprisingly, to recover or reset your password.
The scenario is what you might expect: you forget your password so you click the "I Forgot My Password" link on the account sign-in page. The service then asks you your account recovery questions and if you get them right you're allowed to set a new password.
Some services will require additional security measures - perhaps answering those questions correctly triggers a password reset email to the account email address of record. Perhaps other steps are involved. But the basic idea is simply that answering those questions correctly provides additional evidence that you are you: you are the person who set up the account and hence owns the account.
Password recovery is not the only time that these questions might be used: any time a service wants additional verification beyond your password that you are you, it might ask. Sometimes the system detects what it thinks is "suspicious behaviour"; other times it's as simple as your having cleared the cookies that would otherwise provide additional validation to the system.
The single biggest failure? Forgetting the answers.
This surprises me too, but people regularly create accounts and evidently put in nonsense answers to the password recovery questions. Perhaps they're in a rush and don't want to take the time. The problem is that when they need to recover their password and can't answer the questions they are totally and completely out of luck.
Lesson: don't forget the answers.
The second most common failure relates to the questions themselves: they're not as secure as you might think.
It's not hard to figure out my mother's maiden name. I'd be surprised if anyone knew the name of my favorite childhood pet, but it's not hard to figure out what High School I went to and from that determine the mascot.
In short: password recovery or "security" questions are rarely very secure.
[Image by .schill on Flickr.]
It's better to be able to make up your own secret question: one phrased in such a way that no one but you could ever possibly know the correct answer, and that you always will.
The problem is that it's actually very rare to be allowed to make up your own question. Your example is the exception. Normally, as I said, you choose from a set of pre-determined questions only and cannot make up your own.
If you are allowed the option to make up your own question, use it. Make up a question that only you can know the answer to - it doesn't even have to make sense! "What's the difference between a pencil?" is a great password recovery question as long as you and only you will always remember that the answer is "Godzilla".
More commonly people choose questions that make more sense and actually relate to their answers. The important thing is that it be a question that only you can answer.
Even if you can't make up your own question, there's nothing that says your answer has to make sense. The only things that matter are that a) only you know the answer and b) you will always know the answer.
The system isn't checking to see if your answers "make sense", what they're checking is that when they ask you the question the answer you give is the same as whatever you gave when you set it up.
The computer behind it all doesn't know that "Jack Sparrow" isn't a possible mother's maiden name, or that it's a rare high school that has "Toilet Bowl" as its mascot. And as long as no one else knows those are the answers you give and you always remember them then it doesn't matter in the least that they make no sense.
The answers don't have to make sense.
They just have to match.
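To make the "they just have to match" point concrete from the service's side, here is an added example of how a recovery-question check can be implemented. It is not Ask Leo's code or any particular provider's; the account names, questions and answers are constructed, and the in-memory store, the normalization rule and the five-attempt lockout are assumptions. It shows that the service never judges whether "Jack Sparrow" is a plausible maiden name, only whether the hash of what you type matches the hash of what you enrolled; and, because answers to stock questions are often guessable, it limits how many wrong guesses are accepted before the question stops working and another recovery channel is required.

```python
import hashlib
import hmac
import os
import unicodedata

# Hypothetical in-memory store keyed by account name; a real service would
# persist this per account. Answers are stored as salted PBKDF2 digests, never
# as plaintext, since a leaked answer table would let anyone reset passwords.
_store: dict[str, dict] = {}

PBKDF2_ITERATIONS = 200_000   # assumed work factor
MAX_ATTEMPTS = 5              # assumed lockout threshold for guessable answers


def normalize(answer: str) -> str:
    """Canonicalize an answer so trivial variations still match.

    '  JACK   Sparrow ' and 'jack sparrow' both normalize to 'jack sparrow'.
    The content of the answer is never inspected for plausibility.
    """
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split())


def _hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the normalized answer."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def enroll(account: str, question: str, answer: str) -> None:
    """Record the chosen question and the digest of its answer at sign-up."""
    salt = os.urandom(16)
    _store[account] = {
        "question": question,
        "salt": salt,
        "digest": _hash_answer(answer, salt),
        "failed": 0,
    }


def get_question(account: str) -> str:
    """The question to show on the 'I Forgot My Password' page."""
    return _store[account]["question"]


def is_locked(account: str) -> bool:
    """True once too many wrong answers have been given for this account."""
    return _store[account]["failed"] >= MAX_ATTEMPTS


def verify(account: str, answer: str) -> bool:
    """Compare the supplied answer with the enrolled one.

    Returns True only on an exact (post-normalization) match and only while the
    account is not locked. Comparison is constant-time on the digests.
    """
    rec = _store[account]
    if is_locked(account):
        return False  # recovery must fall back to another channel
    candidate = _hash_answer(answer, rec["salt"])
    if hmac.compare_digest(candidate, rec["digest"]):
        rec["failed"] = 0
        return True
    rec["failed"] += 1
    return False


if __name__ == "__main__":
    # Constructed demo: a nonsense answer to a stock question works fine.
    enroll("demo-user", "What was your mother's maiden name?", "Jack Sparrow")
    print(get_question("demo-user"))
    print(verify("demo-user", "  JACK sparrow "))   # True: matches after normalization
    print(verify("demo-user", "Smith"))             # False: a plausible guess that does not match
```

The service compares digests rather than the answers themselves, so the stored record is of no use to someone who copies the database, and the lockout counter means a guessable stock answer cannot simply be tried over and over.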