
Password Recovery Questions are a cornerstone of much internet security. I'll look at what they are, how they fail, and what you can do.

What does it mean when a job application requests a "Password Recovery Question" as well as "Password Recovery Answer"? (in addition to the other password)?

Password recovery questions, also called security questions or secret questions and answers, are a security measure that is used to verify you are the legitimate owner of an online account of some sort.

Apparently in filling out your job application you're setting up some kind of online account. More commonly we see recovery questions associated with email accounts, banking accounts and even social media accounts like Facebook.

I'll look at how they work, when they're needed, how they fail, when you can make up your own and what to do if you can't.

How Password Recovery Questions Work

The idea is very simple - when you establish your account you provide an answer to a question of a somewhat personal nature; ideally a question that only you would know the answer to. That answer is recorded, and should the account provider ever need a way to confirm that you are the legitimate account holder they ask you that question, and if your answer matches what you originally entered then you "pass".

Usually when you set up your account you're given a set of stock questions to choose from; things like "What was your mother's maiden name?", "What was your favorite childhood pet?", "What was your high school mascot?" and so on. You choose the one that you want to use for whatever reason, and that's the one that will get asked should it ever be needed.

Some account providers will actually have you specify several questions. When the time comes to use them they may select one of the ones you set up at random, or they may insist you answer them all correctly.

When Password Recovery Questions Are Used

The single most common use for password recovery questions is, not surprisingly, to recover or reset your password.

The scenario is what you might expect: you forget your password so you click the "I Forgot My Password" link on the account sign-in page. The service then asks you your account recovery questions and if you get them right you're allowed to set a new password.

Some services will require additional security measures - perhaps answering those questions correctly triggers a password reset email to the account email address of record. Perhaps other steps are involved. But the basic idea is simply that answering those questions correctly provides additional evidence that you are you: you are the person who set up the account and hence owns the account.

Password recovery is not the only time that these questions might be used: any time a service wants additional verification beyond your password that you are you, it might ask. Occasionally the system detects what it might think is "suspicious behaviour"; other times it's as simple as having cleared the cookies that provide additional validation to the system.

How Password Recovery Questions Fail

The single biggest failure? Forgetting the answers.

By far.

This surprises me too, but people regularly create accounts and evidently put in nonsense answers to the password recovery questions. Perhaps they're in a rush and don't want to take the time. The problem is that when they need to recover their password and can't answer the questions they are totally and completely out of luck.

Lesson: don't forget the answers.

The second most common failure relates to the questions themselves: they're not as secure as you might think.

It's not hard to figure out my mother's maiden name. I'd be surprised if anyone knew the name of my favorite childhood pet, but it's not hard to figure out what high school I went to and from that determine the mascot.

In short: password recovery or "security" questions are rarely very secure.

[Image: "r00t password", by .schill on Flickr]

Making Your Own Secret Question

It's better to be able to make up your own secret question: one phrased in such a way that no one but you could ever possibly know the correct answer, and that you always will.

The problem is that it's actually very rare to be allowed to make up your own question. Your example is the exception. Normally, as I said, you choose from a set of pre-determined questions only and cannot make up your own.

If you are allowed the option to make up your own question, use it. Make up a question that only you can know the answer to - it doesn't even have to make sense! "What's the difference between a pencil?" is a great password recovery question as long as you and only you will always remember that the answer is "Godzilla".

More commonly people choose questions that make more sense and actually relate to their answers. The important thing is that it be a question that only you can answer.

Making Your Own Secret Answer

Even if you can't make up your own question, there's nothing that says your answer has to make sense. The only things that matter are that a) only you know the answer and b) you will always know the answer.

That's it.

The system isn't checking to see if your answers "make sense"; it's checking that when it asks you the question, the answer you give is the same as whatever you gave when you set it up.

The computer behind it all doesn't know that "Jack Sparrow" isn't a possible mother's maiden name, or that it's a rare high school that has "Toilet Bowl" as its mascot. And as long as no one else knows those are the answers you give and you always remember them then it doesn't matter in the least that they make no sense.

The answers don't have to make sense.

They just have to match.
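As an added example (not Ask Leo!'s code, nor any real site's implementation), here is how a service can store and check a recovery answer the way the article describes: the answer is normalized, only a salted slow hash is kept, the check is a plain match that never cares whether "Godzilla" is a sensible answer, and a three-guess limit (the figure several commenters mention) stops an acquaintance from guessing freely. The function names, the iteration count and the stored-record layout are my own assumptions.

```python
import hashlib
import hmac
import os
import re
import unicodedata

ITERATIONS = 200_000   # assumed PBKDF2 work factor
MAX_ATTEMPTS = 3       # the "3 guesses" budget several sites use


def normalize(answer: str) -> str:
    """Fold case, unify Unicode forms and drop spaces/punctuation so that
    'Godzilla!' and ' godzilla ' are the same answer. Nothing here checks
    whether the answer makes sense; the service only ever compares."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"\W", "", folded)


def enroll(question: str, answer: str) -> dict:
    """Constructed storage record: keep a salted hash of the normalized
    answer, never the answer itself, plus a wrong-attempt counter."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
    return {"question": question, "salt": salt, "hash": digest, "attempts": 0}


def verify(record: dict, candidate: str) -> bool:
    """True only if the candidate matches AND the attempt budget is not spent.
    A correct answer resets the counter; a locked record always returns False."""
    if record["attempts"] >= MAX_ATTEMPTS:
        return False
    record["attempts"] += 1
    digest = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode(),
                                 record["salt"], ITERATIONS)
    ok = hmac.compare_digest(digest, record["hash"])   # constant-time match
    if ok:
        record["attempts"] = 0
    return ok


def verify_all(records: list, candidates: list) -> bool:
    """The 'answer them all correctly' policy the article mentions. Every
    question is checked even after a failure, so the caller cannot learn
    from the response time which one was wrong."""
    if len(records) != len(candidates):
        return False
    results = [verify(r, c) for r, c in zip(records, candidates)]
    return all(results)
```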

Article C4624 - November 21, 2010

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


14 Comments
Ian Skinner
November 23, 2010 10:41 AM

I just wish there was some standard. I dislike sites that try to be more secure by asking *ONLY* things like "my favorite book", "color", "place to take a vacation".

Those are not set things, and if it is a site I only visit on a semi-annual basis or less, there can be real problems for me forgetting both my password AND what my favorite book was a year or two ago.

For the same reason, I've never tried non-sense answers. I wonder, would it be a bad practice if I give the same nonsense answer to EVERY question on EVERY site?

voxpop
November 23, 2010 10:57 AM

How about the same answer for all security questions, i.e. "joe"? That way you really don't have to remember anything, well, except "joe" of course.

Gabe
November 23, 2010 11:15 AM

The first time I encountered a security question it was one that only lets you choose from a list of like 5 or 6. I got mad because I live in a small town and there are at least a dozen people in my life that could easily answer any of those 5 questions. I know the probability is low for something like that to happen, but hey, it's far more likely that they'll guess that answer than them guessing my password.

As for using the same answer on all sites...that's been my solution and it's better than trying to use the same password. Once I tried to develop a "financial password" for myself and it was a good one. Letters, numbers, special characters and length. It was good until I tried to use it at more than one site. Most sites have some type of password policy and it's nearly impossible to use a good, cryptic password on multiple sites. Grrrr.

ausGeoff
November 23, 2010 12:15 PM

@ Gabe

"I live in a small town and there are at least a dozen people in my life that could easily answer any of those 5 questions"

You don't have to give "correct" answers; that's the point.

For example, if one of the questions asks for your grade school, you might answer 'ambulaxce', or your mother's maiden name might be 'dixosaur', or your first pet's name could be 'accommodatiox'. (Note the common x for n substitution: they're not in a dictionary.) And obviously don't use 'Williamtown', 'Jones' or 'Rusty'; all too easy.

Just be imaginative!

Fishplate
November 23, 2010 12:18 PM

Most sites have a similar list, so I have a standard nonsense answer for "maiden name", "favorite pet" and so forth, none of which are based in reality. Nothing beats my cheat sheet, though - every time I generate a password or answer, I put it in a handwritten file in a safe place.

And vivek, your yahoomail password is "I'm asking this in the wrong place".

Andrew O'Thinny
November 23, 2010 2:07 PM

"The single biggest failure? Forgetting the answers. - By far. - This surprises me too"

Why does it surprise you? I think you're missing the point. I don't forget the answer because I entered a nonsense answer, but because the question was a nonsense question - one that simply doesn't have a unique or memorable answer for me.

Favourite pet? Didn't have one. First teacher? Can't remember. Favourite movie? I have lots, but in a few weeks time I'm not going to remember which particular one I chose as my favourite today.

Unless there is an opportunity to define your own question, the system is deeply flawed.

My surprise comes from the fact that it's so important, and people apparently don't understand just how important it is or they would pick something that they would make absolutely sure they could remember - regardless of whether it made sense or not.
Leo
24-Nov-2010

Bob
November 24, 2010 3:34 AM

You could follow Dogbert's technical advice about passwords.
Client: "Help. When I type my password, the computer replaces whatever I type with asterisks"
Dogbert: "Then change your password to all asterisks"

Chris D.
November 24, 2010 4:55 AM

I store all my passwords and secret questions in an encrypted file on my computer with a backup in Dropbox. The only password I need to remember is the one to open TrueCrypt, and that is one that would be nonsense to everyone but myself, and one that I will never forget.

Julian Adams
November 24, 2010 8:01 AM

As one reader pointed out, there are others who would know the answer to at least some of your security questions. For this reason, I always answer the questions incorrectly, but I always remember the answers I gave.
For example, if asked for my mother's maiden name, I answer instead my grandmother's maiden name. There are others who would know this, too, but what they don't know is that I answered it incorrectly.

David Nuttall
November 25, 2010 12:47 PM

One of the biggest issues I have with these questions is that most of the information that these questions ask about is things that my close friends know about me. That is fine so long as these people are my true friends. This can become a great liability if one of these friends becomes something else, such as spouse to ex-spouse. Now his/her intimate knowledge of you and your family can be used to get access to places you no longer want to let the person get access to ("Now, what did they call his/her grandfather? Oh, yeah, Mr. Graveson! Ok, Mother's maiden name is..."). Changing your password to keep them out does not prevent them access when they can just access these stupid questions, added in the name of security, which actually open your account to abuse, and in many cases there is nothing you can do about it but lie, which makes it harder to remember and for many is unethical.

bill
November 30, 2010 11:31 AM

I am amazed that people are still commenting that the questions do not have an answer for the (first pet) or are all things that their friends know. They missed the obvious comment in the article "there's nothing that says your answer has to make sense".

It doesn't have to make as much sense as "Evelyn Treacher" for first pet. (google her name and pet), a "pet" name for another person, or ANYTHING that you can remember.

Gabe
December 1, 2010 7:18 AM

@ausGeoff

You give a great suggestion which Leo mentions in the article. I agree and it's something I've been doing. I have one nonsense answer to all security questions. The problem is, I've been on the Internet for over 10 years now and I've answered dozens of security questions. Typically, I choose what my favorite movie is, and you can bet if I ever set up a Facebook account, I won't be posting any of my "favorite" things there...but I digress. My problem now is, when I'm asked to answer my security question I don't remember if I used the real answer or the nonsense answer. With only 3 guesses available on most sites, that gets a little frustrating. Fortunately, I don't see it that much, but when I do see it, I find myself getting frustrated with the whole process.

In my opinion, no solution is flawless. For example, if this hasn't happened yet, it will. A site will require us to answer 2 or 3 questions (some already do that) and if you put the same answer in, it will deny us and say, "two answers can't be identical". The day that happens to me, I'm going to contact that webmaster and he'll get an earful.

Tony
December 2, 2010 6:28 PM

Some sites use the security questions as one of the options for password recovery. The other options I've seen are alternative email address, or cellphone number. Hopefully a person who gains access to one of your email accounts wouldn't gain access to all, unless you use the same password for all. Therefore if you can successfully ask for a password re-set to be sent to your alternative email address, you won't be prompted to answer your secret questions.

Marlene moretta
December 27, 2011 9:41 AM

Every time I try to log in they keep asking me for my password; when I put it in, it's rejected. How can I make it work?

If it's rejecting your password, then your password is wrong. Perhaps your account has been hacked into and the password changed.
Leo
27-Dec-2011
