Password Recovery Questions; how do they work and can I make up my own?

Password recovery questions are a cornerstone of much online account security. I'll look at what they are, how they fail, and what you can do about it.

What does it mean when a job application requests a "Password Recovery Question" as well as a "Password Recovery Answer" (in addition to the password)?

Password recovery questions, also called security questions or secret questions and answers, are a security measure used to verify that you are the legitimate owner of an online account of some sort.

Apparently in filling out your job application you're setting up some kind of online account. More commonly we see recovery questions associated with email accounts, banking accounts and even social media accounts like Facebook.

I'll look at how they work, when they're needed, how they fail, when you can make up your own and what to do if you can't.

How Password Recovery Questions Work

The idea is very simple: when you establish your account you provide an answer to a question of a somewhat personal nature, ideally a question that only you would know the answer to. That answer is recorded, and should the account provider ever need a way to confirm that you are the legitimate account holder, they ask you that question. If your answer matches what you originally entered, you "pass".


Usually when you set up your account you're given a set of stock questions to choose from; things like "What was your mother's maiden name?", "What was your favorite childhood pet?", "What was your high school mascot?" and so on. You choose the one that you want to use for whatever reason, and that's the one that will get asked should it ever be needed.

Some account providers will actually have you specify several questions. When the time comes to use them they may select one of the ones you set up at random, or they may insist you answer them all correctly.

When Password Recovery Questions Are Used

The single most common use for password recovery questions is, not surprisingly, to recover or reset your password.

The scenario is what you might expect: you forget your password so you click the "I Forgot My Password" link on the account sign-in page. The service then asks you your account recovery questions and if you get them right you're allowed to set a new password.

Some services will require additional security measures - perhaps answering those questions correctly triggers a password reset email to the account email address of record. Perhaps other steps are involved. But the basic idea is simply that answering those questions correctly provides additional evidence that you are you: you are the person who set up the account and hence owns the account.

Password recovery is not the only time these questions might be used: any time a service wants verification beyond your password that you are you, it might ask. Occasionally the system detects what it thinks is "suspicious behaviour"; other times it's as simple as your having cleared the cookies the site uses to recognize a browser it has seen before.

How Password Recovery Questions Fail

The single biggest failure? Forgetting the answers.

By far.

This surprises me too, but people regularly create accounts and evidently put in nonsense answers to the password recovery questions. Perhaps they're in a rush and don't want to take the time. The problem is that when they need to recover their password and can't answer the questions they are totally and completely out of luck.

Lesson: don't forget the answers.

The second most common failure relates to the questions themselves: they're not as secure as you might think.

It's not hard to figure out my mother's maiden name. I'd be surprised if anyone knew the name of my favorite childhood pet, but it's not hard to figure out what High School I went to and from that determine the mascot.

In short: password recovery or "security" questions are rarely very secure. They are effectively a second, much weaker password, and because answering them correctly lets someone reset the real password, an attacker who can guess or look up the answers doesn't need your password at all.

[Image: "r00t password", by .schill on Flickr]

Making Your Own Secret Question

It's better to be able to make up your own secret question: one that you can phrase so that no one but you could ever possibly know the correct answer, and so that you always will.

The problem is that it's actually very rare to be allowed to make up your own question. Your example is the exception. Normally, as I said, you choose from a set of pre-determined questions only and cannot make up your own.

If you are allowed the option to make up your own question, use it. Make up a question that only you can know the answer to - it doesn't even have to make sense! "What's the difference between a pencil?" is a great password recovery question as long as you and only you will always remember that the answer is "Godzilla".

More commonly people choose questions that make more sense and actually relate to their answers. The important thing is that it be a question that only you can answer.

Making Your Own Secret Answer

Even if you can't make up your own question, there's nothing that says your answer has to make sense. The only things that matter are that a) only you know the answer and b) you will always know the answer.

That's it.

The system isn't checking whether your answer "makes sense"; all it checks is that the answer you give when asked is the same as whatever you gave when you set it up. (Some sites ignore differences in capitalization or spacing when comparing, but don't count on it: enter the answer exactly the way you did originally.)

The computer behind it all doesn't know that "Jack Sparrow" isn't a possible mother's maiden name, or that it's a rare high school that has "Toilet Bowl" as its mascot. As long as no one else knows those are the answers you gave, and you always remember them, it doesn't matter in the least that they make no sense. If you worry about remembering a nonsense answer, record it in the same place you keep the password, such as a password manager, so that "always remember" doesn't depend on memory alone.

The answers don't have to make sense.

They just have to match.
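The matching described above ("the answers just have to match") and the weakness described under "How Password Recovery Questions Fail" can both be shown in a few lines of code. The following is an added example, not code from the Ask Leo! article or from any particular site. It assumes a site that stores only a salted scrypt hash of each normalized answer, requires every enrolled question to be answered correctly, and locks recovery after three failed attempts; the list of common pet names is constructed for the demonstration. The guessing routine shows why a stock answer such as a pet name falls to a short dictionary while a nonsense answer does not.

```python
"""Added example (not from the article): how a security-question check works,
and why a guessable answer is weak. Assumptions: salted scrypt storage,
case/punctuation-insensitive matching, all questions required, 3-try lockout."""
import hashlib
import hmac
import os
import re

# Interactive-strength scrypt parameters (about 16 MiB of memory per hash).
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}


def normalize(answer: str) -> str:
    """Case-fold and drop spaces/punctuation so "Mr. Graveson" matches "mrgraveson".
    Whether a real site does this is an assumption; many compare exactly."""
    return re.sub(r"[^a-z0-9]", "", answer.casefold())


def enroll(answer: str) -> dict:
    """Store only a salted hash; the site never needs the plaintext answer again."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(normalize(answer).encode(), salt=salt, **SCRYPT_PARAMS)
    return {"salt": salt, "digest": digest}


def verify(record: dict, attempt: str) -> bool:
    """The only check the site makes: does the normalized attempt hash to the stored digest?
    Nothing here knows or cares whether the answer "makes sense"."""
    digest = hashlib.scrypt(normalize(attempt).encode(), salt=record["salt"], **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, record["digest"])


class Account:
    """An account with one or more enrolled (question, answer) pairs."""

    def __init__(self, email: str, questions: list):
        self.email = email
        self.questions = [(q, enroll(a)) for q, a in questions]
        self.failed_resets = 0
        self.locked = False


def recover(account: Account, answers: dict, max_attempts: int = 3) -> str:
    """Password-reset gate. Returns 'reset', 'denied' or 'locked'."""
    if account.locked:
        return "locked"
    # Evaluate every question (no short-circuit) so the attacker cannot tell
    # from the response time which answer was the wrong one.
    results = [verify(rec, answers.get(q, "")) for q, rec in account.questions]
    if all(results):
        account.failed_resets = 0
        return "reset"
    account.failed_resets += 1
    if account.failed_resets >= max_attempts:
        account.locked = True
        return "locked"
    return "denied"


def guesses_needed(record: dict, candidates: list):
    """Dictionary guess against one stored answer, i.e. what an attacker with the
    hash (or with unlimited online attempts) would do. Returns the 1-based number
    of guesses, or None if the answer is not in the list."""
    for i, guess in enumerate(candidates, 1):
        if verify(record, guess):
            return i
    return None


# Constructed sample dictionary for the demo (not from the article).
COMMON_PET_NAMES = ["Max", "Bella", "Charlie", "Lucy", "Buddy", "Daisy",
                    "Molly", "Rocky", "Bailey", "Sadie", "Jack", "Lola"]

if __name__ == "__main__":
    acct = Account("user@example.com", [
        ("What was your mother's maiden name?", "Jack Sparrow"),   # nonsense, still accepted
        ("What's the difference between a pencil?", "Godzilla"),  # made-up question
    ])
    print(recover(acct, {"What was your mother's maiden name?": "jack sparrow",
                         "What's the difference between a pencil?": "Godzilla"}))  # reset
    # A real pet name is found in a handful of guesses; a nonsense answer is not found.
    print(guesses_needed(enroll("Buddy"), COMMON_PET_NAMES))     # 5
    print(guesses_needed(enroll("Godzilla"), COMMON_PET_NAMES))  # None
```

The lockout in `recover` is what makes online guessing expensive; an attacker who obtains the stored hashes, or a site without such a limit, gets the offline rate shown by `guesses_needed`, and a twelve-name list is enough to find a typical pet name.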

Article C4624 - November 21, 2010

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


Comments (14)

One of the biggest things I have about these questions is that most of the information that these questions ask about is things that my close friends know about me. That is fine so long as these people are my true friends. This can become a great liability if one of these friends becomes something else, such as spouse to ex-spouse. Now his/her intimate knowledge of you and your family can be used to get access to places you no longer want to let the person get access to ("Now, what did they call his/her grandfather? Oh, yeah, Mr. Graveson! Ok, Mother's maiden name is..."). Changing your password to keep them out does not prevent them access when they can just access these stupid questions, added in the name of security, which actually open your account to abuse, and in many cases there is nothing you can do about it, but lie, which makes it harder to remember and for many is unethical.

Posted by: David Nuttall at November 25, 2010 12:47 PM

I am amazed that people are still commenting that the questions do not have an answer for the (first pet) or are all things that their friends know. They missed the obvious comment in the article "there's nothing that says your answer has to make sense".

It doesn't have to make as much sense as "Evelyn Treacher" for first pet. (google her name and pet), a "pet" name for another person, or ANYTHING that you can remember.

Posted by: bill at November 30, 2010 11:31 AM

@ausGeoff

You give a great suggestion which Leo mentions in the article. I agree and it's something I've been doing. I have one nonsense answer to all security questions. The problem is, I've been on the Internet for over 10 years now and I've answered dozens of security questions. Typically, I choose what my favorite movie is and you can bet if I ever set up a Facebook account, I won't be posting any of my "favorite" things there...but I digress. My problem now is, when I'm asked to answer my security question I don't remember if I used the real answer or the nonsense answer. With only 3 guesses available on most sites, that gets a little frustrating. Fortunately, I don't see it that much but when I do see it, I find myself getting frustrated with the whole process.

In my opinion, no solution is flawless. For example, if this hasn't happened yet, it will. A site will require us to answer 2 or 3 questions (some already do that) and if you put the same answer in, it will deny us and say, "two answers can't be identical". The day that happens to me, I'm going to contact that webmaster and he'll get an earful.

Posted by: Gabe at December 1, 2010 7:18 AM

Some sites use the security questions as one of the options for password recovery. The other options I've seen are alternative email address, or cellphone number. Hopefully a person who gains access to one of your email accounts wouldn't gain access to all, unless you use the same password for all. Therefore if you can successfully ask for a password re-set to be sent to your alternative email address, you won't be prompted to answer your secret questions.

Posted by: Tony at December 2, 2010 6:28 PM

Every time I try to log in they keep asking me for my password; when I put it in, it's rejected. How can I make it work?

If it's rejecting your password, then your password is wrong. Perhaps your account has been hacked into and the password changed.
Leo, 27-Dec-2011

Posted by: Marlene moretta at December 27, 2011 9:41 AM