
Secret questions used to recover lost or forgotten passwords are a common weak link in account security. I'll describe my hack-proof approach.

Account secret questions, more correctly referred to as security questions or password recovery questions, are often the weakest link in your overall security.

So often, in fact, that many compromises can be traced to an individual gaining access to the victim's account simply by guessing, or worse, knowing the answers to common security questions.

Forgetting the answers to security questions is also a very common reason that once-lost accounts often stay lost forever.

Let's review how security questions get used by hackers to gain access to your accounts, and one approach you can use to stop them cold.

How Security Questions Work

Security questions are intended to be a second level of information that can be used should you ever lose or forget your password. In many ways, they're just like passwords themselves.

When you set up your account the service will ask you one or more security questions to which you must provide an answer. That is then recorded and kept with your account. Common security questions ask you to provide your mother's maiden name, your high school mascot, your favorite pet, the model of your first car, and so on. The idea is that, like your password, these are things that only you would know; knowing the correct answers implies that you are indeed you.


When you lose your password, many systems simply ask you at least one of your security questions. After you answer them correctly, the system assumes that you are the rightful account holder and proceeds to reset or assign a new password to you.

In theory, it's not too bad of a system.

In practice, though, it's not that good of a system at all.

How Hackers Use Security Questions to Gain Access to Your Account

Take a look at those common security questions again:

  • Your mother's maiden name
  • Your high school mascot
  • Your favorite pet
  • The model of your first car
  • ...

Or more specifically, recall the security questions that you were asked to create when you last set up an online account of some sort.

Now, ask yourself two questions about the answers to those questions:

  • Are you really the only person on the planet who knows the answers to those questions?

  • Are you absolutely positive that the answers to those questions can't be found anywhere by someone who might be looking?

I think you'll be surprised. I know I was, after doing even just a little research on myself.

With the incredible rise in popularity of social media, folks are sharing more about themselves than ever before. Often, what you share publicly online can be used or combined to quickly and easily determine the answers to your secret questions by an experienced hacker.

And it's not just what you share; remember that I also asked if you were certain that no one else knew the answers. I'm betting that more people do than you realize. And all that it takes is for one of them to innocently use that information in some way. "I remember when we were young; Mary just loved her first cat. I think she called it Jasper....".

It doesn't take much to open the door just a crack.

And a crack is all that's needed.

A Hack-Proof Approach to Security Questions

There's nothing that says that the answers you provide when setting up your account have to make sense.

All that matters is that you provide the same answer when you're asked them again.

That's all.

That realization opens up a technique that is virtually hack-proof: make up nonsense answers.

  • Your mother's maiden name? Headphones.
  • Your high school mascot? Sarcasm.
  • Your favorite pet? TrueBlood.
  • The model of your first car? 1XapJyL8.
  • ...

You get the idea. Don't answer the question with the truth; make something up. Make it as unrelated to the question as possible. In fact, as in the last example above, you can even make it another secure password.

There's no way that anyone will know or guess the answers.
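As an added illustration of the nonsense-answer technique (example code written for this page, not from the original article), the Python below generates random answers for the article's four sample questions, builds the question-to-answer record you would keep in an encrypted store, and compares the guessing work against a truthful answer drawn from a list an attacker can enumerate. The question list, the candidate-list sizes and the function names are assumptions.

```python
import math
import secrets
import string

# Constructed sample: the common recovery questions the article lists.
QUESTIONS = [
    "Your mother's maiden name",
    "Your high school mascot",
    "Your favorite pet",
    "The model of your first car",
]

# Same symbol set as the article's example answer "1XapJyL8": letters and digits.
ALPHABET = string.ascii_letters + string.digits


def random_answer(length=12, alphabet=ALPHABET):
    """A nonsense answer: a uniformly random token with no link to the question."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def guess_bits_truthful(candidate_count):
    """Guessing work, in bits, when the real answer comes from a list an attacker can
    enumerate; candidate_count is an assumed size (e.g. a list of popular pet names)."""
    return math.log2(candidate_count)


def guess_bits_random(length, alphabet_size=len(ALPHABET)):
    """Guessing work, in bits, against a uniformly random answer of this length."""
    return length * math.log2(alphabet_size)


def make_answer_sheet(questions, length=12):
    """Build the question -> answer record that belongs in an encrypted store (the
    article's spreadsheet on an encrypted drive). No answer is reused across questions."""
    sheet = {}
    for question in questions:
        answer = random_answer(length)
        while answer in sheet.values():  # a repeat is vanishingly unlikely; never accept one
            answer = random_answer(length)
        sheet[question] = answer
    return sheet


def answer_is_unrelated(answer, truthful_answer):
    """Reject a 'nonsense' answer that still contains the real one (case-insensitive)."""
    return truthful_answer.lower() not in answer.lower()


if __name__ == "__main__":
    # Assumed attacker list: about 2000 popular pet names to try.
    print(f"truthful pet name, 2000 candidates: {guess_bits_truthful(2000):.1f} bits")
    print(f"random 8-char answer like 1XapJyL8: {guess_bits_random(8):.1f} bits")
    for question, answer in make_answer_sheet(QUESTIONS).items():
        print(f"{question}? {answer}")
```

The gap is the whole point: a pet name from a list of a couple of thousand is worth about 11 bits of guessing, while even the article's short 8-character token is worth nearly 48.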

You do need to take extra care, however, in one important aspect.

Don't Forget the Answers

One of the advantages of answering the secret questions correctly is that these are things you know and are therefore easy for you to remember. The disadvantage, as we saw, is that the answers are often easy for others to know or guess, and therefore not as secure as we might think.

Even when people think they answer the questions correctly, I'm continually surprised at the number of people that permanently lose access to their accounts because they can't recall the answers.

"Don't forget the answers" applies no matter what approach you take.

In the case of nonsensical answers, of course, it might take an extra step, such as recording your answers for future reference in a safe and secure location. My solution is an Excel spreadsheet that I keep in an encrypted drive. Other encrypting solutions, including tools like Roboform, AxCrypt, and others, make sense, as does writing down the answers and keeping them in a locked and secure place.

If you do use an encrypted solution on your computer, make sure that the data is backed up as well.

Article C4750 - February 26, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


12 Comments
Jim
March 1, 2011 8:27 AM

It's kind of a surprise that people need to be told this, but some of us are less devious than we ought to be. As you said, the key is to not forget, but infrequent use can cause that even if you have a reminder in an encrypted file - you still have to remember where the file is and how to access it.

Another way to keep track is to have a favorite answer you use frequently, such as $u0iveD. Then, leave yourself a reminder, such as "Mom's maiden name - Devious reverse, sub dollar and zero" meaning you take a word (Devious in this case) spell it backwards and substitute $ for the S and 0 for the o. The reminder can be kept available in an unencrypted file, because you know what it means, and others don't.

Phil
March 1, 2011 2:26 PM

I knew that my mother's maiden name was available to anyone who knew where to look. So I [pretty reasonable idea removed to protect the poster] is recorded nowhere but the memories of those who knew her. Sometimes I'll add the number I wore when I played pro football, and a symbol, to make it really tough.

I'm sanitizing the comment because it's just not a good idea to give clues like this on a public website.
Leo
04-Mar-2011

Digital Artist
March 1, 2011 2:53 PM

I hesitate to share this, but here 'tis anyway: I have over 10,000 jpeg images on my hard drive and I have considered "embedding" my passwords in one of them. All these files have similar filenames, consisting of a set of digits which are meaningful only to me. I would camouflage the text and hide it within the image, using very small font size etc, and I would also put several fake passwords in the same picture. And while I am at it, I would do this to a few other pictures, with all fake passwords. Then all I would have to remember is the one file with the real passwords, and which ones are real among the fakes. I would use a 10 to 12 megapixel picture and 8 pt. font, and I think that's about as good as it gets. Any comments?

steven
March 1, 2011 3:15 PM

I am surprised someone else did exactly what I did, lie. Of course if I lose the answers, I am screwed. It is the chance I take. I know several people that got married, I know their maiden names.

Mark J
March 1, 2011 9:17 PM

To protect against forgetting passwords, I have a file with all of my passwords and answers to security questions which is protected by a master password. Important: don't forget that password!

That's a pretty reasonable solution, and appropriate warning. I do that, in part at least, using an Excel spreadsheet kept on an encrypted TrueCrypt volume. Master passwords are also typically how tools like Roboform control access to the information they save for you.
Leo
04-Mar-2011

Mike
March 2, 2011 8:35 AM

So, basically, you're talking about "passwords" to remember the passwords. How long before we need passwords to remember the passwords that unlock the passwords? Actually I could remember my passwords just fine if every site didn't have their own rules for generating my password, such as a minimum 16-character password that contains at least one upper-case letter, one lower-case letter, one digit, and no less than two "special" characters, all to block some non-existent brute force hacker. Most sites eliminate you after three, or five at most, failed attempts.

Ken B
March 3, 2011 8:27 AM

I have a file which contains a list of my accounts, along with "hints" about the password. These "hints" are meaningful only to me, but they are enough to help me recall the password. For example, I doubt anyone seeing "drugstore 51" would have a clue as to what that meant, as the answer has nothing to do with drugstores, nor does "51" appear in the password.

Ken
March 5, 2011 10:30 PM

The easiest way to remember passwords is use a program like the free program Passwordsafe, that keeps all your passwords in an encrypted file. I now only have to remember one password. Even as senile as I am I can do that.

Glenn P.
March 6, 2011 7:52 AM

The book "Perfect Passwords: Selection, Protection, Authentication" by Mark Burnett (ISBN-10: 1597490415, ISBN-13: 978-1597490412), devotes an entire section of Chapter 7 to the faults and pitfalls of "Secret Questions" in password recovery, and while the worst practices seem to have abated, much of what is written there remains as relevant today, as it was when it was first written way back in 2006.

By the bye, I myself was a very self-absorbed youth, and I very often find that the "Security Questions" I am offered online have no relevance to me at all! My high school's mascot? My first girlfriend's name? The model of my first car? My first child's first name? The year my grandfather was born?

Well, guess what folks?

I have no idea what the HS mascot was (or indeed if we even had one); I never had a girlfriend; I never owned a car; what makes these morons think I ever got laid, let alone had a kid (that's quite an assumption, if you stop to think about it. In fact, I wonder what the gays and nuns think about that question!); and as for my grandfather, he died before I was ever born, so I haven't God's own notion when he came into the world.

So now what?!

These so-called "Security Questions" will never  be completely useable, until they can be made 100% relevant to everyone.

Barcillo
March 17, 2011 8:59 AM

I don't know if this also happens with the TrueCrypt volume. But I use a similar approach using a password protected RAR file where I keep a file that has my passwords. However I have to remember to check/delete the temp files after every use, since the encrypted files are unzipped to the temp folder every time I read them, and sometimes WinRAR won't delete them after I close it. This is something to be aware of in some protected files.

Phil
August 10, 2012 9:31 AM

My belief now is that the best, most secure method of storing passwords is to write them down on paper - do not store them on a computer file, encrypted or otherwise.
I know - but if you think about it, how can anyone access the bit of paper - a burglar? - they'll be looking for goodies, not a sheet of paper!

thereisnospoon
August 23, 2012 9:14 AM

Sarcasm actually IS my high school mascot.

Comments on this entry are closed.
