The Mac Security Blog

How to Choose and Answer Security Questions

To help you keep your online accounts safe, most web and cloud services have you answer a number of security questions. You are asked a few things that you know, and that you can remember—such as your first pet’s name, or your mother’s maiden name—so you can access your account and prove your identity, if you forget or lose your password.

Yet sometimes these security questions are too simple, and the answers you provide may be things that people can find out about you far too easily in a web search or on social media. You may tweet a photo of your first dog, and mention that his name was Rex. You may post on Facebook that you met your second grade teacher, Mrs. Harrison. And your mother’s maiden name may be so widely used that anyone who hacks into a large database of user information could find it.

Fortunately, there are ways to get around this. This post explains how to choose the best security questions you should answer, and how to securely answer them so no one can figure them out.

Asking the right security questions

A few years ago, the film Now You See Me told the tale of four magicians, the Four Horsemen, who hacked into a man’s bank account and gave the money away in an elaborate Robin Hood scheme. The way they hacked the account was simple: they found the answers to the security questions he had used. You can see the technique in a clip from the film on YouTube.

His first pet’s name, his uncle’s name, and a few careful bits of social engineering allowed the Four Horsemen to access the account and abscond with the money. (RELATED: The 6 Most Common Social Hacking Exploit Techniques)

This is a bit extreme, but dial things down to your scale. Someone may want to get into your email account to impersonate you to your friends, or into your PayPal account to steal your money. Your user name and password matter, but security questions let someone into an account when they have “forgotten” one or both of those credentials; for an attacker, they are a second way in that bypasses the password entirely. And Apple even asks you two of these questions when you log in to its Apple ID website, even though you have already entered your user name and password.

Some sites have a set of required questions, and others offer a choice. Apple requires that you select three questions, and for each one it gives you several options.

A couple of those options are pretty basic, and the answers could be found out by way of some savvy social engineering, or simply by browsing your Facebook timeline. Best friend and first pet are far too common; don’t ever use those.

The first thing you learned to cook could be a good choice, but be careful when you’re on a date and you talk about your cooking skills. The first film you saw in a theater? I don’t remember that, and I bet most people don’t. The first place you flew on a plane may be something you’ve shared on social media, as is your favorite elementary school teacher.

In a nutshell, these security questions are designed to be memorable, not necessarily secure. With the options offered for the other two questions, you should be able to find one safe question for each of the three required. However, questions like What is the name of your favorite sports team? are simply too banal; anyone who’s a big sports fan will have tweeted, or posted to Facebook or Instagram about that many times. And for some of these questions, even if you don’t mention the answer online, your kids might. (RELATED: 8 Things to Teach Your Kids Never to Give Out Online)

The best answers to security questions

So what are the best answers to give for security questions? It’s essential that we give answers that we can remember, or that we can look up when we need them. There are ways to do this that ensure no one else can figure them out.

The first thing you can do is change the spelling of some of your answers. This is a good idea, as long as you can remember the changes you’ve made. So if your first car was a Mazda, you could spell the answer Mazzzzda; if your first pet was Snuffles, you could spell it Snnnufffles. These duplicated letters won’t be hard to remember, and they will protect you from idle hackers who simply look up the true answer. Bear in mind that this is a thin defense: someone who knows the real name and is willing to try a handful of spelling variants may still get in, so treat it as the minimum, not the whole strategy.

The next thing to do is to choose questions for which you don’t have a real answer. For example, I’m not a big fan of sports, so I could choose the favorite sports team and just make up a team, say the Passaic Redheads, or the Marin County Whales. As long as you can remember the answer, this is a great way to use something that’s not complicated but that doesn’t actually exist, so there is nothing for an attacker to look up.

eBay has a good solution for this. Along with the banal questions, it offers one option: Choose your own phrase. You can therefore create at least one question that no one can figure out, since they won’t even know the question. Think of any combination of words that is memorable to you.

Another option is to lie. Yes, that’s right, just don’t tell the truth. For example, the make of my first car? Ed Norton. My favorite book? Ralph Kramden. The first album I purchased? McGanahan Skjellyfetti. (RELATED: Did Jennifer Lawrence’s Naked Photos Leak Out Because She Told the Truth? Lying Can Protect your iCloud Account)

Or why not go even further? If you don’t use a password manager, you should. You can store the answers to these questions in secure notes in these apps, which lets you use any answer you like. Your first car? How about “itsszafZaHh83i.” Your favorite sports team? “Thieves-Positive-Extra.” Use your password manager to generate an answer just as you would a password, then look it up when you need it. No one will guess an answer like that from your social media or from a leaked database, and since it has no connection to you, nothing you post can give it away. The one caveat is that your recovery path now lives in the password manager, so make sure you can always get into the manager itself (keep its master password and any recovery key somewhere safe), or you lose both the password and the way to reset it.
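To put numbers on why a generated answer beats a misspelled or made-up one, here is an added example (not code from the original post or from any password manager) that generates the two kinds of answers shown above with Python’s CSPRNG and compares how many guesses each would take. The wordlist, the “1,000 popular pet names” figure for a true answer, and the 7,776-word list size assumed for a real passphrase generator are all constructed assumptions for illustration.

```python
import math
import secrets
import string

# Constructed toy wordlist so the code runs offline. The entropy figures for
# a real passphrase generator below assume a 7,776-word list (the size of the
# EFF long diceware list), not this 16-word stand-in.
TOY_WORDLIST = [
    "thieves", "positive", "extra", "whale", "lantern", "marble", "pepper",
    "quartz", "ribbon", "saddle", "timber", "velvet", "walnut", "yonder",
    "zephyr", "anchor",
]

ALNUM = string.ascii_letters + string.digits  # 62 symbols


def bits_for_uniform_choice(candidates: int) -> float:
    """Entropy, in bits, of an answer drawn uniformly from `candidates` options.

    A true answer such as a pet's name is not random, but treating it as a
    uniform draw from a list of popular names gives an optimistic upper bound
    on how hard it is to guess.
    """
    if candidates < 1:
        raise ValueError("need at least one candidate")
    return math.log2(candidates)


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n words chosen independently from a list of wordlist_size."""
    return n_words * bits_for_uniform_choice(wordlist_size)


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a random string of `length` symbols from the given alphabet."""
    return length * bits_for_uniform_choice(alphabet_size)


def passphrase_answer(n_words: int = 3, wordlist=TOY_WORDLIST, sep: str = "-") -> str:
    """Generate a 'Thieves-Positive-Extra' style answer using secrets (CSPRNG)."""
    return sep.join(secrets.choice(wordlist).capitalize() for _ in range(n_words))


def random_answer(length: int = 14, alphabet: str = ALNUM) -> str:
    """Generate an 'itsszafZaHh83i' style answer using secrets (CSPRNG)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_answer_strength() -> dict:
    """Guess-space comparison, rounded to one decimal bit.

    Assumptions (constructed for this example): a real first-pet name is one
    of the 1,000 most popular pet names; the passphrase uses three words from
    a 7,776-word list; the random string is 14 alphanumeric characters, also
    shown lowercased in case a site folds case before comparing answers.
    """
    return {
        "popular pet name (1 of 1,000)": round(bits_for_uniform_choice(1000), 1),
        "3 words from 7,776-word list": round(passphrase_bits(3, 7776), 1),
        "14 random alphanumerics": round(random_string_bits(14, 62), 1),
        "14 random alphanumerics, case-folded": round(random_string_bits(14, 36), 1),
    }


if __name__ == "__main__":
    print("passphrase answer :", passphrase_answer())
    print("random answer     :", random_answer())
    for label, bits in compare_answer_strength().items():
        print(f"{label:40s} {bits:6.1f} bits")
```

Each extra bit doubles the number of guesses an attacker needs. A true pet name, generously modelled as one of 1,000 popular names, is worth about 10 bits, and adding a few repeated letters to it adds only a handful more. Three random words from a 7,776-word list give about 39 bits, and 14 random alphanumerics about 83 bits (about 72 if the site lowercases answers before comparing), which is why a generated answer stored in a password manager is the strongest of the options in this post.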

These security questions matter, since they help you get back into your account if you’ve forgotten your password. But the best strategy is to never forget the password (use a password manager for that), and not to use security questions whose answers are easy to figure out. As you saw in the clip from Now You See Me, giving up this information could cost you millions of dollars.
