Should You Ditch Account Security Questions?
Articles about creating strong passwords and using other verification methods are everywhere. Biometrics and two-factor authentication have been the main topics of discussion in recent years. But what many users don’t think or read about are the dull security questions they need to choose during the sign-up process.
With today’s culture of oversharing, anyone can find a lot of personal information about others online. At least some of it can help to guess answers to popular security questions.
Is it even safe to use them anymore? Let’s learn more about best practices when choosing and answering your account recovery questions.
Security Questions: Then and Now
Security questions used to be the most popular password recovery method. In the old days, when social media wasn’t as prevalent as it is today, it made sense to use personal information to secure one’s account.
But with the rise in popularity of social media, users share personal information for everyone to see. Nowadays, it can be quite easy to discover one’s old home address, their mother’s maiden name, or their third-grade teacher’s name. Performing a quick social media search can be enough to discover all that and more.
Hackers Love Security Questions
There are two main ways a hacker can score the answers to one’s security questions:
- Data breach
- Research and guessing
Data breaches have become a daily occurrence. Hackers steal passwords and carry out credential stuffing attacks on many popular platforms. Often, they take not only passwords but also answers to one’s security questions. Then they can hack accounts on a massive scale.
Guessing can also be useful in obtaining the answers to one’s security questions. Google has reported that hackers have around a 19.7% success rate at answering generic security questions. Choosing one’s favorite food or birthplace as an account recovery question is the worst way to go.
On the other hand, research improves the success rate of solving security questions. But such attacks are usually more targeted, and thus even more dangerous. Social media, such as LinkedIn, Instagram, Facebook, and Twitter, often holds more information than users are aware of.
Many people don’t consider the fact that they might be exposing the answers to their security questions online. These are some of the security questions that are the easiest to crack thanks to social media:
- Where did you meet your spouse?
- What is your mother’s maiden name?
- What is the name of your first pet?
- Which elementary school did you go to?
- What is the name of your hometown?
- Who is your favorite artist?
- When is your anniversary?
- What is your father’s middle name?
- What is your favorite color?
Recommendations For Security Questions
As discussed, security questions aren’t as secure as other authentication methods. You’re still better off using two-factor authentication, for example.
But many sites still use security questions. Thus, it’s helpful to learn more about best practices when it comes to answering your security questions. There are certain things you can do to ensure maximum security. Here are the top recommendations.
1. Use Lies as Answers
It is probably one of the best ways to ensure that no one can guess or discover your answers. You can use false information to answer your security questions or enter random sentences and quotes. It is a double-edged sword, though. By using fake answers, you’re more likely to forget them. Luckily, there is a solution for that as well – using a password manager to store your answers.
2. Use a Password Manager to Store Answers
Password managers are a great tool, not only for storing passwords but also for storing responses to one’s security questions. But make sure to install a password manager with zero–knowledge encryption. Then you are the only one that has the keys to your saved information, which adds another vital layer of security.
3. Use a Mix of Characters
Lastly, if you don’t want to lie or use a password manager, you can still use truth, but with a little twist. Instead of writing the answers in a conventional way, use a mix of uppercase and lowercase letters and symbols instead of spaces. However, it only works with security questions that are case-sensitive. Some software may not be able to differentiate uppercase from lowercase.
Nowadays, there are a lot of new password recovery methods. But a lot of websites still use security questions for recovering one’s password. Security questions have gotten a lot of bad rep in recent years, but if answered cleverly, they can protect your accounts.