Security question and answer tips
Getting to know you (for password purposes)
How many times have you forgotten your password and were asked to answer security questions? This is currently one of the most-used methods of password retrieval and reset. Authentication is done by using a number of questions (mostly personal) to which users are asked to provide answers. This technique is based on the assumption that the question can only be answered by the real user.
It is very important that both questions and answers are challenging enough to provide a real roadblock for malicious hackers. If your security questions to password recovery are breached, in fact, you might have something to do with it. These innocuous-seeming queries could be a weak link that could impair the usefulness of even the most secure passwords.
FREE role-guided training plans
This article provides tips on creating questions and answers to help you keep your accounts secure. The objective is knowing how to create a security question that elicits not-so-obvious responses and answers that are not so easy to guess. An answer to a security prompt that can easily be found through a simple Web or social media search query does not provide any protection for users.
A typical question, for example, asks the user to give their mother’s maiden name. A hacker could easily retrieve that information from any Facebook account, especially those in which people have identified their family members in between friends and/or have an open profile.
Tips for effective security questions
A lot of attention is focused on choosing the right answers, but in reality, choosing the right security questions is the first step in creating a system that better secures passwords.
The first tip, then, is quite obvious. Choose security questions that do not make it too easy for a hacker to guess an answer. Questions like “What is your father’s name,” “which school did you attend” and “what is the model of your current car” are easy to guess as this information is most likely retrievable from any social media profile. Less obvious questions elicit information that is not normally shared openly on the Web, such as “What was the last name of your favorite sixth-grade teacher” or “who was your favorite childhood hero?”
Another great feature of good security questions is the high number of possible answers. Ensuring that each question has a great number of possible responses limits the ability of hackers to simply guess the right combination. Asking what your favorite eye color is, for example, only allows for a limited number of standard replies, while asking your favorite girl’s name taps into a much larger set of possible replies.
Another great way to prevent easy guessing is to create questions that do not elicit responses that are too personal. Again, questions about your dog’s name, your city of birth or your father’s middle name can potentially be easy to guess. Asking, instead, for the name of a college for which you applied but ended up not attending is a much more difficult info to guess.
Lastly, be creative in your questions! There are a number of questions that recur whenever a password reset procedure is needed. A hacker who finds the answers to some of them might be able to access multiple accounts for the same user in a very easy manner. Giving operators the chance to pick new, innovative types of questions is a great way to ensure more security and a better fighting chance against intruders.
Tips for effective security answers
Make answers to the security questions just as strong as your passwords. “Statistically, the longer a password — or answer to a security question — the more difficult it is for someone to guess,” as Jordan Holz, CIPP/US, advises in a post via International Association of Privacy Professionals (IAPP) website. However, there are a few things users can do to make life hard for malicious hackers trying to guess the answers to the security questions.
Here’s a tip: Consider using multiple words in your answer. A one-word response could be easier to guess, predictable and even susceptible to a brute-force attack. Answers containing more than one word add unpredictability and complexity while still keeping the answer easy to remember.
Another strategy is developing a set of false answers in reply to standard security questions. Providing fake answers to the usual questions used to reset passwords keeps hackers gathering information on social media or through phishing away from the correct keywords.
Responses are no longer personal and will be much harder to guess. If you choose a question that might reveal obvious information like your favorite breed of dog or your favorite music genre, widely available through social media searches (e.g., a Facebook profile page), then make sure to give a bogus response. To make things easier, you could think of a friend and use his or her preferences to set up your reset combination.
You could also use a combination of lies and truths in your answers, making them relatively difficult for an unauthorized person to obtain and less susceptible to guessing or research.
Another idea is to make answers to the security questions long or random. However, it is then necessary to develop some sort of pattern to remember them.
You can utilize longer words (as multi-word passphrases) or use abbreviations (acronyms or short forms) you normally use, as well as answers that contains special characters (e.g., F@cebook4Me!). Choosing answers of at least eight characters and containing at least one numeric or non-alphabetic character, as you would for a password, is a safe option.
You could also choose a long, completely random sequence of characters to be very secure. That’s obviously a difficult feature to include, but if you are able to memorize a string, you could possibly insert it in your answers and make them virtually impossible to guess.
On the contrary, you can opt to use short and simple answers as long as they are not used in a predictable way. (Q: What is your least favorite social media site? A: Qzone — a Chinese social networking site and blogging platform.)
Another way to add unpredictability to your answers is to write words in non-standard way. For example, you could develop a pattern in which the second and third letter are inverted and the sixth and seventh are always inverted. You can also use a foreign language in your replies. (Q: What are your favorite animals? A: Les chiens et les chats = dogs and cats.)
Conclusion
A strong password is a must to safeguard accounts, but even the strongest password is not safe if it can be easily reset through weak security questions and answers. No matter how secure your password is, in fact, it will always be vulnerable if a hacker can easily reset it.
Robust security questions and hard-to-guess answers are paramount to safeguard your login credentials from being compromised. Password reset systems, based on information that are supposedly known only to users, are often subject of debate on their safety and effectiveness. However, there is much a user can do to protect the efficiency of the system.
Placing the same amount of effort in choosing the right answers as in creating passwords is a great way to ensure this authentication method remains safe and effective. It is obviously important to never share answers with anyone and not choose answers that are so complicated that you have to write them down to remember them.
However, there are also many strategies that can be adopted in order to make questions more effective and answers more difficult to guess. For example, good security questions produce answers that are:
- Safe: Cannot be guessed or researched
- Stable: Do not change over time
- Memorable: Can be remembered easily
- Simple: Are precise, simple, consistent
- Many: Have many possible answers
Since security questions are not going away any time soon, it is best to strengthen your answers now while waiting for better systems to be implemented. The tips above can help you do just that.
Sources
- Secret questions blow a hole in security, Computer Weekly
- Security Questions Don’t Protect You: Here’s Why, IAPP
- Security Questions – Hard to Remember, Easy to Guess, Computing Dynamics
- Ask better password questions, CSO
- Examples of Security Questions, Good Security Questions
- Time to Kill Security Questions—or Answer Them With Lies, WIRED
- Use Fake Answers to Online Security Questions, Lifehacker
- How to Answer Security Questions Securely, Defending Digital
- How To Create A Security Question That No One Else Can Guess, MakeUseOf.com
In this Series
- Security question and answer tips
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security