Security questions are a common fallback for getting back into your account if you forget your password. But when you’re setting up your security questions, step back and ask yourself, “should I answer truthfully?”
The quick answer is “no.”
Let’s take a look at why.
Most of us have social media in one form or another. Whether it’s Facebook, LinkedIn, Twitter, Instagram, or some random flavor-of-the-week app, we often spend at least a bit of time connecting with people online and sharing our lives. And while we know not to share our bank account, Social Security number, or credit card numbers online, we may still be sharing the keys that unlock our personal accounts.
How many of you have posted something like:
“I can’t believe Fluffy died 15 years ago today. RIP to my first dog.”
“Throwback Thursday to my childhood home on Grant Street!”
“This day, 25 years ago, my mom Lilly Johnston married my dad, Peter Smith. Congrats, you two!”
Anyone data-mining your social media accounts now has the answers to three of the most common security questions:
“What’s the name of your first pet?”
“What street did you grow up on?”
“What’s your mother’s maiden name?”
“Okay,” you might say, “I won’t share my mother’s maiden name.” But what about the other common security questions?
“What’s your favorite book?”
“Where did you go to high school?”
“What was your first car?”
Now you have to be wary of connecting with old schoolmates, recommending reading material, and definitely stop sharing those throwback pics of your rusty Dodge Dart.
Do you see where we’re going with this? It’s easy, so easy, to slip up. And that’s exactly what data-miners are looking for: any slip-up they can use.
This doesn’t even take into account paid people-search listings, which can easily contain old addresses, parents’ full names, and other useful tidbits.
Which brings us back to answering security questions. You can either answer truthfully and hope the answers aren’t online, or you can give wrong answers and stop worrying. A wrong answer is effectively a second password: it adds a layer that an attacker can’t get past by researching you, which matters most with the standard questions every site asks (more on that in a bit).
Of course, the whole convenience of security questions is that you can easily remember the answers (which is also exactly why someone else can easily find them).
The best place to keep fake answers is a password manager, stored alongside the login for that site. You will need the answers handy when your password expires or you get locked out. But if you don’t have a password manager (you should get one, and here’s why ____blog____), there are some tricks you can use. One is to answer truthfully but butcher the spelling. This doesn’t work well for short answers, but if the first concert you saw was the Grateful Dead, you could change it to “Gratfulll Ded” or something that you can remember but no one would guess. One caveat: many sites ignore case and sometimes spaces or punctuation when checking an answer, so a misspelling that only changes capitalization adds nothing.
Another option is to come up with answers so ridiculous that you won’t forget:
“What’s your favorite color?” “Mars.”
“What’s your favorite movie?” “French fries.”
“What’s the name of your first pet?” “Alexander Hamilton.” (Unless you’re a huge Lin-Manuel Miranda fan and that’s the correct answer…)
You can also level up your answers by sidestepping single-word answers and creating full phrases and sentences. It’s much harder to guess “That movie about the big shark that eats everyone” than “Jaws.” (Check the site’s limits first; some cap answer length or reject punctuation.)
Note that you should always use different answers from site to site. Sure, your fake answers might be hard to crack, but if you reuse the same three question/answer combos everywhere, all your logins are in trouble as soon as one of those sites is breached and its answers are leaked. Security answers are routinely stored in plaintext or weakly hashed, so treat them like passwords: unique per site.
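If you treat security answers like passwords, you can generate them like passwords. The script below is an added example written for this post, not something from the original article or any password manager: it builds random multi-word answers from a word list using Python’s `secrets` module, generates a separate answer for every question on every site, verifies that no answer is reused, and reports how many bits of guessing resistance each answer carries. The small word list embedded here is constructed for the demo; in practice you would load a large list such as the EFF long word list (7,776 words), which the entropy helper models below.

```python
import math
import secrets

# Constructed sample word list for the demo (32 words). A real run would load
# a large, published word list; 32 words x 4 picks is only 20 bits, which is
# far too weak for production use and is shown here only to make the math visible.
WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orchard", "pepper",
    "quartz", "rocket", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "bridge", "copper", "dune", "forest", "glacier", "hollow",
]


def generate_answer(words=WORDS, count=4):
    """Return a random phrase of `count` words chosen with a CSPRNG.

    Each pick is independent, so the answer has count * log2(len(words)) bits
    of entropy regardless of what an attacker knows about you.
    """
    return " ".join(secrets.choice(words) for _ in range(count))


def entropy_bits(wordlist_size, count):
    """Bits of guessing resistance for `count` uniform picks from `wordlist_size` words."""
    return count * math.log2(wordlist_size)


def answers_for_sites(sites, questions, words=WORDS, count=4):
    """Generate an independent answer for every (site, question) pair.

    Returns {site: {question: answer}}. Nothing is shared between sites, so a
    breach of one site's answer database reveals nothing about the others.
    """
    return {
        site: {q: generate_answer(words, count) for q in questions}
        for site in sites
    }


def find_reused_answers(answers):
    """Return a list of (answer, [(site, question), ...]) for any answer used more than once."""
    seen = {}
    for site, qa in answers.items():
        for question, answer in qa.items():
            seen.setdefault(answer, []).append((site, question))
    return [(a, where) for a, where in seen.items() if len(where) > 1]


if __name__ == "__main__":
    # Constructed example inputs: three sites, the three standard questions from the post.
    sites = ["bank.example", "mail.example", "shop.example"]
    questions = [
        "What's the name of your first pet?",
        "What street did you grow up on?",
        "What's your mother's maiden name?",
    ]
    table = answers_for_sites(sites, questions)
    for site, qa in table.items():
        print(site)
        for q, a in qa.items():
            print(f"  {q} -> {a}")
    print(f"reused answers: {find_reused_answers(table)}")
    print(f"demo list: {entropy_bits(len(WORDS), 4):.1f} bits per answer")
    print(f"EFF long list (7776 words): {entropy_bits(7776, 4):.1f} bits per answer")
```

The generated answers go straight into the password manager entry for that site, next to the password; the word list and this script hold no secrets, so they need no protection. Using `secrets` rather than `random` matters: `random` is seeded predictably and is not suitable for anything an attacker is trying to guess.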
And if you absolutely won’t be able to remember, write them down. Obviously, you won’t want to leave your answers on a computer or in a public place. It’s best to keep a hard copy hidden in a private, personal place (not under your office telephone or, really, anywhere unlocked in your office). And if you do write the answers down, get sneaky: write only the answers, not the questions. Misspell them. Make it look like a shopping list. Anything that masks what it truly is.
And, if given the option, always write your own questions. Many sites only offer standard questions (like all the ones listed above), but more and more sites let you write your own. If given the option, take it. And don’t use a standard question or a question that’s easy to answer (“What’s 2 + 2?”). We still recommend a fake answer, but if you insist on a true one, make the question one that no one else could ever answer.
This may sound like an extreme solution, or like we’re really paranoid, but when it comes to your most sensitive information (or your company’s), isn’t a healthy amount of paranoia worth it when you consider the alternative?