
Jazz Solutions, Inc. (JSL)  

Cyber in 60  ·  Cybersecurity

Your first pet’s name is not a secret to hackers

By Avery Moore 

I have written articles about password management. I have told an uncountable number of people about password management. The advice that you should create unique and strong passwords for every single service you use is still relevant and sound. In fact, you don’t need to search the internet very hard to find instances of accounts being taken over because someone used their “old reliable” password on most of their accounts. This is a fundamental personal cybersecurity practice. I’ll say it louder for the people in the back. Use strong and unique passwords for every single online service you use.  Zero exceptions. 

But there’s one aspect of account security that isn’t discussed often or as widely: your security questions. We’re told that we should “limit sharing” on social media. Isn’t the point of social media to share? We’d better not reveal our favorite food or our first car or the city where we were married because, you know, security. And this is one of the fundamental weaknesses of security questions.  

Security questions rely on the fact that 1) you’re going to forget your password; and 2) there are fundamental things about yourself or your past that are immutable. But what they are really intended to do is cut down on calls to the support desk. You forgot your password? No problem!  

  • Question: What’s the name of your first pet?
  • Answer: Fuzzy Britches

Welcome back!! No need to call the support desk now. 

There are at least two points of ponderance I have about these so-called security questions: 

  1. Where and how do online services store and protect the answers to your security questions? 
  2. When (not if) a data breach happens to one of those services, are the answers to your security questions included in the breached data (along with your personal data and password)?

The answer to the first question is: I don’t know, and it probably varies widely across sites and services. The name of your first girl/boyfriend is probably stored in plain text.  

The answer to the second question is: It is probably part of the criminal data haul. As a result, the bad guys now know that your childhood nickname was “Poochy”. 

There’s really nothing you can do about how online services manage your security questions. But there is something you can do on your end. 

If you can, avoid answering security questions in the first place. That information is yours to share or not in accordance with your own tolerance for privacy about the name of your first-grade teacher or your favorite food. However, in most cases, sites and services that use security questions do not let you proceed without answering them.

The best counsel I can give is to treat the answers to your security questions as you would any other authenticator. In other words, treat them just like a password. Both passwords and security question answers should only be known to you. Both passwords and security question answers should be long and strong and—you guessed it—unique for every single site or service.

Here’s an example. I’m going to go ahead and let you know what my favorite flavor of ice cream is. Here it is: 7vri;1&Nu_&% 0Dvx%Y4ETV$ There’s just nothing more delicious than a big bowl of 7vri;1&Nu_&% 0Dvx%Y4ETV$ ice cream!!

Don’t worry, that’s not the answer I really use, but you get the idea. You should be treating this authentication information just like a password. 

Now you may be thinking to yourself that you can’t possibly memorize that and then be able to reproduce it if you “forget your password”. That’s where password managers come in. Use a password manager to create a strong and unique password for each and every site. And, when the security questions appear, use the notes feature in that same password entry in your password manager to record the security questions that you used along with the strong and unique answers to the security questions. Here’s an example of what I do. 

  • Username: UsernameExample
  • Password: I2OB1FP(U}`WN4WX!H)!K+lW=O9omns<
  • Security Questions:
    • Q1: What was the name of your fifth grade PE teacher?
    • A1: !.Z^La&Me3Mc5nx2s-o3$’Z7a
    • Q2: What was the first concert you attended?
    • A2: rbGm’rYrgFpV&ga-nYz$=L~i

When you set yours up, be sure to use something different than what I used above and use a different answer every single time, even for the exact same question. Many password managers provide password creation tools, and there are websites that will generate random strings of characters that you can use for both your passwords and the answers to your security questions. 
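As an added illustration (not part of the original article), the following Python script generates answers locally instead of relying on a website, draws a fresh value for every site even when the question is identical, and renders the note text for the password manager entry. The function names and the `shop.example` / `bank.example` site names are assumptions made for this example.

```python
import math
import secrets
import string

# Printable ASCII without whitespace, so the answer survives copy/paste into a form.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_answer(length=24, alphabet=ALPHABET):
    """Return a random answer drawn from the OS CSPRNG via the secrets module."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy in a uniformly random string of this length."""
    return length * math.log2(alphabet_size)


def build_note(site, questions, length=24):
    """Generate one fresh answer per question and render the note text
    to store in that site's password manager entry."""
    answers = {q: random_answer(length) for q in questions}
    lines = [f"Security questions for {site}:"]
    for i, (question, answer) in enumerate(answers.items(), start=1):
        lines.append(f"Q{i}: {question}")
        lines.append(f"A{i}: {answer}")
    return answers, "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample input: the same questions asked by two different sites.
    questions = [
        "What was the name of your first pet?",
        "What was the first concert you attended?",
    ]
    for site in ("shop.example", "bank.example"):
        _, note = build_note(site, questions)
        print(note, end="\n\n")
    print(f"{entropy_bits(24):.0f} bits of entropy per 24-character answer")
```

If a site rejects punctuation in answers, pass a narrower `alphabet` to `random_answer` and increase `length` to compensate.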

If you use a password manager for all of your accounts, the chances are good that you’ll never need to invoke the use of the security questions at all, because you’ll be able to easily access the password. 

Of course, this is not a “silver bullet” solution, but it does prevent bad guys from easily getting into your account by simply knowing that your first car was a 1979 Ford Fairmont. Becoming a harder target is not difficult, but it does require a little bit of diligence. 

 

