
Security Questions Are Just Passwords

Jeremy W. Sherman

4 min read

Feb 19, 2017


“Where were you born?”

“What is your mother’s maiden name?”

“What is the answer to life, the universe, and everything?”

If your bank, email, or shopping account is “protected” by these questions, and you answered honestly, someone can probably get into your account in just a few minutes of half-hearted Facebookery.

Password generator: To the rescue!

The Insecurity of Security Questions

What’s wrong with security questions? In short: They’re like passwords, if you told all your friends your passwords, and maybe had the Justice of the Peace write them down in public records to be safe. (I mean, that is one way to avoid forgetting your password, I guess.)

In more detail:

  • They’re biographical.
  • People like to talk about themselves.

Passwords are intended to be something secret that only you know.

Security questions, though, have a bad tendency to be a few public or semi-public things that your close friends and family likely know off the top of their head and anyone else could probably dig up with a little work.

Depending on the specific details, the answer to security questions might be a matter of public record—birth certificates tell where you were born, who your mother was, and what her birth name was. Or a matter of Facebook record, because everyone who follows you knows your favorite animal is “puffer fish,” your favorite book is Old English and Its Closest Relatives, and your favorite color is “octarine.”

Managing Passwords

So, security questions are passwords. Luckily, we live in a time of effective and readily available password managers!

You have your choice of several options, from KeePass through LastPass to 1Password. Pick the one you’ll use and keep using, and hold it close.

Treating Secret Questions as Passwords

The key to making secret questions safe is to treat them just like passwords:

  • Generate the secret ~question~ password answer, just as you would generate a password
  • Stash both question and answer in your password manager
  • Relish your newfound security

Generate the Answer

Here’s how you’d do this in 1Password.

  1. Create a new Login item:

  2. Find an empty section:

  3. Name the section “Security Questions” and label the first field with the question:

  4. Use the dropdown at the end of the field to tell 1Password that the field contains a password. This causes the password generator button to appear:

  5. Use the password generator button to generate your password:

    I recommend using the “Words” generator to make your life easier. As a bonus, enjoy the unintentional hilarity of asserting things like “my favorite hobby is, ‘trombone gauntlet cordon.’”

  6. Repeat the process of labeling the field with the question, marking the field as a password and generating a password for all other “security” questions:

Gotcha: Speakable Answers

There’s one catch with secret questions: some day you might have to read an answer over the phone to a customer service rep.

You don’t want to find yourself trying to read out, never mind trying to ensure someone else can copy down, fifty characters of gibberish like “charlie uppercase-bravo hashmark space delta one niner tilde five…”

Instead, take advantage of the ability to generate random words. A few words picked at random from a large word list still add up to a long answer that nobody can guess from your biography, and you have an easy shorthand to communicate it to anyone, because you can rely on their ability to understand and spell English words.

Gotcha: Answer Length Restrictions

If you’ve ever used a password generator, you’ve almost certainly run into this for the main password. Sometimes, there’s also a length limit on the security question answer. You’ll just have to keep whacking down the number of words in the generated output and regenerating till you get something short enough. Even if you end up with only a word or two, that is still far better than an honest answer, which an attacker can narrow down from public records or your profiles.

There’s often terrible messaging around this, including the case where you get no feedback aside from getting dropped back at the form, with a mysterious error message if you’re extra unlucky.

Like this case, where all the “must…” requirements have a green checkmark, and the website still hates my password and/or security questions:

Take a deep breath, and keep trying. You’ve only got to set this stuff up once; as insecure as security questions try to be, at least no-one tries to make you rotate your answers to them!
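The procedure above (generate random words, shrink the answer when the site caps its length, keep each question next to its answer) as an added Python example. This is not code from the post or from 1Password; the word list is a small constructed sample, and a real generator would use a list of thousands of words. The entropy helper shows why the size of that list matters.

```python
"""Speakable, length-limited answers for "security questions".

Added example; it is not code from the post or from 1Password. It does in
code what the post does by hand with the "Words" generator: pick random
words with a CSPRNG, respect a site's answer length limit, and keep the
question/answer pairs together so they can be stashed in a manager.
"""
import math
import secrets

# Constructed sample word list (assumption). A real generator uses a list
# of several thousand words; entropy_bits() shows why the size matters.
WORDS = [
    "trombone", "gauntlet", "cordon", "puffer", "octarine", "lantern",
    "velvet", "marble", "saddle", "quartz", "hollow", "ember",
    "cobalt", "thistle", "harbor", "pepper", "summit", "walrus",
]


def entropy_bits(choices, picks):
    """Bits of entropy in `picks` independent uniform draws from `choices`."""
    return picks * math.log2(choices)


def generate_answer(words=WORDS, count=3, separator=" ", max_len=None, tries=20):
    """Return `count` random words joined by `separator`.

    If the site caps answer length, pass `max_len`: regenerate a few times
    at the current word count, then drop a word and try again, exactly as
    the post describes doing by hand. Refuse (ValueError) rather than hand
    back something the site will reject.
    """
    while count >= 1:
        for _ in range(tries):
            answer = separator.join(secrets.choice(words) for _ in range(count))
            if max_len is None or len(answer) <= max_len:
                return answer
        count -= 1
    raise ValueError(f"no answer fits within {max_len} characters")


def answer_questions(questions, **kwargs):
    """Map each question to a fresh random answer.

    The question is stored verbatim next to its answer, because the site
    will show you the question and nothing else when it asks for it.
    """
    return {q: generate_answer(**kwargs) for q in questions}


if __name__ == "__main__":
    questions = [
        "Where were you born?",
        "What is your mother's maiden name?",
        "What is your favorite hobby?",
    ]
    for question, answer in answer_questions(questions, max_len=30).items():
        print(f"{question!r}: {answer!r}")
    # Why random words beat honest answers: a birthplace looked up in public
    # records is worth a handful of bits; words from a large list are not.
    print(f"3 words from {len(WORDS)} sample words: "
          f"{entropy_bits(len(WORDS), 3):.1f} bits")
    print(f"4 words from a 7776-word list: {entropy_bits(7776, 4):.1f} bits")
```

Copy the printed question/answer pairs into your password manager's "Security Questions" section; the dictionary is the same shape as that section, one labelled field per question.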

Conclusion

  • “Secret questions” have answers that are anything but.
  • Pretend a secret question is just a funny way to spell “password”.
  • Use a password generator to generate answers to the questions and save which answer goes with each question.
  • Feel safer already!

Zack Simon

Reviewer, Big Nerd Ranch
