Are security questions secure? Not really – here’s why

When was the last time someone asked you the middle name of your oldest sibling? Probably not something that comes up in casual conversation – which made it a good option to use as a security question for a bank or online account. But you may have noticed that you have not had to provide such seemingly random information recently.
Security questions are falling out of favor and being replaced with less vulnerable measures. Keep reading to learn why.

By Alyssa Schmitt
A truly secure question may mean you have to write down the answer to remember it

What is a security question?

What is your favorite color? What was the name of your favorite high school teacher? No, these aren’t questions in a speed-dating game, but security questions we’ve all had to answer to gain access to an online account. Security questions are usually used by banks, online services, etc. The purpose of asking such questions is to add another layer of security alongside your password. If you enter the answers in your settings at the time you set up the account, the security question and answer can be used for authentication – in other words, to prove your identity – when logging in, changing your password, or contacting customer support.

Why are security questions used?

A security question is easy to set up and convenient for the user. The idea is that the answer to a security question is easier to remember than a random password, because it is personal information that you would remember anyway, e.g., a fact about your family or your past. And because the answer to a question like “What street did you live on when you were in first grade?” is not assumed to be general knowledge, in theory you will be the only person who can answer the question correctly.

Why security questions can be vulnerable

Answers can be hacked

While security questions are secure in theory, they do not always stand the test of real-life use. They can be hacked just like a password, for example. And since businesses tend to offer the same selection of questions – the most well-known security question example is “What is your mother’s maiden name?” – people end up reusing the answer. So, if one system is hacked and your security question and answer fall into the wrong hands, it can be used to access other accounts.

Other people know your answers

There may actually be other people out there who do know the answers to your security questions. A family member or friend will know a lot of information about your family or childhood, and in some cases – like a disgruntled ex – may not be trustworthy when it comes to your sensitive information.

And let’s not forget that a lot of supposedly private information is available online nowadays, including things we post on our social media feeds. Once upon a time, the name of your first pet might have been a secret, but nowadays, at some point you probably posted a cute old photo captioned “I’ll always remember you, Muffin!”

Security answers can be easy to guess

Just like “Password123” is an easily guessed password, the answers to many security questions are also easy to figure out in one or two tries. In some cases, this is because there are not a lot of possible answers to a question, e.g. “What is your favorite color?” (unless you get really specific and answer “chartreuse”). In other cases, the answer to a security question is simply very common. For example, a 2015 study by Google showed that a hacker had a 20% chance of correctly guessing English-speakers’ answer to the question “What is your favorite food?” on the first try. (Obviously, it’s pizza!)
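As an added illustration that is not part of the original article, the following Python snippet works through the guessing argument above using constructed answer tables (only the 20% first-guess share for “pizza” is taken from the article): it shows how fast an attacker who tries the most popular answers first succeeds against a security question, compared with a randomly chosen password.

```python
import math
from collections import Counter

# Constructed answer-frequency tables (not survey data). The 20% share for
# "pizza" mirrors the first-guess figure the article cites for favorite food;
# the 300 one-off entries stand in for a long tail of rare answers.
FAVORITE_FOOD = Counter({"pizza": 200, "sushi": 90, "pasta": 85, "tacos": 75,
                         "steak": 70, "burgers": 60, "curry": 50, "salad": 40,
                         "ramen": 30})
FAVORITE_FOOD.update({f"rare-food-{i}": 1 for i in range(300)})
FAVORITE_COLOR = Counter({"blue": 350, "green": 180, "red": 150, "purple": 120,
                          "black": 80, "pink": 60, "yellow": 30, "orange": 20,
                          "chartreuse": 10})


def guess_success(freqs: Counter, tries: int) -> float:
    """Chance that an attacker who submits the `tries` most common answers,
    most popular first, hits the account owner's answer."""
    total = sum(freqs.values())
    return sum(count for _, count in freqs.most_common(tries)) / total


def tries_to_reach(freqs: Counter, target: float) -> int:
    """Smallest number of guesses that gives at least `target` success."""
    for k in range(1, len(freqs) + 1):
        if guess_success(freqs, k) >= target:
            return k
    return len(freqs)


def min_entropy_bits(freqs: Counter) -> float:
    """Min-entropy: how much a single best guess is worth, in bits."""
    total = sum(freqs.values())
    return -math.log2(max(freqs.values()) / total)


def random_secret_success(alphabet_size: int, length: int, tries: int) -> float:
    """The same attacker against a uniformly random secret such as a password."""
    return tries / (alphabet_size ** length)


if __name__ == "__main__":
    for name, table in (("favorite food", FAVORITE_FOOD), ("favorite color", FAVORITE_COLOR)):
        print(f"{name}: first guess {guess_success(table, 1):.0%}, "
              f"50% within {tries_to_reach(table, 0.5)} guesses, "
              f"{min_entropy_bits(table):.1f} bits of min-entropy")
    print(f"random 8-char password, 1000 guesses: {random_secret_success(62, 8, 1000):.2e}")
```

With these tables, two guesses cover half of all “favorite color” answers and five cover half of “favorite food”, while 1,000 guesses against a random 8-character password succeed with a probability of well under one in a billion; this is why a lockout after a few wrong answers matters far more for a security question than for a password.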

People forget their saved answer

The same study revealed that almost 40% of people had forgotten the correct response to a security question at some time. This can especially happen if the question is something that can change over time, e.g., “What is your favorite flavor of ice cream?” Back in 2009 it might have been chocolate-chip cookie dough, but that was before you discovered the joys of salted caramel swirl!

Are fake responses to security questions the answer?

Because of the vulnerabilities discussed above, some cybersecurity experts have advised not only giving a fake answer, but even a different wrong answer to each security question. For example, even if your mother’s maiden name is “Smith”, you should save the answer “Jones” for your online banking, “Miller” for your email account, etc. That way no one could find the answer through online research, and even if your data for one account got stolen, the hacker couldn’t use it to access a different account.

The problem with fake answers to security questions is that it can be tricky to remember which untrue answer goes with which account. What you have basically just done is created a second password that you have to remember. If you still have accounts protected by security questions and you’d like to strengthen your security by providing fake answers, many password managers have a field you can use to keep track of this information along with your password.

Safer alternatives to user security questions

Experts are continuing to develop alternatives to passwords and security questions that, at least for now, are considered a more secure way to prove your identity. These include:
  • Biometric authentication: Fingerprint and facial recognition are becoming increasingly common, at least on our mobile devices, because these physical characteristics are harder to steal and are not something you can forget.
  • Multi-factor authentication: Also known as two-factor authentication or 2FA, this method usually requires you to enter a one-time code or click on a verification link. The code can be generated by an authentication app, or the business can send a code or link to an email address or cell phone number that you entered when setting up your account.
  • System-defined security questions: Instead of having you select and save an answer to a standard security question, a business may ask you “spontaneous” questions based on your personal account settings or activity. For example, a bank might ask “Who else is authorized to access this account?”, while an online store might ask “What was your last purchase with us?”
 

Good to know: mail.com is phasing out security questions

Although nowadays we ask for a contact email address or cell phone number for account recovery purposes, some older mail.com accounts still have the option of using a security question. Because of the many ways that security questions are vulnerable, mail.com will now stop using them completely. We’re sending out emails to affected users – but why not take the opportunity today to make sure your account security options are up to date?
 

Make sure your mail.com account is safe!

At mail.com, we use your saved cell phone number and contact email address for password recovery and identity verification. So, it’s important to enter this information when you register and update it if you get a new phone number or secondary email address.

Not sure if your password reset information is up to date? You can view your saved information by logging into your mail.com account and going to Home > My Account > Security options.

While you are checking your contact information, why not make sure you also have saved a correct name, address, and date of birth? We may ask about this information if we ever have to verify your identity when you contact customer service. (You can rest assured that we will never use your saved information for any other purpose or share it with third parties.) And finally, make sure you have a strong, unique password protecting your account.

We hope we have cleared up the mystery of the vanishing security question. Why not leave us some feedback below? And if you still don’t have an account with mail.com, you can create a free email address today!


Images: 1&1/Shutterstock
