Secure your Security Questions

Security questions
A common authentication mechanism used to verify the identity of a user attempting to access an account or service. In a lot of cases, it is a way for a user to recover an account because of a lost password or no longer able to access the email address.

I loathe this practice especially when forced to create them. To me knowing my mother’s maiden name or what city I was born in enables a person to bypass a uniquely generated Secure Password is like putting a deadbolt lock on a screen door.

I try to avoid creating them if possible as it only weakens the front door. In the cases where I am forced to create them, I typically generate 3-4 random words and document them in a password manager 1.

One potential gotcha I avoid random characters for this because on occasion someone may ask you for it over the phone when you call in. Not a show stopper but spelling a 20-character random password (numbers letters and symbols) over the phone is a painful process. (Ask me how I know) 😖

Sometimes you can enable 2FA / MFA in lieu of security questions that will likely be a win in the big picture. Either way, it should be enabled as there is no downside.

Also posted on Linked-In

  1. There are a few password managers out there I use Bitwarden which is open source and has a free Tier. I also have used 1Password at a former employer which was a solid product. ↩︎