Should I answer “security questions” honestly?

So you have an online account somewhere, and you have to answer “security questions” that will be used to recover your account in case you forget your password. What’s your birthday? Mother’s maiden name? Color of your first car? Etc.

The problem is that they’re asking you for publicly available information!

These “security questions” can actually decrease your security, so even though you’re an honest person, let’s explore whether you should be answering these questions honestly.

Let’s consider the questions being asked. What’s your birthday? It’s on social media, on your identification card, and on a bunch of sign-up forms or applications you’ve submitted to many, many places. What’s your mother’s maiden name? You provided that also to a bunch of places as the answer to a security question, but by now some of those places have been hacked, so you can’t really be sure that it’s such a secret anymore. What was your first pet’s name? What’s the name of the street where you grew up? These security questions have also appeared on silly quizzes which you may have answered online to find out your, um, special nickname.

What can go wrong? If you always answer honestly, and if the same questions are asked on multiple websites, and if any one of them is hacked, the attackers will have information they can use to access your account somewhere else without even having to guess your password. These “security questions” become a backdoor into your account. I’m sure that most sites are well-meaning when they try to give you a way to recover access in case you lose your password. Unfortunately, the effect can be a decrease in the security of that account if the required information can be obtained somewhere else.

Whenever you look at a security question from now on, consider where that information might be found publicly. Remember that “public” is really anywhere besides 1) your own mind or private belongings, and 2) the place where you’re making an account. If someone knows all the answers, they can get into your account without your password.

When thinking about whether you should answer security questions honestly, remember that the only purpose of these questions is to help you recover access to your own account while preventing others from doing so. Whatever business is asking these questions certainly should not be using the answers for anything else. Answering honestly creates a substantial risk of harm to yourself, answering dishonestly harms no one at all, and a made-up answer actually serves the sole purpose of these questions better than the true one. So you can feel good about answering them securely instead of honestly.

Treat the “security questions” like just another password. If you use a password manager, generate a password for each one and label it with the website name and a comment like “Answer to <question>”.

Do NOT use your actual password to the website as the answer to a security question. Make up a different one. Some websites don’t hash the answers to your security questions the same way they would your actual password. If someone hacks that website and steals the database, and your primary password is stored unhashed as the answer to a security question, the attacker will be able to access your account with it, and you won’t even notice because there won’t be an access recovery event: your password won’t be reset, you won’t get any acknowledgement emails, etc.

So what is your mother’s maiden name? Maybe it’s “u5PGNY7r”.
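The two halves of the advice above in code, as an added example that is not from the original post or from LoginShield: the user side generates a random answer a password manager would store under “site – Answer to question”, and the site side stores that answer salted and hashed exactly as it should store the password, so a stolen database does not hand out plaintext answers. The PBKDF2 parameters and the normalization rule are assumptions, not a description of any particular site.

```python
import hashlib
import hmac
import secrets
import string

# Assumed alphabet for generated answers: letters and digits, like "u5PGNY7r".
ALPHABET = string.ascii_letters + string.digits


def generate_answer(length: int = 16) -> str:
    """User side: a random answer for one site's question, unrelated to the
    true fact and to the site's login password. Store it in the password
    manager labelled with the site name and 'Answer to <question>'."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def normalize(answer: str) -> str:
    """Site side: tolerate case and whitespace differences before hashing,
    so the user is not locked out by 'Fluffy' vs 'fluffy '."""
    return " ".join(answer.strip().lower().split())


def store_answer(answer: str, iterations: int = 600_000) -> dict:
    """Site side: salted PBKDF2-HMAC-SHA256, the same treatment the login
    password gets. The returned record never contains the plaintext answer,
    so a database theft does not reveal it."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                                 salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_answer(record: dict, candidate: str) -> bool:
    """Site side: recompute the hash for the candidate and compare in
    constant time, so timing does not leak how many bytes matched."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode("utf-8"),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    answer = generate_answer()              # e.g. "u5PGNY7r..." (random each run)
    record = store_answer(answer)
    print("generated answer:", answer)
    print("stored record:", record)         # salt, iterations and hash only
    print("correct answer accepted:", verify_answer(record, answer))
    print("real maiden name rejected:", verify_answer(record, "Smith"))
```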

Learn more about how we designed our access recovery process in LoginShield.