Security questions are the key to cybersecurity

When it comes to cybersecurity, good password practices are seen as the bedrock that can help consumers stay safe. But while strong passwords are an extremely important part of the puzzle, there’s often another aspect of cybersecurity that goes unmentioned – security questions. These are common questions like “What city were you born in?” that are used to authenticate your identity if you forget your password, are accessing your account for the first time or need to speak with a representative over chat or on the phone. As security experts have noted, though, these security questions have major weaknesses. Below we take an in-depth look at how security questions work and the best ways of using them.

What exactly are security questions and when are they relevant?

As briefly mentioned above, security questions are tied to online accounts and services. They are typically only used when you forget your password and are designed to be an alternate method of logging in, although some services might use them to identify you when you log in from a new device or wish to speak with customer representatives about your account. Most services and accounts require you to answer multiple security questions before allowing you to change your password or access account information, which provides some level of security; however, the fact that these are all static questions with static answers creates a glaring security hole. In fact, someone who wants to enter your account and change settings can circumvent your password and simply take a crack at answering these questions online or over the phone.

What is the issue with security questions?

With the rise of the Internet, and most importantly social media, a great many security questions can be answered with a quick Google search. Even if you’re not on LinkedIn or Facebook, public record databases and people search services provide the answers to basic questions about essentially everyone. Some of the most high-profile account hacks of the last few years – including Sarah Palin, David Pogue, Scarlett Johansson and Mila Kunis – came from basic Wikipedia and Google searches. Worse yet, even assuming you avoid questions about basic declarative knowledge (e.g., where you were born and your mother’s maiden name), hackers can guess the answers to less specific questions. For example, as a Google research paper demonstrated, the standard answer to “What is your favorite food?” is “Pizza,” meaning that statistically a hacker has a high chance of breaking into an English speaker’s account by simply guessing pizza. Similar statistical likelihoods can be applied to other subjective questions.

Why do we still use security questions?

Authentication questions are a tradition going back to the 19th century, as reported. Personally identifiable information (or PII) was relatively hard to access, even in the 20th century, given that people didn’t share as much information and rarely talked to people outside of their own social circles. The sudden expansion of the Internet and the drastic increase of the number of people in our lives create new threats to PII in the modern era. Unfortunately, companies have been slow to adapt to the times but, to be fair, they can’t shoulder all the blame. For example, people willingly share PII for known security questions on their social media profiles. As such, some fraction of the failure of authentication questions is the result of people being loose with the details of their personal lives on the Internet.

How to be smart about security questions

Although security questions are a mediocre form of protection at best, there are ways you can be smart about using them:

1. Lie on security questions. If the history and vulnerabilities of security questions teach us anything, it’s that lying on these questions is a good form of security. It’s important to note, though, that if you lie or create complicated answers, there’s a chance that you will forget the response, something also proven by the Google research paper we linked above. If possible, either write down your lies somewhere safe (like a locked filing cabinet) or make them memorable white lies – responses that are true, but vague enough that they can’t be found on Facebook or people search databases.

2. Make sure your lies are hard to guess. Essentially, if you use a sensible lie for a security question, it’s better to make sure it doesn’t fall under the same category as a truthful answer would. For example, instead of listing a city or location as an answer to “Where were you born?” you can respond with a personal favorite dish (just don’t say pizza!). Or you can answer the question “Who is your best friend?” with the name of a location, like Venezuela or the name of an obscure restaurant. Alternatively, you can opt to turn your responses into passwords — some experts recommend forgoing answering security questions like questions and just typing in random character strings, like you would when making a password. But again, as Google noted, keeping track of this much information can be difficult.

3. Choose more obscure questions to answer. You should definitely avoid questions that use basic declarative knowledge as responses (where you were born, father’s middle name, mother’s maiden name, etc.) unless you intend to outright lie or use a unique response, like the password technique we mentioned above. Some services and sites offer questions that are less common like “Who was your best friend in the third grade?” Usually, questions of this nature might be hard to answer truthfully, even with help from Facebook, because of how specific and far back in your past they might be, which makes them a perfect question for you to answer.

4. Protect your PII. A lot of sites and services offer you a similar pool of questions, so it’s very important that you don’t reuse questions or responses, similar to how you should avoid reusing passwords. Reusing questions and responses makes it easier to guess what PII might be useful to breaking into all your accounts. Similarly, don’t discuss information that could serve as potential PII on social media for the reasons we detailed above. If the privacy of your PII is something that’s important to you, you may want to consider enlisting the help of an identity theft protection service. The top-rated services monitor the use of your personal information on public records, people search databases and the dark web and alert you in the event that your information is spotted. While an identity theft protection service may not be able to show you every piece of your information that’s living on the Internet, it can help you get a general idea of what PII exists online, so you can avoid using it for security questions. What’s more, a number of these services offer free trials, which means you can test them out without making a financial commitment. Read our identity theft protection reviews to learn more about these services and what they have to offer.

5. Use other forms of authentication if possible. Some companies are progressing beyond security questions and providing other methods of authentication, like two-factor authentication (2FA) or even password-free logins. If you’re not sure whether or not a website or service you use offers such options, go into the account settings section of the site or call customer support to find out.
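
To make tips 2 and 4 concrete, here is an added example (not part of the original article) that checks a list of answers for reuse across sites and then generates a separate password-style answer for every question. The site names, the sample answers and the function names are made up for illustration, and the matching rule (ignoring case and surrounding spaces) is an assumption about how a lenient site might compare answers.

```python
import math
import secrets
import string
from collections import defaultdict

# Lowercase letters and digits only: easy to read to a phone representative.
ALPHABET = string.ascii_lowercase + string.digits

# Constructed sample data (not from the article): answers someone already uses.
OLD_SHEET = {
    ("bank.example", "What is your favorite food?"): "Pizza",
    ("mail.example", "What is your favorite food?"): "pizza ",
    ("shop.example", "What city were you born in?"): "Springfield",
}

def normalize(answer):
    """Assumed lenient comparison: trimmed and case-insensitive."""
    return answer.strip().lower()

def reused_answers(sheet):
    """Map each answer used on more than one site to the sites that share it."""
    sites = defaultdict(set)
    for (site, _question), answer in sheet.items():
        sites[normalize(answer)].add(site)
    return {a: sorted(s) for a, s in sites.items() if len(s) > 1}

def random_answer(length=16):
    """A password-style answer drawn from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length=16):
    """Bits of entropy in a uniformly random answer of this length."""
    return length * math.log2(len(ALPHABET))

def replacement_sheet(sheet, length=16):
    """Give every (site, question) pair its own random answer, never repeated."""
    new_sheet, used = {}, set()
    for key in sheet:
        answer = random_answer(length)
        while answer in used:  # vanishingly unlikely; enforces the no-reuse rule
            answer = random_answer(length)
        used.add(answer)
        new_sheet[key] = answer
    return new_sheet

if __name__ == "__main__":
    print("reused:", reused_answers(OLD_SHEET))
    for (site, question), answer in replacement_sheet(OLD_SHEET).items():
        print(f"{site:14} {question:30} {answer}")
    print(f"about {entropy_bits():.0f} bits per answer")
```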
