Tips and tricks to limit the risk of reused security questions

Almost everyone with an online account has had to answer security questions in order to access a service or application. The purpose of these questions is to periodically confirm identity or to allow access in the event of a forgotten password.

The downside to these security questions (and their answers) is that they become a liability if the answers are leaked (e.g. in a data breach) or are common knowledge. Why? Because many websites use the same security questions, or only minor variations of them. This standardization of security questions carries a significant and unnecessary risk. The risk of reusing security questions is similar to the risk of reusing passwords. When an account is compromised, the leaked password is tied to an identifier (an e-mail address or username), and the pair can be replayed against other accounts that use the same identifier. If a password is reused across dozens of accounts, the disclosure of just one of them could put all the others at risk.

While we generally have control over the passwords we choose, as individuals we have no authority to change the questions that websites and services ask. However, we can answer these questions creatively to keep our accounts secure and reduce the threat. Here are some basic tips:

1 / Avoid selecting the same security questions in multiple places if possible. If the site allows it, write your own question. This limits the fallout if a question/answer pair is leaked and avoids putting other accounts at risk. This advice is especially important for public figures and for anyone whose biography is published online, since the answers to the standard questions (birthplace, mother's maiden name, first school) can simply be looked up.

2 / Don't answer security questions in plain text (or in your native language). That is exactly what an attacker expects, and it is a mistake. Treat your answers like passwords and add complexity to them. For example, let's say I was born in Little Rock, Arkansas. The security question "What city were you born in?" would expect the answer "Little Rock". If the complexity is increased, the new answer could be "L! Ttl3 r0ck". The latter is harder to guess by hand and adds a layer of obscurity. Be aware, though, that this is the weakest of the three tips: character substitutions of this kind ("3" for "e", "0" for "o", inserted punctuation) are predictable, and password-cracking tools apply exactly these mangling rules to wordlists of cities and names automatically. Use it only when you cannot store a random answer as described below;

3 / In many cases, the best solution is to enter fictional answers to these questions, so that the true answer is never on record at all. Use a personal password manager to fill in the answer fields with password-like answers, then save each question and answer in the password manager. For example, for an e-commerce website, you could create an entry named "ecommercesite.com/question_birthcity" and enter a randomly generated password as the security answer. This allows you to securely store the information you need in the event of a password problem while keeping your answers to the same security question completely random and unique across all websites and applications.

Security questions are designed to strengthen identity validation for access to applications and websites, especially in the event of a password problem or other error. As with password reuse, when the same question/answer pairs are reused across websites, a malicious actor who obtains them once can compromise many accounts associated with that identity. Often it is enough for an attacker to compromise a secondary channel, such as the e-mail account or phone number that receives reset messages, and combine it with the known answers to complete a password reset. Unfortunately, some websites and apps don't even require that much, and the answer to a security question alone is enough to take over an account.