Password Recovery Questions Make Online Accounts Vulnerable

Martin Brinkmann
Jul 1, 2009
Updated • Aug 23, 2012
Internet, Security

Password recovery questions make it possible to recover a forgotten password in a matter of seconds: answer the question and a new password, or a reset link, arrives in the inbox of the email address associated with the account. This is also what makes email hacking a profitable business, since email accounts are usually connected to online stores and other web services. An attacker with access to a compromised email account only needs to answer the secret question to reset the password of a linked web account, which is often a lot easier than figuring out the password itself. Sometimes the security question does not even have to be answered to get a password reset request sent to the associated email address.

A recent study highlights a second weakness: password recovery questions are usually answered honestly, and honest answers to questions about the town of birth, mother's maiden name or the name of a first pet can often be guessed. The study asked acquaintances of 32 webmail users to guess the answers to their secret questions; roughly 20% of the answers were guessed correctly.

Acquaintances of 32 webmail users – people with whom they would not normally share their login details – were asked to try and guess the answers users assigned to protect their accounts. The volunteers managed to guess correctly nearly a fifth of the time, raising questions over how secure the commonly used system is.

Password recovery questions should therefore not be answered honestly. Experienced users fill them out with password-like strings, which makes the answers more or less impossible to guess. These answers can then be stored as notes in a password manager, so that you retain the recovery option should you ever find yourself in a situation where you need to reset an account password.
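The following is an added example, not code from the original article, of what "password-like" answers look like in practice: it generates a random answer per question with a cryptographic random source, packages the question/answer pairs as a note for a password manager, and compares how guessable a random answer is against a real answer drawn from a small pool (such as common pet names). The site name, the questions and the pool size of 1000 are constructed for the illustration; the alphabet is restricted to lowercase letters and digits on the assumption that many sites trim, case-fold or reject punctuation in security answers, so check each site's rules before relying on symbols.

```python
"""Added example (not from the original article): random answers for
password recovery questions, stored as password-manager notes."""
import json
import math
import secrets
import string

# Assumption: sites may lower-case or strip punctuation from answers, so an
# answer that survives case-folding (letters + digits only) is the safe choice.
ALPHABET = string.ascii_lowercase + string.digits


def random_answer(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a cryptographically random answer of the given length."""
    if length < 1:
        raise ValueError("length must be positive")
    # secrets.choice uses the OS CSPRNG, unlike random.choice.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_answer_entropy(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy in bits of a uniformly random answer of `length` characters."""
    return length * math.log2(len(alphabet))


def guessability(attempts: int, answer_space: int) -> float:
    """Probability that an attacker allowed `attempts` distinct guesses hits
    an answer chosen uniformly from `answer_space` possibilities."""
    if answer_space < 1 or attempts < 0:
        raise ValueError("invalid sizes")
    return min(1.0, attempts / answer_space)


def build_note(site: str, questions: list, length: int = 20) -> dict:
    """Build a record of question/answer pairs for one site. Each question
    gets its own random answer so a leak at one site reveals nothing else."""
    return {
        "site": site,
        "answers": [{"question": q, "answer": random_answer(length)} for q in questions],
    }


def note_text(note: dict) -> str:
    """Serialise the record for pasting into a password manager's notes field."""
    return json.dumps(note, indent=2)


if __name__ == "__main__":
    # Constructed sample: one site, two of the common questions from the article.
    note = build_note("shop.example", ["First pet's name?", "Mother's maiden name?"])
    print(note_text(note))
    # Honest answer from a pool of ~1000 common pet names vs. a random 20-char answer.
    honest_space = 1000
    random_space = len(ALPHABET) ** 20
    print("5 guesses at an honest answer:", guessability(5, honest_space))      # 0.005
    print("5 guesses at a random answer: ", guessability(5, random_space))     # ~0
    print("random answer entropy (bits):", round(random_answer_entropy(20), 1))
```

The arithmetic is the point: a 20-character answer over 36 symbols has about 103 bits of entropy, while an honest pet name drawn from a pool of a thousand has about 10, and an acquaintance does even better than a blind guesser, as the study above shows.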

How do you handle password recovery questions?

Update: Check out Security tip: do not answer security questions correctly for updated information and tips.




  1. Roman ShaRP said on July 4, 2009 at 9:26 pm

    I always choose custom questions and put in them things that nobody else can know.

  2. Tobey said on July 4, 2009 at 11:10 am

    True indeed. This leads me to an idea to use the same string for the answer as for password itself and of course, for the worst case, have the password backed up in KeePass/alternative. Will start implementing that as of now since forced question-answer measures are a serious vulnerability, all the more if you’re not offered a more “safe” question. IMHO asking for mother’s maiden name is one of the stupidest options, literally anyone can find out, possibly even using the Net/social networks.

    Thanks for the tips

  3. Dave said on July 2, 2009 at 2:28 pm

    If you have a password manager that you are storing answers to recovery questions in, wouldn’t you already have the forgotten password in the manager as well?

    Regardless, one of my greatest pet peeves about password recovery questions is the use of subjective questions. “What’s your favorite movie” will probably be different 3 years from now when I forget my password and need to recover it. They should be more concrete like “What city was your father born in?” That will never change.

    So anyway, I *love* the idea of putting an answer completely unrelated to the question. That’s brilliant. Thanks for the suggestion.

  4. Greg said on July 2, 2009 at 12:13 pm

    Yeah, to be honest a lot of the questions are things like

    “what’s your mother’s maiden name?”
    “what’s your first pet’s name?”
    “in what town was your high school?”

    This is all stuff that people close to me would know, particularly family members and as you can pick your friends, not your family…. I would trust my family the least out of anyone!

  5. Transcontinental said on July 2, 2009 at 11:00 am

    The last password recovery question I encountered was the name of my pet : I admit I never had a pet named: $WSo,)EEI4KMy_#YUS\wUba-Bd9+a62(
    Poor cat!

  6. xdmv said on July 2, 2009 at 6:16 am

    A useful tip is think that you are ANOTHER person. Then the answer would be honest, but not for YOU… ;-)

  7. DanTe said on July 2, 2009 at 4:31 am

    The answer to all my password recovery question is: sakljg;aghjk’sl;ksfhgait

    I keep all my passwords in one master encrypted spreadsheet stored on a detached Ironkey USB drive.

  8. John said on July 2, 2009 at 3:00 am

    About time someone saw sense on this matter. Banks are even worse than websites. These days I lose my temper when they ask for my mother’s maiden name as a security marker – half the financial institutions on this planet (and their staff) must have that info by now – as a security device it gets 1/10.

    But – as a more sensible bank employee assured me – the answer doesn’t of course need to be literally correct. You can say your mother’s name was Chewbacca just as long as you remember that.

    But that still doesn’t, of course, address the issue that a large proportion of the security problem originates from WITHIN banks and financial institutions where – I am MOST reliably informed – the standards of internal security are often laughable.

  9. cmpm said on July 1, 2009 at 11:39 pm

    I have an answer that has nothing to do with the security question.
    It’s not likely any one could figure out the answer to any question,
    when the answer is totally unrelated to the question or any question.
    But I also try not to confuse myself as well, :)
