Password Recovery Questions Make Online Accounts Vulnerable

Martin Brinkmann
Jul 1, 2009
Updated • Aug 23, 2012
Internet, Security

Password recovery questions make it possible to recover a forgotten password in a matter of seconds. All you need to do is answer the question, and a new password is sent to the inbox of the email address associated with the account. This, however, makes email hacking a profitable business, as email accounts are usually connected to online stores and other web services. An attacker with access to a compromised email account only needs to answer the secret question to retrieve the password of the web account, which is often a lot easier than figuring out the password itself. Sometimes the security question does not even need to be answered to get the password reset request sent to the associated email account.

A recent study shows that password recovery questions are usually answered honestly. Answers to questions about the birth town, mother's maiden name or first animal's name can sometimes be guessed easily. The study asked acquaintances of 32 webmail users to guess the answer to the secret question. Roughly 20% of these answers were guessed correctly.

Acquaintances of 32 webmail users – people with whom they would not normally share their login details – were asked to try and guess the answers users assigned to protect their accounts. The volunteers managed to guess correctly nearly a fifth of the time, raising questions over how secure the commonly used system is.

Password recovery questions should therefore not be answered honestly. Experienced users fill them out with password-like strings of characters, which makes the answers more or less impossible to guess. These answers can then be stored in a password manager as notes, so that you retain the functionality should you ever need to reset an account password.
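The approach described above, as an added example that is not part of the original article: generate an independent random answer for each recovery question and format the result as a note for a password manager. The function names, the site name and the 20-character lowercase-plus-digits format are assumptions made for this illustration.

```python
import math
import secrets
import string

# Assumption: lowercase letters and digits only, so an answer still matches on
# sites that lowercase recovery answers or strip punctuation from them.
ALPHABET = string.ascii_lowercase + string.digits


def random_answer(length=20):
    """Return a password-like recovery answer drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy of a uniformly random answer of the given length."""
    return length * math.log2(alphabet_size)


def build_note(site, questions, length=20):
    """Return (answers, note_text) with one independent answer per question.

    Answers are never reused across questions, so learning one of them
    gives no help with the others.
    """
    answers = {q: random_answer(length) for q in questions}
    lines = [f"Recovery answers for {site}"]
    lines += [f"{q} -> {a}" for q, a in answers.items()]
    return answers, "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample input: the question types named in the article.
    sample_questions = [
        "Birth town?",
        "Mother's maiden name?",
        "Name of first animal?",
    ]
    answers, note = build_note("webmail.example", sample_questions)
    print(note)  # paste this into the password manager's notes field
    print(f"about {entropy_bits(20):.0f} bits of entropy per answer")
```

Save the note before submitting the answers to the site, because a random answer cannot be reconstructed from memory later.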

How do you handle password recovery questions?

Update: Check out "Security tip: do not answer security questions correctly" for updated information and tips.




  1. smaragdus said on October 7, 2012 at 8:55 pm

    I have just tested the Wikipedia Book Creator and it works fine. I am pleased that the output format can be EPUB which is far superior to PDF. For me EPUB is the best e-book format, I prefer it to FB2 DJVU and especially over PDF, not to mention Microsoft LIT, Amazon and Mobipocket trash.

  2. benny said on November 2, 2012 at 9:21 am

    they actually had epub export for awhile but then stopped. good to see it’s back.
