Security tip: do not answer security questions correctly

Martin Brinkmann
Aug 23, 2012
Updated • Jan 31, 2015
Security

When you create an account on Internet sites, services or in local apps, you are often asked to pick a security question and answer as a recovery option. It is basically a fail-safe mechanism that gives you another way to restore your account if you have forgotten or misplaced your account password.

Windows users who choose to password-protect their account during creation also need to add so-called password hints to the account, which are meant to aid them in recovery. If you have local access to the PC, entering an incorrect password once displays the password hint, which may help you recover the account.

So, if you enter the wrong password and get a hint that says "my favorite color" or "my wife's middle name", you may be able to use that information to remember the password. But you should not rely on hints like these, and the reason is simple: trying out all popular colors as the account password, or finding out your wife's middle name, helps attackers greatly when they try to break into your user account.

via XKCD

Even if you select a very personal question, like the name of your first dog, the location you met your husband or the ID of your driver's license, you give up valuable information that an attacker can use to eliminate passwords that do not need to be tested at all.

To make matters worse, security questions are often stored less securely than passwords, both on web servers and in the operating system, so it is easier for attackers to get hold of them.

What you should do is pick a password hint, or an answer to a security question, that has nothing to do with the account password.

Whenever I have to fill out a security question, I pick a random one and use KeePass to generate a new password that I add as the answer. My favorite color would be 2xMq2xRG1DbmLVG6to, my driver's ID jo45GmKveDoz1XPWcv and my mother's maiden name eXT90ZMUp9afAx7kNU. I do save that information as a note in KeePass so that I have it available if the need arises. The reason why I select random characters as the password hint or as the answer to the security question should be obvious: they give away no clues as to what my password may be, so attackers cannot exploit the information to gain access to the account.

You could obviously use a different system, maybe always the same password hint like New York, Password, or even Haha, which should not give anyone a clue to recover the password from the hint. And you can naturally use other password managers, LastPass for instance, to generate those random strings.
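As an added illustration of the argument above (this is not code from the original post, nor from KeePass or LastPass), the following script contrasts a truthful answer with a generated one: it counts how many guesses an attacker enumerating a small list of popular colors needs to hit a real answer, and compares the entropy of that answer with an 18-character random string like the ones quoted above. The color list and the letters-plus-digits alphabet are constructed assumptions.

```python
import math
import secrets
import string
from typing import List, Optional

# Assumed alphabet for generated answers: letters and digits, like the
# 18-character examples in the post (an assumption, not KeePass's settings).
ALPHABET = string.ascii_letters + string.digits

# Constructed list of "truthful" answers an attacker could simply enumerate.
POPULAR_COLORS = ["red", "blue", "green", "yellow", "black", "white",
                  "purple", "orange", "pink", "brown", "grey", "gray"]


def generate_answer(length: int = 18) -> str:
    """Return a cryptographically random string to store as the answer."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits_uniform(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string over an alphabet."""
    return length * math.log2(alphabet_size)


def guesses_to_find(answer: str, candidates: List[str]) -> Optional[int]:
    """Number of tries needed if the answer is in the candidate list,
    or None when the list does not contain it at all."""
    normalized = answer.strip().lower()
    for position, candidate in enumerate(candidates, start=1):
        if candidate == normalized:
            return position
    return None


def compare(truthful: str, candidates: List[str], length: int = 18) -> dict:
    """Contrast a truthful answer with a freshly generated random one."""
    random_answer = generate_answer(length)
    return {
        "truthful_guesses": guesses_to_find(truthful, candidates),
        "truthful_bits": math.log2(len(candidates)),
        "random_guesses": guesses_to_find(random_answer, candidates),
        "random_bits": entropy_bits_uniform(len(ALPHABET), length),
    }


if __name__ == "__main__":
    # "Blue" falls to the enumeration on the second try; the random
    # answer is never found and carries roughly 107 bits of entropy.
    print(compare("Blue", POPULAR_COLORS))
```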

How do you handle security questions?


Comments

  1. Todd Schnitt said on August 24, 2012 at 7:37 pm

    Been preaching this to friends and family for years now. Whenever you hear about “hackers” getting into someone’s email, it’s usually through this method. I’ll never understand how security questions caught on and became such an accepted practice, without educating people to at least fib on the answers. Your password is like a lock on the front door, and honest answers to security questions are like leaving a key under the welcome mat.

  2. Transcontinental said on August 24, 2012 at 11:08 am

    Security question: Name of your pet
    Security answer: x#jgW-0syhF0h\we&Hp2Vn^KQdZBUb5v

    Indeed, it seems odd to choose a nice 32-character password and a plain (and, moreover, true) answer to a recovery question. One of those things in life as idiotic as asking users if their age entitles them to continue.

  3. Matias S. Aquino said on August 23, 2012 at 9:46 pm

    I do the exact same thing and also use Keepass to do it.

  4. fokka said on August 23, 2012 at 9:43 pm

    martin, if you are using a password manager, why would you even need to fill in these recovery options?

    1. Martin Brinkmann said on August 23, 2012 at 10:08 pm

      I do not really need them, but I feel better when I have them around. Say, I change the password online but somehow that does not get saved properly in KeePass. I’d be stuck and that would not be that great.

  5. Jim said on August 23, 2012 at 8:23 pm

    I often thought about giving “fake” responses on the security questions, but those little lies are hard to remember. The truth readily comes to mind. Your approach for basically using a backup password as a fake answer sounds like a pretty good one though. I’ll have to consider a way to incorporate those into my LastPass setup. Unfortunately I have a trail of security questions out there and I suspect like most people, I have no idea where they all are. About all I can do is use the method on “critical” sites/systems, and use attrition on the rest.

  6. DanTe said on August 23, 2012 at 8:22 pm

    My first pet = Load of Manure
    My father’s name = Uncle Bob
    My best friend = Welfare

    Simple security answers that are easy to remember :)

  7. Miguel said on August 23, 2012 at 8:13 pm

    I have been using exactly that same method :) I always recommend to friends or relatives using long random “passwords” as recovery or security answers.

    I agree using the real answers to these questions is a bad idea, as some people may guess (or even know the answer and use it against you). Lots of years ago I saw a few friends whose Hotmail accounts were taken by just answering their recovery questions.

    You can generate those random “answers” or other passwords here: https://www.grc.com/passwords.htm

  8. Morely Dotes said on August 23, 2012 at 7:29 pm

    How do I handle security questions? Explosives.

  9. ilev said on August 23, 2012 at 6:59 pm

    @ Martin,

    I suppose that you should have mentioned that the Windows password hints have been hacked, as Microsoft saves those unencrypted in the registry.

    Password hints easily extracted from Windows 7, 8

    Our recent feature on the growing vulnerability of passwords chronicled the myriad ways crackers extract clues used to guess other people’s login credentials. Add to that list a password reminder feature built in to recent versions of Microsoft’s Windows operating system.

    It turns out the password clues for Windows 7 and 8 are stored in the OS registry in a scrambled format that can be easily converted into human-readable form. That information would undoubtedly be useful to hackers who intercept a cryptographic hash of a targeted computer, but are unable to crack it. Jonathan Claudius, the SpiderLabs vulnerability researcher who documented the new Windows behavior, has written a script that automates the attack and added it to Metasploit, an open-source toolkit popular among whitehat and blackhat hackers alike….

    http://arstechnica.com/security/2012/08/windows-8-password-hints/

    1. Martin Brinkmann said on August 23, 2012 at 7:01 pm

      I thought about adding that, but decided against it. Thanks for posting the information though.
