The Problem With Security Questions

A reader points out a big problem with security questions:

Too many “security questions” can be answered based on users’ other profiles (I don’t have any) or “people finder” or genealogy sites (mother’s maiden name). If I recall, this is how Sarah Palin’s email was hacked (something involving where she went to high school).

“Many of the question alternatives pose questions that have no answers (place of marriage, name of oldest sibling). For those reasons, I always lie. For a few sites, I kept a list, but in most cases, I don’t know the answers to the security questions so I am just guessing myself at what answer I might have chosen. My email provider refreshes the inbox only every 5 min or so, so it can be a long wait for a code to arrive. Text messages require me to give out my phone number, which I prefer not to do, unless I purchase another phone and dedicate it to authentication codes. I’m in favor of security, but everything posed so far is either biologically invasive or a complete pain in the a**.”

You bring up a valid point about security questions. Though in most cases, it’s not an individual who’ll take the time to peruse your other accounts attempting to hack you but an automated program. In some cases, the program will just give up when it encounters 2-factor authentication.

Using made up answers to security questions is a good strategy. It can be made easier by having a pattern to your lies. Pick a favorite literary character and use their information. Or choose just one fake street, fake school, fake pet, and always use it.

I use my phone number to receive 2-factor codes and I’ve never had an issue with any company using that number for anything except to send codes. If you have a smart phone, an authenticator app is another option that can be quite handy.

However, security questions and text codes are still far more convenient than the steps you’ll have to take if your account is hacked.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.