If you are having difficulty signing into a website due to a problem with your user name or password, it's likely that the site will prompt you to answer a series of security questions before you can regain access to the site to reset your password. You would have provided the responses to these questions when you first created your website account.
But are your security question responses secure?
Just like passwords, security questions can be defeated by hackers who, if they can learn a little bit about you, can answer your personal questions with some educated guesswork. Learning your phone number, home address, email address, or Facebook® or LinkedIn® profile can give them enough information to try to crack your security questions for your accounts, including those for credit cards and other financial services.
Here are some recommendations for strengthening responses to security questions to help prevent unauthorized access to your accounts:
- Choose security questions where you—and only you—know the answer. Some security questions ask for information available in public records and/or online, either in local and state government records or on social media. Your home address/zip code, mother's maiden name, birth date, birth place, and personal contact details are generally easy to track down. According to the U.S. Federal Trade Commission (FTC), that is information a smart hacker can get by phishing.
- Don't create answers to security questions that can be guessed. It's simple for a hacker to guess the answer to a security question that has a limited number of basic responses (dates, colors, states, cities). If you can, avoid questions such as “What city were you born in?” or “What color was your first car?” since a hacker would be able to guess many of the possible answers.
- Don't give a simple, one-word generic answer to a security question; make your responses longer. Think about an answer to a security question that you will consistently remember, but is also a little more complex than a generic word. For example, if a security question asked “What was the first musical concert you ever attended?” the answer could be “The pop singer Taylor Swift” or “The rapper Kendrick Lamar” instead of “pop” or “rap,” as the specific name of a musical artist is more secure than just the genre of music.
Another example of using a slightly more complicated response is if you're asked the security question “What was your high school mascot?” Responding with the phrase “The Kokomo High School Fighting Cougars in Marietta, Georgia” is more secure than just the word “cougars.”
- If sites allow it, change your security questions more frequently. Changing our security questions is probably not a regular activity for a lot of us—but it should be. If you’re not on a website frequently, and if it's not connected to any financial accounts or other sensitive information, you can probably be a little less concerned about the frequency of updating your security questions. But for sites tied to credit card, other financial information, legal, or healthcare information, consider changing your security question responses several times a year if the website allows it.
Generally, anything you can do to make your security question responses unique, complex, longer, changed regularly—and still be memorable so you don’t forget them—should enhance the safety of your website visits and can help protect you from hackers and scammers.
For more about online safety, we have some other sources worth looking at.
The FTC has a lot of recommendations for how to keep your personal information secure; their site has good, useful resources to click through. We also have a few more blog and security posts on internet and phone personal security for you: