Online security: The password-recovery questions you should be answering (2024)

Column
TECHNOLOGY Q&A

By J. Carlton Collins, CPA

{:else}

{timeSince}

{/if} {@if cond="{isCGMA}"}

{articleTitle}

{/if} {/.}

TOPICS

Technology

Information Security & Privacy

Q. What security questions should we ask of our employees to confirm the identity of those employees digitally changing their login passwords?

A. In 2008, a 20-year-old college student hacked the Yahoo! email account for then vice presidential candidate Sarah Palin because he was able to figure out the answers to her password security questions by using Google searches to find her ZIP code, birthdate, and where she met her husband. Today, with so much of our personal information available on social media, many common security questions are not as secure as they once were. Some of the more common security questions with answers that might sometimes be found on one's social media pages include the following:

What is your mother's maiden name?
What is the name of your first pet?
What was your first car?
What elementary school did you attend?
What is the name of the town where you were born?

I think we've reached a point in which organizations and individuals need their security questions to produce more formidable hurdles for would-be hackers. The challenge for organizations is to not make the security questions so difficult that users are unable to remember their answers later. To be useful, a better security question should:

Be fairly easy to remember, even years later.
Contain thousands of possible answers, so it's not easily guessed.
Not be a topic frequently found on social media.
Have an answer that never changes (e.g., your favorite color or dream car might change over time).

Given the above suggested criteria, you might try to come up with more challenging security questions that have answers not typically revealed on social media, such as the following:

When you were young, what did you want to be when you grew up?
Who was your childhood hero?
Where was your best family vacation as a kid?

Still, the problem with all security questions, no matter how difficult they are, is they are intended to be simpler to use than passwords because the question itself is supposed to trigger your memory. To combat the more simplistic nature of security questions administrators often ask, end users might consider protecting themselves further by providing random answers that cannot be researched or guessed. In effect, I am suggesting that your answers be more random so they act more like a password. For example, instead of providing your mother's actual maiden name, you might provide the made-up name Aphrodite1234!, which resembles a password more so than a name. While this approach may defeat the purpose of simpler security questions, it probably would result in greater security.

About the author

J. Carlton Collins ([email protected]) is a technology consultant, a conference presenter, and a JofA contributing editor.

Submit a question

Do you have technology questions for this column? Or, after reading an answer, do you have a better solution? Send them to [email protected]. We regret being unable to individually answer all submitted questions.

Online security: The password-recovery questions you should be answering (2024)

FAQs

What is the answer to the security question? ›

Consistent: Ensure the answer to your security question is factual and cannot change over time. For instance, the name of the city where your parents met is likely to stay the same. 4. Specific: A broad answer can be ambiguous but also easy for cybercriminals to guess.

Read On ›

What is the recovery question and answer? ›

A recovery question is an optional feature of the archive key password security setting. The recovery question can be used to reset your archive key password in the event that the existing password is lost or forgotten.

Discover More Details ›

What is the password recovery question? ›

Password recovery questions are designed to provide an alternative method for users to regain access to their accounts when they forget their passwords. These questions are often used as a secondary security layer, alongside email verification or SMS authentication.

Why do I have to answer security questions? ›

Security questions are usually used by banks, online services, etc. The purpose of asking such questions is to add another layer of security alongside your password.

See Details ›

How to reset password without security questions? ›

Try going to the Microsoft login screen on any computer and try and login to your account.
Click I forgot my Password and you will get more options for changing your password. ...
They will send you a code that you will need to use to change the password.

Nov 22, 2020

Find Out More ›

Which is the best password recovery question? ›

What is your mother's maiden name?
What is the name of your first pet?
What was your first car?
What elementary school did you attend?
What is the name of the town where you were born?

Mar 1, 2018

Tell Me More ›

What if I forgot the answer to my security question? ›

If you forgot both your security question answers, there are two things you can do. If you have a computer that you have chosen to “Remember computer” on, you can log in on that computer and reset your security questions.

Show Me More ›

What do you write in a security answer? ›

To ensure you have a strong password, you should include uppercase and lowercase letters, numbers, and symbols. Your security answer should be something memorable for you, but not easy for someone to guess or find online.

Explore More ›

What is password recovery in cyber security? ›

Understanding Password Recovery in Cybersecurity

Password recovery represents a quintessential process in the cybersecurity sphere. It facilitates the retrieval of lost or forgotten passwords, reverses encryption or hash functions, and allows users to regain access to their system, data, and applications.

How can I recover my password without password? ›

How to recover passwords

Search your web browsers.
Search your email inboxes.
Search through cloud-based services.
Search for files on your computer's hard drive.
Collect passwords from your mobile device.
Search for passwords around your home.

Show Me More ›

What is the security question answer? ›

A security question is just another form of a password mechanism. Therefore, a security question should not be shared with anyone else, or include any information readily available on social media websites, while remaining simple, memorable, difficult to guess, and constant over time.

Read The Full Story ›

What is the short answer of security? ›

Security means safety, as well as the measures taken to be safe or protected. In order to provide adequate security for the parade, town officials often hire extra guards. A small child will sometimes latch on to a blanket or stuffed animal that gives him or her the feeling of security.

See Details ›

What is secret question and answer? ›

Secret questions usually ask for an obscure fact that hopefully only the account owner would know and supposedly would never forget. Many Web sites assume that the user providing the answer to the question is sufficient to identify the user.

Get More Info Here ›

What is the security short answer? ›

Security means safety, as well as the measures taken to be safe or protected.

What to do when you forgot the answer to your security question? ›

Try the most likely answers you would have given. If the first attempt does not succeed, try again. Keep trying the most logical answers to your security questions.