You have set a strong password and enabled two-factor authentication. Your account is locked down -- until someone calls customer support, answers your security question with information scraped from your Facebook profile, and resets everything. Security questions are one of the oldest and most widely deployed authentication mechanisms on the web, and they are also one of the most fundamentally broken.
The Problem with Security Questions
Security questions fail for a simple reason: they ask for information that is not actually secret. Consider the most common security questions used across the web:
- What is your mother's maiden name?
- What was the name of your first pet?
- What city were you born in?
- What high school did you attend?
- What is your favorite movie?
Every one of these answers is either publicly available, easily guessable, or discoverable through casual social media browsing. Your mother's maiden name may appear in genealogy records, public marriage records, or your relatives' social media profiles. Your high school is listed on LinkedIn and Facebook. Your birth city is on countless forms you have filled out. The name of your first pet? You probably posted a throwback photo of it with a caption.
Unlike passwords, which can be changed and rotated, the answers to security questions are typically static facts about your life that never change. Your mother's maiden name is the same today as it will be in 20 years. Once an attacker knows the answer, it works forever, across every site that uses the same question.
Real-World Attacks Using Security Questions
Security question exploits are not theoretical -- they have been used in some of the most high-profile account breaches in history.
In 2008, a college student gained access to then-vice presidential candidate Sarah Palin's personal Yahoo email account. The attack required no technical hacking whatsoever. The attacker simply used Yahoo's password recovery process, which asked for Palin's date of birth, ZIP code, and the answer to the question "Where did you meet your spouse?" All of this information was publicly available from news coverage and biographical information. The entire attack took minutes.
The celebrity iCloud breaches of 2014 similarly exploited security questions. Attackers used a combination of phishing and security question guessing to access Apple iCloud accounts, extracting private photos that were then posted publicly. The answers to many of the victims' security questions were gleaned from interviews, social media posts, and public records.
These are not isolated incidents. Security researchers have repeatedly demonstrated that with access to social media profiles and basic public records, they can answer the security questions for the majority of targets. A Google research study found that the most common answer to "What is your favorite food?" was "pizza" -- meaning an attacker guessing that single word would succeed nearly 20% of the time.
Why They Still Exist
If security questions are so flawed, why do so many services still use them? The reasons are mostly practical rather than technical:
- Legacy systems: Many services built their account recovery systems years ago when security questions were considered acceptable. Replacing them requires significant engineering effort and may affect millions of existing accounts.
- Account recovery fallback: Services need a way to help users who have lost access to their email and phone. Security questions serve as a last-resort recovery mechanism, even though they are weak.
- Perceived simplicity: For non-technical users, answering a familiar question feels easier and more intuitive than managing recovery codes or hardware keys. Service providers worry that more secure alternatives will increase support costs.
None of these reasons justifies the security risk; they only explain why the transition away from security questions has been slow.
How to Handle Security Questions Safely
When you encounter security questions and cannot avoid them, the best strategy is to treat them as secondary passwords rather than honest answers to personal questions.
- Generate random answers: When a site asks "What is your mother's maiden name?", do not enter your actual mother's maiden name. Instead, generate a random string or passphrase using your password manager and enter that. "Mother's maiden name: 7kP$mNx2Qw" is far more secure than the real answer.
- Store the fake answers in your password manager: Add a note to the account entry in your password manager that records both the question and the fake answer you provided. Without this record, you will not be able to recover the answer later.
- Use different fake answers for each site: Just as you should never reuse passwords, never reuse security question answers. If one site is breached, the fake answer should not work anywhere else.
- Never use real answers: This bears repeating. Even if the real answer feels obscure to you, it may be discoverable by someone who is specifically targeting you.
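The four steps above amount to a small procedure: generate a random answer per question, record it with the question in the password manager, and make sure no answer is ever reused. The following Python is an added example written for this article (it is not code from the page's author or from any password manager) showing that procedure end to end. The letters-and-digits alphabet is an assumption made here so the generated values survive sites that reject punctuation in answer fields; the site names and the "old habit" notes are constructed sample data.

```python
import json
import math
import secrets
import string

# Alphabet for generated answers. Letters and digits only (an assumption:
# many sites reject punctuation in answer fields, so this stays portable).
ALPHABET = string.ascii_letters + string.digits


def random_answer(length: int = 20) -> str:
    """Return a cryptographically random string to submit instead of a real fact."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def answer_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing work for a uniformly random answer: log2(alphabet^length) bits."""
    return length * math.log2(alphabet_size)


def make_recovery_note(site: str, questions: list[str], length: int = 20) -> dict:
    """Build the note for the password-manager entry of `site`: a fresh random
    answer for every question, recorded next to the question text so it can be
    looked up later."""
    return {
        "site": site,
        "security_questions": [
            {"question": q, "answer": random_answer(length)} for q in questions
        ],
    }


def find_reused_answers(notes: list[dict]) -> list[str]:
    """Return every answer that appears more than once across all notes.
    An empty list means no answer would be usable on a second site or question."""
    counts: dict[str, int] = {}
    for note in notes:
        for item in note["security_questions"]:
            counts[item["answer"]] = counts.get(item["answer"], 0) + 1
    return sorted(a for a, n in counts.items() if n > 1)


# Constructed sample of the old habit: the same real fact reused on two sites.
OLD_HABIT_NOTES = [
    {"site": "bank.example", "security_questions": [
        {"question": "What is your mother's maiden name?", "answer": "Smith"},
        {"question": "What city were you born in?", "answer": "Denver"}]},
    {"site": "mail.example", "security_questions": [
        {"question": "What is your mother's maiden name?", "answer": "Smith"},
        {"question": "What was the name of your first pet?", "answer": "Rex"}]},
]

QUESTIONS = ["What is your mother's maiden name?", "What city were you born in?"]


def demo() -> None:
    print("reused real answers:", find_reused_answers(OLD_HABIT_NOTES))
    notes = [make_recovery_note(s, QUESTIONS) for s in ("bank.example", "mail.example")]
    print("reused generated answers:", find_reused_answers(notes))
    print(f"entropy per answer: {answer_entropy_bits(20):.1f} bits")
    print(json.dumps(notes[0], indent=2))


if __name__ == "__main__":
    demo()
```

A 20-character answer drawn from 62 symbols carries about 119 bits, which is the point of the "secondary password" framing: the strength comes from randomness, not from how obscure the real fact feels. The reuse check is what the password-manager note makes possible; without the stored record there is nothing to audit.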
Better Alternatives
Fortunately, the industry is moving toward stronger recovery mechanisms that do not depend on guessable personal information:
- Recovery codes: One-time use codes generated when you set up two-factor authentication. Store them securely in your password manager or printed in a safe location.
- Authenticator apps: Apps like Google Authenticator, Authy, or Aegis generate time-based codes that serve as a second factor and can replace security questions as a recovery method.
- Hardware security keys: Physical devices like YubiKeys provide the strongest authentication available. They are immune to phishing, cannot be guessed, and do not depend on personal information.
- Trusted contacts: Some platforms like Apple and Facebook allow you to designate trusted friends or family members who can help verify your identity and assist with account recovery.
When a service gives you the option to use any of these instead of security questions, always choose the stronger alternative. And when you are forced to set up security questions, remember: lie creatively, store the lies in your password manager, and never reuse them.