Which security questions are good and bad?

What makes a good security question?

Many platforms ask you to choose a security question, which you will need to answer when logging in or resetting your password. Websites often offer system-defined questions that you can choose from or come up with your own questions. But how do you choose a question that is difficult to crack but easy for you to answer? Good security questions for recovering a user’s current password should meet the following characteristics:

• Memorable. The answer to the question should immediately pop into your head, even if you’re logging in two years after you first created the account. Don’t make it the song you listened to on repeat 10 years ago, and make sure it’s a fixed answer. For example, you will never forget what your first car or first pet was.
• Unique. Try to come up with unique questions with simple answers, like “what’s your favorite pet” to verify your identity. Security questions shouldn’t have multiple potential answers. Pick something precise, simple, and straightforward. And don’t try to be cheeky and go with a fake answer, lest you outsmart yourself and forget it two months down the line.
• Consistent. The security question should be factual and not change over time. For example, your preferred musical genre, favorite song, or work address might change, but the city you were born in won’t.
• Unpredictable. Don’t make the answer something others can easily guess or research. No one except you (and maybe the person involved in that specific life event) should know the correct answers to security questions. And don’t make the mistake of sharing such personal information on social media or taking Facebook quizzes that try to trick you into revealing this information!

Check out our video on security questions below.

Security questions you should avoid

Why are some security questions bad? It comes down to two reasons: they are too complicated or too simple. People either forget their answers or their accounts get hacked because the answers were way too easy to guess. One way to avoid this is to never share such information anywhere and avoid answering security questions when signing up for websites with sketchy reputations. But all in all, it’s best to avoid using weak security questions in the first place.

Bad security questions

• 

  In what city or town was your first job? This information can be easily found on LinkedIn or easily guessed if you’ve never moved to another city or country.
• 

  What elementary school/high school did you attend? Bad actors can easily find this information on LinkedIn or social media like Facebook.
• 

  What is your mother’s maiden name? It may take a little bit of digging, but a hacker could find this information from social media or national registries.
• 

  What is your favorite movie? This question may have many possible answers. Something you really liked yesterday might not be the movie you’ll love today since new movies are released all the time and your taste changes.
• 

  What was your favorite sport in high school? This is a weak question with many potential answers. Others can also guess the answer, especially if your Facebook profile is full of pictures of you playing rugby, cheerleading, or any other sport. And if it’s not, then there’s a chance that the answer can be guessed if you post many articles about football, for example.

A list of good security questions you could use

• 

  What was the name of the boy or the girl you first kissed? This is a good question as it’s personal — you’re likely the only one to know the correct answer.
• 

  Where were you when you had your first kiss? Like the last one, this is also a personal and stable question that few people can answer.
• 

  In what city did you meet your spouse/significant other? A good personal question with a consistent answer. However, it may be easy to guess, especially if you’ve never moved countries, haven’t traveled much, or married your high school sweetheart.
• 

  What is the middle name of your youngest child? A great question if you have kids since this information most likely won’t be available anywhere outside your child’s passport.
• 

  What was the name of your first stuffed animal? A question that requires a consistent and specific answer. Not all kids have a favorite stuffed animal, but if you did, there’s probably no one else in the world who knows its name.
• 

  In what city or town did your mother and father meet? It’s personal and specific. Only you and your family members will know the answer. This information most likely cannot be found on social media either.
• 

  What was the first exam you failed? It’s personal, specific, stable, and easy to memorize. And if you’re not prone to overshare online, this information won’t be found on your social media accounts.

What’s more, some websites let you choose multiple questions to minimize the chances of a third party intruder getting access to your account information.

Is there anything else I can do?

Yes! First, limit the information you share on social media profiles and your posts. You don’t need to list your hometown on Facebook to create a profile. Have a look at these tips and reevaluate how you can make your social media profiles more private. This will make the hackers’ job way more complicated.

And if you are confident that you’ve chosen good security questions but still think you may forget the answers, use a password manager. Many secure password managers, including NordPass, let you add notes to your passwords.