Secret Questions

More and more secure Web sites have them—a list of personal questions you are required to answer in order to add another layer of security to your account. It may seem like an unnecessary extra step in an already inconvenient process, but it does make your account harder to take over, provided the answers are treated as secrets. In this article, I’ll discuss how it helps, some common problems, and some best practices you should follow to manage secret questions.

How do secret questions make you more secure?

On the surface, a secret question and answer seems like just another password. In many respects it is, but, unlike a password, it is information you already know and which does not change.

Consider this: The most common account takeovers do not come from attackers breaking in to the site directly. They come from someone obtaining an e-mail address and password combination from a breach of another, less secure site and then trying that same combination on a more secure site (a technique known as credential stuffing). For an explanation of this, see our previous article, “An EASY Way to Use a Different Password for Every Site“. The sad truth is that many people reuse the same one or two passwords for everything, which is exactly what makes this attack work.

Secret questions work by requiring another layer of authentication. Even if someone does get hold of your e-mail address and password, they still won’t be able to log in if they don’t know the answers to your questions. That protection holds only as long as the answers are not easy for an attacker to guess or look up, which is why the practices at the end of this article matter.

Some problems with secret questions

In my experience, there are two major problems with secret questions. The first is poorly thought-out questions. The second is more systemic, in that most Web sites assume each account belongs to only one person. Let me explain both.

Poor Questions

A secret question should ask for an answer that never changes. In most cases this will be historical information, for example “On what street did you grow up?” or “What was the name of your first pet?” Those are questions about past events, and the answers will never change. The answer should also be something other people cannot easily find out: a street or pet name that appears on your social media profile is a weak secret, so treat the answer with the same care as a password.

Other questions might have different answers later on. These are poor choices for secret questions. For example, any question that contains the word favorite is probably a bad one: “What is the name of your favorite restaurant?” “Who is your favorite author?” The answers to those questions might be different next year. Even historical questions can have shifting answers, depending on your mood or state of mind. “Who was your best friend in high school?” “What was the name of your first boyfriend/girlfriend?” For some people, the answers to those questions are definite. For others, they may be more vague.

One account ≠ one person

My wife and I each have financial accounts in our own names, but I generally do the bills. This means that I need to know the answers to her secret questions (and she needs mine, in case I’m not around). While I generally remember her relatives’ names, I don’t necessarily have, on the tip of my tongue, her first pet’s name or the name of her favorite high school teacher. I’m forced to write this information down, which partially defeats the purpose of having a secret question in the first place.

This is a bigger problem in business. Most small businesses have a single login for each financial institution. This means that the bookkeeper and the boss and maybe the office manager all use the same credentials to log on to the bank’s Web site, their credit card processing account, etc. That is a very bad security practice: it allows no accountability (nobody can tell who did what), and it creates a mess when someone leaves, because the shared password and every secret answer must be changed. Unfortunately, many Web sites do not allow multiple accounts to access the same data, and there’s not much we can do about that. It’s an industry problem that the industry needs to fix.

Secret question best practices

As promised, here is my list of secret question best practices:

  1. Always choose secret questions that have definite, non-changing answers. Avoid, when possible, questions that include superlatives (most, least, favorite, worst, etc.).
  2. For answers, use single words whenever possible. Always use the simplest possible answer. If you grew up on Elm Street, use Elm as your answer. That way you won’t wonder later if you used Elm St. or Elm St or Elm Street.
  3. Be consistent in your capitalization. I don’t know if most secret questions are case-sensitive or not, but it’s best to be safe.
  4. If you are prompted to create your own secret question (rather than choosing one from a list), follow the same guidelines as in #1 above.
  5. If more than one person needs access to a service, create separate accounts when possible. Each account should have its own secret questions, so you won’t have to write them down.
  6. If you do need to record the answers somewhere, treat secret question answers like passwords. Do not store them on a piece of paper under your keyboard, or put them in a Word document on your desktop. Take the same precautions you would with passwords, for example by keeping them in a password manager alongside the account’s password.
If you have your own suggestions, feel free to post them here.
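To show what the best practices above look like from the other side of the login form, here is an added example (not code from the original article) of how a site could verify this second layer: a secret answer is canonicalized (case-folded, punctuation stripped, “St.”/“Street” removed, so the “Elm” vs. “Elm St.” problem from #2 and the capitalization worry from #3 disappear), then stored and checked exactly like a password with a salted, slow hash and a constant-time comparison. A correct-but-reused password without the answer is rejected, which is the credential-stuffing scenario the article describes. The noise-word list, the PBKDF2 parameters, and the sample account are assumptions made for this example.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2. Kept modest so the example runs quickly; a real
# deployment should use the same slow hash (bcrypt, Argon2, or PBKDF2 with a
# high iteration count) that it uses for passwords.
ITERATIONS = 100_000

# Street-type words users type inconsistently ("Elm", "Elm St.", "Elm Street").
# Assumed list for this example; extend it for the answer formats a site accepts.
NOISE_WORDS = {"street", "st", "road", "rd", "avenue", "ave", "drive", "dr", "lane", "ln"}


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so trivially different spellings compare equal.

    Unicode-normalise, case-fold, drop punctuation and whitespace, and strip
    street-type noise words. If stripping would leave nothing (the answer
    itself was "Street"), keep the original tokens instead.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    tokens = re.findall(r"\w+", text)
    stripped = [t for t in tokens if t not in NOISE_WORDS]
    return " ".join(stripped or tokens)


def hash_secret(secret: str, normalize: bool, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash of a password or a secret answer.

    Answers are normalised first; passwords are hashed exactly as typed.
    """
    salt = salt if salt is not None else os.urandom(16)
    material = (normalize_answer(secret) if normalize else secret).encode("utf-8")
    return salt, hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)


def check_secret(candidate: str, normalize: bool, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored hash."""
    _, digest = hash_secret(candidate, normalize, salt)
    return hmac.compare_digest(digest, stored)


class Account:
    """Minimal account record: a password hash plus hashed secret answers."""

    def __init__(self, password: str, answers: Dict[str, str]) -> None:
        self.password_salt, self.password_hash = hash_secret(password, normalize=False)
        # question text -> (salt, hash); the plaintext answer is never stored
        self.answers = {q: hash_secret(a, normalize=True) for q, a in answers.items()}


def login(account: Account, password: str, question: str, answer: str) -> str:
    """Second-layer login: the password alone is not enough.

    Returns "ok", "bad-password", "unknown-question" or "bad-answer". A real
    site should show the user one generic failure message so an attacker
    cannot tell which layer rejected them; the distinct codes here exist so
    the behaviour can be checked.
    """
    if not check_secret(password, False, account.password_salt, account.password_hash):
        return "bad-password"
    entry = account.answers.get(question)
    if entry is None:
        return "unknown-question"
    salt, stored = entry
    if not check_secret(answer, True, salt, stored):
        return "bad-answer"
    return "ok"


# Constructed sample account for the example (not real data).
SAMPLE = Account(
    password="correct horse battery staple",
    answers={
        "On what street did you grow up?": "Elm",
        "What was the name of your first pet?": "Biscuit",
    },
)


def demo() -> Dict[str, str]:
    """A reused password (credential stuffing) fails without the answer;
    inconsistent spellings of the right answer still pass."""
    q = "On what street did you grow up?"
    pw = "correct horse battery staple"
    return {
        "stuffed_creds_no_answer": login(SAMPLE, pw, q, "Main"),
        "wrong_password": login(SAMPLE, "hunter2", q, "Elm"),
        "exact": login(SAMPLE, pw, q, "Elm"),
        "variant": login(SAMPLE, pw, q, " elm Street. "),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Normalising before hashing is what lets a site be forgiving about “Elm” versus “Elm St.” without ever storing the answer in clear; the same normalisation must be applied at enrollment and at login, or nothing will match.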

