Proton
Subscribe by RSS
The cover image for a Proton blog about whether security questions are safe. The image shows two password fields, one with a shield containing a question mark and one with a triangle containing an exclamation mark

Are security questions terrible for account security?

Edward Komenda

Share this page

One of the most common cybersecurity measures we’ve all dealt with is security questions. You’ve probably been asked to give your first pet’s name or the city you were born in to reset a long-forgotten password, but is this actually a secure way of verifying your identity? Much of this information is easy for you to forget but easy for others to find, making it a poor defense for your most valuable online accounts, personal data, and sensitive information.

Security questions are meant to help reset passwords, reopen locked accounts, and ultimately protect your digital spaces from attacks or breaches, but such safeguarding is widely considered flawed and unreliable(new window).

A massive Yahoo data breach(new window) highlighted the perils of relying on security questions to protect your accounts. The breach exposed the personal data of half a billion users, including their names, email addresses, phone numbers, and the security questions and answers they used for account recovery.

This article will explore why security questions are actually terrible for your security and what measures you can take to better protect your most sensitive private data. 

What are security questions?

When you’re locked out of an account, it’s common to face security questions to regain access or reset passwords. This gatekeeper layer of security is used across many platforms, from email and social media to banking and shopping websites.

Answers to security questions are supposed to be information only you and a select few people know — in theory, the more obscure the answer, the better the security. However, the recommended security questions on the website you’re using might not be ideal.

Some common security question examples include:

  • What is your mother’s maiden name?
  • What was the name of your first childhood pet?
  • What is the name of your high school?
  • What is the name of the street you lived on as a child?

While all of the security answers are personal to you, they’re also not impossible for bad actors to find out. For years, experts have been questioning the effectiveness(new window) of this security layer. Too many vulnerabilities are created by requiring people to remember information that can be forgotten, changed, or discovered by potential attackers digging around on the internet. 

Why security questions are a terrible idea

There are several reasons why leaning on security questions to protect you is a bad idea. It comes down to a pair of unfortunate realities: Potential attackers are more clever than you might think, and there’s more personal information online than you realize.

Here’s why security questions are the weakest link of security measures:

  • Predictable: Popular security questions like “What is your favorite color?” can be too generic and easily predictable. When the pool of possible answers is small, it’s much easier for a potential attacker to guess.
  • Discoverable: In an age where people manage multiple social media accounts across several platforms, attackers can often find answers to security questions with a little digging into your public-facing profiles. They can build a profile of you based on your posts, exploiting publicly available information to bypass security measures and gain access to your account.
  • Forgettable: Favorites and life details change over time, often making it difficult for you to recall information at the moment you need to. This greatly diminishes the reliability of security questions as a security tool.

If a website requires you to create a security question, it’s still possible to create good security questions for yourself. Instead of focusing on traditional questions like those mentioned above, choose more obscure questions to which the answers can’t be found online. Some good security questions could include:

  • What is your eldest cousin’s middle name?
  • What was the make and model of your first car?
  • What was the name of your favorite teacher in high school?

As long as you’re not oversharing online, this information should be nearly impossible for a hacker to find. But that’s not to say that they can’t still crack the answers, because this mechanism simply isn’t secure: Even Google released a study(new window) contending that security questions are one of the worst ways to protect your online privacy(new window).

“40% of English-speaking US users have failed to recall their answers to security questions, according to Google,” reported Time(new window). “When the questions are very difficult, such as asking for a person’s frequent flier number, the recall rate drops to 9%.”

Beware of oversharing on social media 

By exploring your social media accounts, hackers can often obtain the information you use to reset passwords, particularly the answers to security questions. Data brokers can also collect this information to create an online profile of you to sell to advertisers. Make sure to limit or avoid sharing the following information:

  • Family names
  • Date of birth
  • Location of birth
  • What school you attended
  • Pet names
  • Any address, current or former
  • Details of your routine or locations you regularly visit

What’s at stake? Your data and privacy 

If the answers to your security questions are ever compromised, it can lead to widespread privacy violations.

  • Identity theft: With access to something like your bank account, it wouldn’t take much work for an attacker to impersonate you, open new accounts, or commit fraud with your stolen identity.
  • Compromised accounts: If the answers to your security questions are exposed in a data breach, any account tied to the answers of those questions can be in danger, as it’s common for people to recycle the same ones over multiple accounts.

What are better alternative security measures? 

f you have to create a security question and there’s no alternative, we’d recommend generating a secure password and saving it as a note in your password manager instead. This means you don’t have to remember the answer and can instead store it safely until you need it.

If you’re able to, consider using more effective — and reliable — authentication methods.

Two-factor authentication (2FA), also known as two-step verification, requires two forms of identification when you log in to an account. After you input a username and password, 2FA may have you enter a unique code generated by a mobile authenticator app, plug in a security key, or type in a code sent to your phone.

Here are three forms of 2FA:

  • Security key: Security keys, also known as hardware keys, help prove your identity when you’re logging in to an account, app, or device. This allows you to sign in to your account using a physical key, such as a YubiKey(new window), which resembles a thumb drive. If you choose to use a 2FA key with your Proton Account, for example, you must plug in your key every time you sign in.
  • Time-based one-time passwords (TOTP): You can use an authenticator app on your smartphone to generate six-digit passwords that regenerate periodically to keep codes fresh and make unauthorized access to your accounts difficult for potential attackers. Some password managers, including Proton Pass, have built-in 2FA code generators.
  • SMS messages: While convenient and user-friendly, text messages are considered the least secure of 2FA options. They’re vulnerable to SIM-swapping attacks, and SMS is unencrypted and not very secure, making it easier for hackers to intercept 2FA codes. If your account offers an alternative 2FA method, you should avoid SMS.

Best practices for online security

As cybersecurity threats become more sophisticated and common, it’s important to reassess security practices and the role security questions play in our defense against such attacks. Here are three ways you can enhance your online security right now:

Put your privacy first 

There’s no time like the present for taking control of your online security. You can start by using alternative tools, such as secure password manager and email services like Proton Pass and Proton Mail to strengthen your defenses.

It’s important to use the best tools available to build a future where privacy is the default.

Secure your emails, protect your privacy
Get Proton Mail free

Related articles

An illustration of a laptop and an open envelope
Lay the foundation for lasting business success with a privacy-first website using a secure domain and email from Porkbun and Proton Mail.
Flow, a wordless fable about a cat and other stray animals navigating a flooded world, was made with Blender, a free, open-source 3D animation tool.
A Latvian indie film that used open source tools beat Disney at the Oscars, proving open source can challenge industry giants.
A Bitcoin and a central bank digital currency coin
Learn how CBDCs could give governments new powers to control money and monitor financial activity and how Bitcoin prevents this.
A computer monitor, a box of case files, and a lock representing law firms that protect their information security
A simple guide to law firm cybersecurity. See how to protect business and client data, prevent breaches, and stay compliant with encryption.
The cover image for a Proton Pass blog about brushing scams, which shows a package with a warning sign above it
A brushing scam means your personal data has leaked online. Learn how to protect yourself with hide-my-email aliases and dark web monitoring.
An encryption lock breaking
Apple turned off its end-to-end encryption in the UK in response to a government notice. We look at what this means and how people in the UK can protect their data.