Secret Questions Too Hard To Answer

passwordAs we have mentioned several times, humans represent the weakest link in cybersecurity.  This means we are terrible at creating strong passwords, and we are bad at remembering them, too.  So all of our online service providers have password reset systems that usually include a series of “secret” questions that are supposed to be both hard for an attacker to guess, but easy for the account holder to remember.  Unfortunately, this is not the case.

The problem is this:  questions that are easy to remember (mother’s maiden name, father’s middle name) are also easy to find online because they are a matter of public record.  Same with “first street address” and “name of high school.”  If this information isn’t in a public database, we have provided the answers in our Facebook or LinkedIn profiles.

So this leaves us with more obscure memorable questions, such as “who is you favorite actor.”  Unfortunately this answer is subject to change over time, and ultimately, most people find these answers hard to remember when they need them.  Other questions such as or “who is the first person you kissed” may be better, but are obscure enough that what you remember when you set it up may be different when you try to remember it.

The web site Good Security Questions (which is selling a list of “good” questions for $19.50) gives the following guidance for those developing security questions.

“What makes a good security question? A good security question produces answers that are:

  • Safe: cannot be guessed or researched
  • Stable: does not change over time
  • Memorable: can remember
  • Simple: is precise, simple, consistent
  • Many: has many possible answers”

According to a recent article on Sophos, in an effort to make their answers harder to crack, some people are providing false answers, but this just makes them harder to remember when needed.  Security researchers, (and probably several cyber attackers) have discovered that a well crafted phishing email will generate useful responses to security questions over 90% of the time.

The best solution for password reset systems is to use your cellphone and SMS text messaging to provide the necessary temporary credential to rest your password.  If your online providers offer this feature, you should be using it.  It is very difficult for an average attacker to have possession of both your phone and your online account.  a less secure alternative is to set up an alternate email account to use for password resets and other security purposes.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.