Can you be too personal with “Personal Security Questions?”

Short answer? “Personal security questions” aren’t secure. Irony, right? Don’t use personal information to answer those “Personal Security” questions.


Nihilistic Password Security Questions image from the awesome "This isn't Happiness" blog

Mother’s “maiden” name? Hospital where you were born? First school you attended? Best friend in high school?

Hmm. Let’s say someone was, oh, say, an identity thief. And let’s say they happened to have access to any of the 5,000+ lists of nearly one billion hacked user accounts from the likes of Target, Home Depot, Experian, the Office of Personnel Management, T-Mobile, Ashley Madison, and… well, it’s a very long list. And let’s say many of those hacked sites stored your security answers in plain text, right next to your email address?

How hard would it be for them to gain access to your other email addresses?  Your tax records?  Your school records?  Your work accounts?  Your social media accounts?  Your bank, and brokerage, and mortgage and… again, well, another long list?  Yikes!

You might change your password regularly, but how often does your mother’s “maiden” name change? A password can be rotated after a breach; a true answer to that question, once leaked, is leaked for good, on every site that asks it.

So… my advice when answering “personal security questions?”  Be anything but personal when answering them!

So what to do instead? Much as with passwords, pick two or three random words, a nursery rhyme name, or (if you’re sneaky) something that’s absolutely not true about you.

Example #1

  • Mother’s maiden name? “old mother hubbard”
  • Best friend in school? “old mother hubbard”
  • First phone number you remember? “old mother hubbard.”

(Note: in addition to often being stored in plain text, security answers are rarely checked for repetition, so giving the same answer to every question on a site usually goes through.)

Example #2

  • Favorite team? “go cougars” (especially if you’re a Huskies fan)
  • Mother’s maiden name? “go cougars”
  • Make and model of your first car? “go cougars”

Answer personal questions any way you want, in other words, as long as you don’t give personal answers. And since a security answer can reset your password, it is effectively a second password: keep it in your password manager rather than your memory, and ideally use a different nonsense answer on each site, so one plain-text leak doesn’t unlock the rest.
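To make both halves of that advice concrete, here is an added example (my code, not part of the original post) showing the user side and the site side. On the user side, `random_answer` builds a nonsense answer from random words, the way the post suggests, but fresh for every site. On the site side, `hash_answer` and `verify_answer` store the answer the way a password should be stored, salted and run through a slow KDF, so a leaked table does not contain the plain-text answers the post warns about. The word list, the questions, and the scrypt parameters are assumptions chosen for the demonstration.

```python
# Added example: random, non-personal security answers (user side) and
# salted-hash storage of those answers (site side). Not code from the post.

import hashlib
import hmac
import os
import secrets
import unicodedata

# Constructed word list for the demonstration. A real deployment would draw from a
# large list such as the EFF diceware list so answers carry real entropy.
WORDS = [
    "hubbard", "cougars", "lantern", "walnut", "ferry", "quartz", "meadow", "saddle",
    "pepper", "harbor", "violet", "tundra", "copper", "anchor", "maple", "cinder",
]

# Hypothetical questions a site might ask; the answers generated below are
# deliberately unrelated to any real person.
QUESTIONS = [
    "Mother's maiden name?",
    "Best friend in school?",
    "First phone number you remember?",
]


def random_answer(n_words: int = 3, wordlist=WORDS) -> str:
    """User side: an answer made of random words chosen with a CSPRNG.

    Like the post's 'old mother hubbard', it has nothing to do with the user, so no
    breach dump or social-media profile can supply it. Unlike the post's examples it
    is also different for every site, so one leaked answer does not unlock the others.
    """
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def normalize(answer: str) -> str:
    """Fold case and whitespace so 'Old  Mother Hubbard' verifies against 'old mother hubbard'."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, salt: bytes = b"") -> tuple:
    """Site side: store the answer the way a password should be stored.

    A per-answer random salt plus a memory-hard KDF (scrypt, parameters chosen for
    this demo) means a leaked table yields (salt, digest) pairs, not answers.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(normalize(answer).encode("utf-8"),
                            salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_answer(answer: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_answer(answer, salt)
    return hmac.compare_digest(candidate, digest)


def enroll(questions=QUESTIONS) -> tuple:
    """Simulate enrolment on one site.

    Returns (vault, records): `vault` is what the user pastes into a password manager,
    `records` is all the site should keep. Nothing in `records` is the answer itself.
    """
    vault = {q: random_answer() for q in questions}
    records = {q: hash_answer(a) for q, a in vault.items()}
    return vault, records


if __name__ == "__main__":
    vault, records = enroll()
    for q, a in vault.items():
        salt, digest = records[q]
        print(f"{q:34} answer={a!r:32} stored=salt:{salt.hex()[:8]}.. digest:{digest.hex()[:8]}..")
        assert verify_answer(a, salt, digest)
        assert not verify_answer("my real mother's real maiden name", salt, digest)
```

Two design choices worth noting: answers are normalized before hashing, because users will type "Old Mother Hubbard" and expect it to match, and the comparison uses `hmac.compare_digest` so a verification endpoint does not leak timing information about how many bytes of the digest matched.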


David Innes,

I've been building and maintaining websites since 1997 and building and supporting similar hypertext-driven software since 1987. I've done maintenance and support for physical and digital systems since 1981. And no, I still haven't seen it all, but by now I usually know where to look.