How to Easily Remember Answers to Website Secret Questions
Most of you probably know what a secret question is. In essence, it acts as a backup authentication system in case you forget your password. The idea is, upon account registration, you tell the website what your mother's maiden name is. When you misplace your password, you give the right answer and thus, you prove that you are who you say you are.
Although they still exist, the popularity of secret (or security) questions has declined significantly over the last few years. Today, we'll take a look into why they aren't as ubiquitous as they used to be, and we'll also go through some of the best practices when it comes to answering and memorizing them.
Table of Contents
Secrets on the Internet aren’t secret
Long ago, the Internet knew very little about you. You probably went by a nickname like "DemonSlayer" or "SpiceGirl1987," and you likely had a picture of a fictional character as your profile photo or avatar. Back in those days, bad guys had no way of knowing what your mother's maiden name is. They could have tried a few common names, but that would have been a lot of hard work.
This is no longer the case. You might be surprised how much information a few minutes worth of research can reveal nowadays, and because the Internet has become a place where you do business and communicate with friends and family, you now use your real name instead of a pseudonym. And this gives hackers a starting point.
Even if they can't be bothered to go through your Facebook profile and find out where you grew up, they can load a list of towns and cities into a special piece of software that makes thousands of guesses every second, and in no time, they'll have the answer.
It's obvious that secret questions no longer work as a secure secondary authentication system. Bafflingly enough, some service providers continue to use them. You have no other choice but to provide answers which you then need to memorize or store. There are good and bad ways of doing this.
Honesty will get you nowhere in this particular case
Here's a real-world scenario: If you're an active member of an online discussion board dedicated to Honda motor cars, it won't be too hard to guess what the answer to "What do you drive?" is.
Just in case you haven't figured it out by now, answering secret questions truthfully is a bad idea. It's just too easy to find tons of personal information in this day and age, and if it holds the key to your account, it could be game over pretty quickly.
Lying isn’t a great idea, either
Let's continue with the Honda example. Hackers can easily learn that you drive a Honda and you're aware of this, so you think you're quite clever in setting "Toyota" as the answer to the "What do you drive?" question.
We're sorry to break it to you, but you're not that clever. Obviously, Honda will be the hackers' first guess, but they're likely ready to make quite a few more, and Toyota is bound to be among them.
The answer doesn’t need to make sense
Now, if "Honda" or "Toyota" are answers to "What do you drive?", they won't keep the hackers out of your account for long. If you've used them to answer something like "What is your favorite dish?", however, you've made the crooks' lives considerably more difficult.
Ideally, the answer to your secret questions will not be seen by anybody else, and it doesn't need to make sense. In fact, the more absurd it is, the less likely it is to be guessed by the bad guys. The obvious problem with this is trying to recall whether the name of your dog was "spaghetti" or "purple." The less obvious problem is that this is still not the best way of handling secret questions. The next one, however, is.
Treat secret questions the way you treat your passwords
The answer to the secret question can give you (or someone else) access to your account, so, in effect, it's like a second password. Time to start treating it just like you treat your passwords.
If you're using Cyclonis Password Manager, you can take advantage of some of its features to create and store answers to security questions. It actually makes a lot of sense to do that.
When it comes to storage, you can open the Cyclonis Password Manager desktop application, got to Websites and double-click on the account you're about to protect. Then, in the Notes field, you can simply paste the secret question and answer combination. Alternatively, you can place them in a separate Private Note. And with the help of the built-in password generator, you don't need to worry about thinking of a completely random answer to a security question. As an added bonus, you can be pretty sure that nobody will be able to guess that you grew up in "?ZF#-b__=%!|8!$7@:G!@+Uh:!2?96?|".
No matter how you treat it, the secret question system will remain flawed
We already showed you how security questions should be treated in order to minimize the chances of someone breaking into your account. The problem is, even if you stick to the best possible practices, you still can't do anything if the database containing the security questions and answers gets exposed during a data breach. The issue is exacerbated by the fact that some dated authentication mechanisms mandate that employees need to have access to secret questions and answers which means that the data isn't stored securely.
As a result of all this, secret questions are slowly but surely making way for more robust authentication mechanisms. The fact that a website continues to rely on secret questions indicates that its owners aren't exactly up-to-speed on the latest security protocols, which should be something of a red flag to you. Nevertheless, if you do need to answer secret questions, make sure you're treating them like you would treat your passwords.
