I stopped using security questions when I found how easy they are to hack

Signing up for a new account can be a chore, depending on the website’s security settings. As you’re going through the form, you’ll often encounter a field with a security question. It’s a question that only you are supposed to know the answer to, and if you lose your password, this is the question that helps you recover it.

Most people type the answer without thinking twice. After all, the question is supposed to protect you from the bad guys, right? If you too think that, you’ll be surprised to know these questions are often the weakest links in your security chain. There are multiple ways hackers can steal your security question answers, which is why I’ve stopped using them altogether wherever possible.

Security questions only create the illusion of protection

Security questions fail as a modern security layer

The concept of a security question sounds great on paper. You pick a question from a predefined list that only you know the answer to, and it becomes a backup key to your account if you ever forget your password and need to reset it. The problem here is that this supposedly secret information is rarely secret at all.

Your mother’s maiden name? Your family members know it, your friends know it, and it might even be sitting in a public records database. The city where you were born? That’s probably right there on your Facebook profile.

A study conducted by Google that analyzed hundreds of millions of security questions and answers from real users showed the fundamental flaw: answers to security questions are either somewhat secure or easy to remember, but rarely both. In other words, the questions you’ll actually remember the answers to are the same ones that a hacker can either guess or find the answer to with some basic stalking or social engineering. The questions that might actually be secure are the ones whose answers you’ll have a hard time remembering yourself, so they’re less likely to get picked. Nearly 40 percent of English-speaking users in the US admitted they couldn’t remember their own security question answers when needed.

Most security questions are surprisingly easy to guess

Why predictable answers make accounts vulnerable


Most security questions are absurdly guessable. According to the same Google study mentioned above, an attacker has a 19.7 percent chance of guessing an English-speaking user’s favorite food with a single attempt—the answer being, unsurprisingly, pizza. With just 10 guesses, an attacker has a nearly 24 percent chance of figuring out an Arabic-speaking user’s first teacher’s name. For South Korean users, 10 guesses give an attacker a 39 percent chance.

Those numbers are significantly worse than what a password offers. A 20 percent chance with one guess means roughly one in five accounts using that question is vulnerable to the simplest possible attack. This isn’t some theoretical exercise either. Google researchers found that people who try to play the system by providing fake answers make things worse. About 37 percent of users admitted to faking their answers to make them harder to guess, but in practice, these fake answers turn out to be easier to guess.

Real attackers don’t guess—they research

How attackers gather personal information online


If studies aren’t convincing enough, there have been real attacks that exploited these vulnerabilities. In 2008, during the US presidential campaign, a college student named David Kernell broke into vice-presidential candidate Sarah Palin’s personal Yahoo email account. He didn’t use a sophisticated hacking tool or an unpatched online vulnerability. He used Yahoo’s password recovery feature, looked up Palin’s birthdate and ZIP code on Wikipedia, and answered her security question: where she met her husband. The whole hack took less than 45 minutes, according to a 4chan post the hacker made, as reported by Wired.

Another prominent example is the Paris Hilton attack from 2005, where hackers accessed her T-Mobile Sidekick account by resetting her password using a security question asking her favorite pet’s name. Hilton’s pet chihuahua, Tinkerbell, was itself a minor celebrity. The answer in this case was essentially public knowledge, and within hours, Hilton’s private photos, celebrity phone numbers, and personal notes were all over the internet.

Both of these cases highlight the problem with security questions. They assume the answers are private, but in a time of oversharing on social media and readily accessible public records, that assumption is outdated. This is obviously worse for celebrities and public figures, but just because you don’t have millions of social media followers doesn’t mean you’re safe.

How oversharing fuels account takeovers


With social media, security questions have turned into an open book. Posts about pets, hometowns, favorite foods, and even high school mascots are routine, and they’re all common security question topics. Attackers now don’t even need to be especially clever or skillful. A few minutes of stalking someone’s social media account can give you the answers to most standard security questions.

The odds for an attacker increase with social engineering. An attacker might call you or send you a convincing email pretending to be from your bank, your employer, or a tech support team, and easily get the answers they need during what seems like a routine conversation. It’s a low-tech attack that preys on human trust rather than technical vulnerabilities, and it works disturbingly well.

Security questions belong in the past

There are better authentication methods to use today

Using two-factor authentication (2FA) wherever you can is the best way to secure yourself. An authenticator app like Proton Authenticator, Google Authenticator, or 2FAS generates time-based one-time codes on your phone that expire every 30 seconds. Unlike security questions, these codes can’t be guessed by browsing your social media or digging through your public records. For even stronger protection, physical security keys like YubiKey resist phishing entirely. Sure, you can catch phishing attacks with ChatGPT, but it’s best to avoid them altogether.


Most modern services have dropped security questions in favor of 2FA, but if a service still requires one, treat the answer as a password. Instead of simply typing out the real answer to the question, use a random string of letters, numbers, and symbols and store it in a password manager. The answer doesn’t need to make sense; it just needs to be something only you know.
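The following is an added example (not from the article) that puts numbers on the advice above: it compares an attacker's odds against a popular-answer list, using a constructed frequency table shaped like the article's "pizza" finding rather than the Google study's real data, with the odds against a CSPRNG-generated answer of the kind you would paste into a password manager.

```python
import math
import secrets
import string

# Constructed illustration (not the study's data): share of users who give each answer
# to "What is your favorite food?". One answer dominates, as the article describes.
POPULAR_ANSWERS = {
    "pizza": 0.197, "chicken": 0.040, "pasta": 0.030, "sushi": 0.025,
    "tacos": 0.020, "steak": 0.018, "burger": 0.015, "rice": 0.012,
    "chocolate": 0.010, "ice cream": 0.009, "curry": 0.008, "salad": 0.007,
}

# Letters, digits and punctuation: 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def top_k_guess_success(distribution: dict, guesses: int) -> float:
    """Chance an attacker who tries the `guesses` most common answers gets in."""
    ranked = sorted(distribution.values(), reverse=True)
    return sum(ranked[:guesses])


def random_answer(length: int = 20, alphabet: str = ALPHABET) -> str:
    """A security answer treated as a password: chosen by the OS CSPRNG, meant to be stored, not remembered."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string of `length` characters over `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def random_guess_success(length: int, guesses: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Chance a brute-force attacker succeeds within `guesses` attempts against a uniform random answer."""
    return min(1.0, guesses / (alphabet_size ** length))


if __name__ == "__main__":
    for k in (1, 10):
        print(f"popular answers, {k} guess(es): {top_k_guess_success(POPULAR_ANSWERS, k):.1%}")
        print(f"random 20-char answer, {k} guess(es): {random_guess_success(20, k):.3g}")
    print("entropy of a random 20-char answer:", round(entropy_bits(20), 1), "bits")
    print("example answer for the password manager:", random_answer())
```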

To be honest, security questions had their time, but that time is now gone. They were designed for an era before social media and public information got this easy to access, and before hackers realized that the easiest way to hack an account isn’t through passwords—it’s via everything you’ve already told the world about yourself.
