What makes a good security question?
Many platforms ask you to choose a security question, which you will need to answer when logging in or resetting your password. But how do you choose a question that is difficult to crack, but easy for you to answer? Good security questions should have answers that are:
- Memorable. The answer to the question should pop into your head straight away, even if you’re logging in 2 years after you first created the account. Don’t make it the song you listened to on repeat 10 years ago.
- Unique. Security questions shouldn’t have multiple likely answers. Pick something that’s precise, simple, and straightforward. And don’t try to be cheeky and go with a fake answer, lest you outsmart yourself and forget it two months down the line.
- Consistent. It should be factual and not change over time. For example, your tastes in music might change, but the city you were born in won’t.
- Unpredictable. Don’t make the answer something others can easily guess or research. No one except you (and maybe the person involved in that specific life event) should know the answer. And don’t make the mistake of sharing such personal information on social media, or taking Facebook quizzes that try to trick you into revealing this information!
Security questions you should avoid
Why are some security questions bad? It comes down to two reasons: they are too complicated or too simple. So people either forget their answers or their accounts get hacked because the answers were way too easy to guess. One way to reduce the risk is to never share this information anywhere and to avoid answering security questions when signing up for websites with a questionable reputation. But all in all, it's best to avoid using weak security questions in the first place.
Let’s examine some bad security questions:
Bad:
In what city or town was your first job? – This information can be easily found on LinkedIn, or easily guessed if you’ve never moved to another city or country.
What primary school/high school did you attend? – This information can be easily found on LinkedIn or social media channels like Facebook.
What is your mother’s maiden name? – It may take a little bit of digging, but a hacker could find this information from social media or national registries.
What is your favorite movie? – This is a question without a consistent answer. Something you really liked yesterday might not be the movie you’ll love today, since new movies are released all the time and your tastes change.
What was your favorite sport in high school? – A weak question, especially if your Facebook profile is full of pictures of you playing rugby, cheerleading, or doing any other sport. And if it’s not, then there’s a chance that the answer can be guessed if you post a lot of articles about football, for example.
A list of good security questions you could use
What was the name of the boy or the girl you first kissed? – This is a good question as it’s personal — most likely you’re the only one to know the answer.
Where were you when you had your first kiss? – Like the last one, this is also a personal and stable question that not many people can answer.
In what city did you meet your spouse/significant other? – A good personal question with a consistent answer. However, the answer may be easy to guess, especially if you’ve never moved countries, haven’t traveled much, or married your high school sweetheart.
What is the middle name of your youngest child? – A great question if you have kids, since this information most likely won’t be available anywhere outside your child’s passport.
What was the name of your first stuffed animal? – A question that requires a consistent and specific answer. Not all kids have a favorite stuffed animal, but if you did, there’s probably no one else in the world who knows its name.
In what city or town did your mother and father meet? – It’s personal and specific. Only you and your family members will know the answer. This information most likely cannot be found on social media, either!
What is your oldest cousin's first and last name? – This one won’t work if you’re very close and your connection is easy to find online. But if you have a ton of cousins and don’t really keep in touch that much, it’s a great security question.
What was the first exam you failed? – It’s personal, specific, stable, and easy to memorize. And if you’re not prone to overshare online, this information won’t be found on your social media.
Is there anything else I can do?
Yes! First, limit the information you share on social media profiles and your posts. You don’t need to list your hometown on Facebook to create a profile. Have a look at these tips and reevaluate how you can make your social media profiles more private. This will make the hackers’ job way more complicated.
And if you are confident that you’ve chosen good security questions, but still think you may forget the answers, use a password manager. Many secure password managers, including NordPass, let you add notes to your passwords.