Don’t Use Hopelessly Vague Security Questions

Don’t Use Hopelessly Vague Security Questions

Password reset questions may seem like a necessary evil if you’re building any kind of system which requires users to log in. However, the process becomes utterly pointless if you make the questions so vague as to be too hard to remember.

Questions picture from Shutterstock

Gartner analyst Jack Santos make the point well in an analysis of the password reset questions which Apple uses on its site. Some questions (such as “What was your mother’s maiden name?”) are unambiguous but often easy for hackers with an individual target to research. Others (such as “What was the first album you purchased?”) can be difficult to remember, which obviates their usefulness. And some (“What was the name of the street where you grew up?”) may well have multiple answers.

There’s no sure-fire solution to this issue, but it pays to be aware. One other reminder: you can’t set an arbitrary minimum length for most of these answers. Some maiden names are short.

The Travesty of Security Questions [Gartner Blogs]


  • This is why I prefer sites that let me specify both the question and answer. That way I can use a question (one of mine is ‘Mad cows?’) that has an immediate answer to me that is completely unintuitive to the question itself.

  • I tend to associate one question with another. For example what is your mother’s maiden name could mean what primary school did you go to. This makes it impossible for hackers to gain access to my account without doing a dictionary attack.

  • Or how about treating security questions as secondary passwords? Simply pick one or two extra passwords that you can plug in and just simply pick random security questions. It won’t matter since you know password 1 goes with the first question and password 2 goes with the second.

Log in to comment on this story!