It’s been a while since I’ve had to type in some stupid answer to a made-up question when creating an account on a new service. You know what I’m talking about: Forget your password, and you can regain access to your account by typing in the name of your first pet (Mr Mrglglrm), your favourite sports team (Saskatoon Sirens), or the street you grew up on (Third Street).
If you haven’t heard, these kinds of Q&As are horrible for security, because it’s a lot easier for someone to figure out these answers than to brute-force a complicated password or passphrase.
The obvious solution to this simple problem is to create dummy answers whenever you’re forced to answer questions such as these, but there’s a catch-22: Make up an outright lie, or some crazy combination of letters and numbers, and you might forget your fake answer when you need it most.
At best, you’ll have to get in touch with the company and beg to regain access to your account; at worst, you’ll have no way to verify that the account belongs to you, and you’ll be out of luck.
Here are a few ways you can tackle this problem, ranked in order of effectiveness:
Lie, But Only A Little Bit
When a service asks you to type in the name of your first musical as an account security question, you don’t have to tell the truth. If you first saw The Phantom of the Opera as a child, you could always say it was Hamilton. Or Heathers. Or don’t even pick a musical at all. Go with The Nightmare Before Christmas (which really should be a musical, but I digress).
As long as you can remember your little white lie, it’ll be harder for someone to break into your account by finding something you posted online that would give away the actual answer to the question at hand.
Treat Your Q&A Like A Password Prompt
If you want to get a little crazier, you can always obfuscate your answer in a more creative way. Take Kate Kochetkova’s approach, from the Kaspersky blog:
If you want, you can change the answer to even the worst security question ever such that nobody could guess it — what is your mother’s maiden name? XCU*(&S1042! — but of course, you need to be careful not to confuse yourself as well.
As a better option, you might take the maiden name Woodhouse and strip it down to the consonants: wdhs. Evenly intersperse the birth date 04.08.80 to get 04wd08hs80. Not a brilliant trick, but much better than the original.
You’re now even more secure than before, as you’re using some obscure combination of numbers and letters instead of a dictionary-guessable name.
That won’t prevent a strong brute-force attack, but it’ll at least beat anyone who is just typing in random permutations of cities, pet names, or whatever else the answer could have been.
The downside? Something like “J2uS*SD12(#..sfa!” is going to be tricky to remember. And the last thing you should do is write it down somewhere — be it a sticky note on your monitor or a text file on your desktop — unless you’ve placed your list of answers in a secure location. On to solution number three!
Use A Password Manager To Store Your Q&As
Yes, your password manager isn’t just for passwords. Assuming your LastPass or 1Password account is secured with a strong password itself, two-factor authentication, and any other tricks LastPass or 1Password offers, you can store answers to account questions in there, too. (Yes, there are many other options beyond LastPass and 1Password; those are just our favourites.)
If you’re a LastPass user, you can drop your answers into the service’s “Secure Notes” section (and require a password prompt to access it, if you want), or directly into the notes of any saved site:
If you’re on 1Password, the process is similarly easy. Drop your answers into a secure note, or just create a custom field for any site entry, and leave your account recovery Q&As there. That’ll look something like this:
The best thing about using password managers to store account security Q&As is that you can even have these apps create your answer for you. (An “answer” is just another password, after all.) If you do, you might need to chill out on the craziness — no symbols, for example — if the site or service you’re using doesn’t let you say that your first car was a “[email protected] @$$US0RD”.
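The two approaches above (deriving an answer from real facts, as in the Kaspersky quote, and letting a manager generate a random one) differ mainly in how many guesses an attacker needs. The script below is an added example, not code from the article, Kaspersky or any password manager: it reproduces the Woodhouse/04.08.80 derivation, generates random answers with an optional no-symbols alphabet for sites that reject punctuation, and puts a rough guess-space figure on each. The 12-character symbol set, the 100,000-surname list and the 36,525 plausible birth dates are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Added example, not from the article. Illustrative assumptions below.
VOWELS = set("aeiou")
ALNUM = string.ascii_letters + string.digits   # 62 characters
SYMBOLS = "!@#$%^&*-_=+"                       # assumed symbol set, 12 characters


def strip_to_consonants(name: str) -> str:
    """Lower-case the name and keep only its consonants: Woodhouse -> wdhs."""
    return "".join(ch for ch in name.lower() if ch.isalpha() and ch not in VOWELS)


def interleave_with_date(consonants: str, date: str) -> str:
    """Spread the date's digit pairs evenly through the consonants.

    "wdhs" with "04.08.80" gives 04wd08hs80: three digit pairs bracketing
    two equal chunks of letters, matching the quoted trick.
    """
    digits = "".join(ch for ch in date if ch.isdigit())
    pairs = [digits[i:i + 2] for i in range(0, len(digits), 2)]
    slots = len(pairs) - 1
    if slots <= 0:                      # nothing to interleave between
        return digits + consonants
    chunk = math.ceil(len(consonants) / slots)
    letters = [consonants[i:i + chunk] for i in range(0, len(consonants), chunk)]
    out = pairs[0]
    for i in range(slots):
        out += letters[i] if i < len(letters) else ""
        out += pairs[i + 1]
    return out


def derive_answer(maiden_name: str, birth_date: str) -> str:
    """The derived-answer strategy end to end."""
    return interleave_with_date(strip_to_consonants(maiden_name), birth_date)


def answer_alphabet(allow_symbols: bool = True) -> str:
    """Character set a generator may draw from; some sites forbid symbols."""
    return ALNUM + (SYMBOLS if allow_symbols else "")


def generate_answer(length: int = 16, allow_symbols: bool = True) -> str:
    """Random answer from the OS CSPRNG, the way a manager's generator works."""
    alphabet = answer_alphabet(allow_symbols)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_answer_bits(length: int, allow_symbols: bool = True) -> float:
    """Guess space of a uniformly random answer, in bits."""
    return length * math.log2(len(answer_alphabet(allow_symbols)))


def derived_answer_bits(surname_list_size: int, date_choices: int) -> float:
    """Upper bound for a derived answer: the attacker enumerates plausible
    surnames and dates and re-applies the public transform, so the output's
    odd-looking characters add nothing beyond those two facts."""
    return math.log2(surname_list_size * date_choices)


if __name__ == "__main__":
    print("derived:", derive_answer("Woodhouse", "04.08.80"))
    print("random (no symbols):", generate_answer(16, allow_symbols=False))
    # Assumed: 100,000 common surnames, 100 years of possible birth dates.
    print("derived guess space: %.1f bits" % derived_answer_bits(100_000, 36_525))
    print("random 16-char, no symbols: %.1f bits" % random_answer_bits(16, False))
    print("random 16-char, with symbols: %.1f bits" % random_answer_bits(16, True))
```

Dropping symbols to satisfy a picky site costs about four bits at 16 characters, which is negligible next to the gap between either random answer and anything derived from facts someone can look up. The derived answer is still worth using where nothing better is possible, but the reason the manager-generated one wins is that its guess space does not shrink when an attacker learns your mother's maiden name.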