
When a website asks me to enter security questions in addition to a password what is best practice on my part? This often happens with banks and other institutions but I see it less with other websites.

Should I choose the most obscure questions that are difficult to guess? Or should I just enter a gibberish password and save that in addition to my regular password?

  • 1
    In that case the security question becomes your password, so you should follow the same rules you follow when generating passwords.
    – user42178
    Commented Dec 21, 2014 at 5:41
  • 2
    Try to avoid questions whose answers are easy to find on social media etc. I know this is a no-brainer, but worth mentioning I guess.
    – Jeroen
    Commented Dec 21, 2014 at 6:08
  • Nowadays, information gathering is so easy. Everyone shares their most important information on social media. If the question is very simple and not changeable, you can give a different answer. For example, question: Where were you born? Answer: 1900.
    – dgn
    Commented Dec 21, 2014 at 12:09
  • Those are good points, but are there any best practices? e.g. just always use a new password for each security question? Or will some institutions not allow that?
    – Fernando
    Commented Dec 21, 2014 at 18:36

1 Answer


The best practice by far is to choose any of the questions but enter random text as the answers.

As others have said in the comments, it is far too easy to discover the answers to most of the well-used questions now.

Of course, this requires you to carefully keep track of the answers and be able to get hold of them when required.

Generally I use Keepass as a password store, and this supports additional Q&A security as well as the "enter n characters from a password" type of entries. It is well tried and trusted and has 3rd party versions for pretty well all platforms, including mobile ones.

  • 3
    +1. The only potential drawback of this is that you might sound a bit odd if you need to authenticate yourself on any phone call with the service. Q: What's your first pet's name? A: xyX777&kjNoPo033h.a
    Commented Dec 22, 2014 at 11:16
  • 6
    :) It does confuse the heck out of call centre handlers if you ever need to use them over the phone! I generally choose a word; after all, they aren't passwords so they don't need to be totally random. Q: "What's your favorite pet?" A: "New York".
    Commented Dec 22, 2014 at 11:44
  • 2
    You don't have to choose random letters, just the "wrong" answer: Q: mother's maiden name, A: Rumpshaker
    – Jim B
    Commented Dec 22, 2014 at 16:09
  • 1
    Perhaps your answer doesn't have to be really random, but it does have to be secure, i.e. not guessable, not repeated for different online accounts, and resistant to whatever attacks the service is vulnerable to. Given the sloppy way security is often implemented, that might even include a way for an attacker to try all English words or common phrases. Sigh. What a bother. Now we have multiple "password-equivalents" to manage per account.
    – nealmcb
    Commented May 20, 2019 at 0:13
  • 2
    A diceware-like answer (with words that are easy to spell) is the way to make phone call authentication less tedious. It doesn't eliminate the awkwardness but it does make the other person's job easier.
    Commented May 25, 2019 at 14:47
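The approach the answer and its comments converge on (treat each security answer as a password-equivalent: randomly generated, diceware-style so it survives a phone call, unique per account, stored in a password manager) as an added example; this is illustration code, not Keepass or any site's own logic, and the word list and audit records are constructed here for the demonstration.

```python
import math
import secrets

# Constructed, deliberately small word list; a real diceware list has 7776
# entries. Short, easy-to-spell words keep the answer readable over the phone.
WORDS = ["apple", "brick", "cloud", "delta", "eagle", "flame", "grape", "house",
         "igloo", "jelly", "kiosk", "lemon", "mango", "noble", "ocean", "piano"]

# Constructed sample of truthful-looking answers an attacker could guess or
# look up (the kind the comments warn against).
COMMON_ANSWERS = {"fluffy", "smith", "max", "password"}

def generate_answer(n_words=4, words=WORDS):
    """Diceware-style answer: n words drawn with the OS CSPRNG (secrets),
    never random.choice, since the answer is a password-equivalent."""
    return " ".join(secrets.choice(words) for _ in range(n_words))

def entropy_bits(n_words, wordlist_size=len(WORDS)):
    """Entropy of an n-word answer drawn uniformly from wordlist_size words."""
    return n_words * math.log2(wordlist_size)

def audit_answers(records):
    """records: iterable of (account, question, answer).
    Returns (account, question, problem) tuples for answers that look
    guessable or are reused across accounts; empty list means no issues."""
    problems = []
    first_seen = {}  # normalised answer -> account that used it first
    for account, question, answer in records:
        key = " ".join(answer.lower().split())
        if key in COMMON_ANSWERS:
            problems.append((account, question, "guessable answer"))
        owner = first_seen.setdefault(key, account)
        if owner != account:
            problems.append((account, question, f"reused from {owner}"))
    return problems

if __name__ == "__main__":
    print("example answer:", generate_answer())
    print(f"16-word list, 4 words: {entropy_bits(4):.1f} bits")
    print(f"7776-word list, 5 words: {entropy_bits(5, 7776):.1f} bits")
```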
