Online security: The password-recovery questions you should be answering

By J. Carlton Collins, CPA

Q. What security questions should we ask of our employees to confirm the identity of those employees digitally changing their login passwords?

A. In 2008, a 20-year-old college student hacked the Yahoo! email account for then vice presidential candidate Sarah Palin because he was able to figure out the answers to her password security questions by using Google searches to find her ZIP code, birthdate, and where she met her husband. Today, with so much of our personal information available on social media, many common security questions are not as secure as they once were. Some of the more common security questions with answers that might sometimes be found on one's social media pages include the following:

  • What is your mother's maiden name?
  • What is the name of your first pet?
  • What was your first car?
  • What elementary school did you attend?
  • What is the name of the town where you were born?

I think we've reached a point at which organizations and individuals need their security questions to present more formidable hurdles to would-be hackers. The challenge for organizations is to avoid making the questions so difficult that users cannot remember their own answers later. To be useful, a better security question should:

  • Be fairly easy to remember, even years later.
  • Contain thousands of possible answers, so it's not easily guessed.
  • Not be a topic frequently found on social media.
  • Have an answer that never changes (e.g., your favorite color or dream car might change over time).

Given the above suggested criteria, you might try to come up with more challenging security questions that have answers not typically revealed on social media, such as the following:

  • When you were young, what did you want to be when you grew up?
  • Who was your childhood hero?
  • Where was your best family vacation as a kid?

Still, the problem with all security questions, no matter how difficult they are, is that they are intended to be simpler to use than passwords: the question itself is supposed to trigger your memory, and anything easy to recall tends to be easy to research. To offset the simplicity of the questions administrators typically ask, end users might consider protecting themselves further by providing random answers that cannot be researched or guessed. In effect, I am suggesting that your answers be more random so they act more like a password. For example, instead of providing your mother's actual maiden name, you might provide the made-up name Aphrodite1234!, which resembles a password more than a name. While this approach defeats the purpose of simpler security questions, it probably would result in greater security. If you take it, record the made-up answers in a password manager, because a random answer you cannot recall locks you out just as surely as a forgotten password does.
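The criteria above (an answer space of thousands of possibilities, not derivable from profile data) and the suggestion to treat answers like passwords have a server-side counterpart: the organization's reset flow should handle answers exactly as it handles passwords. The following Python block is an added example written for this page, not code from the article or from any product it mentions. It assumes a hypothetical RecoveryVerifier class, a constructed list of very common answers, and constructed profile facts; it normalizes an answer before comparison, rejects answers that are short, common or built from known profile data, stores only a salted PBKDF2 hash, compares in constant time, and locks the account after a fixed number of failures.

```python
"""Handle password-recovery answers like passwords: normalize, reject weak
answers, store a salted slow hash, compare in constant time, rate-limit.
Added example for this page; not the article's or any vendor's code."""
import hashlib
import hmac
import os
import secrets
import unicodedata

# Constructed sample data: a handful of very common answers to typical
# security questions (maiden name, first pet, first car, home town).
COMMON_ANSWERS = {"smith", "max", "buddy", "honda", "toyota", "springfield"}
MAX_ATTEMPTS = 5          # hypothetical lockout threshold
PBKDF2_ROUNDS = 200_000   # slow enough to blunt offline guessing


def normalize(answer: str) -> str:
    """Canonicalize so 'Wasilla  High' and 'wasilla high' compare equal
    without shrinking the answer space in any way an attacker could exploit."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def is_weak_answer(answer: str, profile_facts=()) -> tuple:
    """Enrollment-time policy check. profile_facts are strings an attacker
    could find (ZIP code, birth year, town); an answer containing one is rejected."""
    a = normalize(answer)
    if len(a) < 4:
        return True, "too short"
    if a in COMMON_ANSWERS:
        return True, "common answer"
    for fact in profile_facts:
        f = normalize(fact)
        if f and f in a:
            return True, "derived from profile data"
    return False, "ok"


def random_answer(nbytes: int = 12) -> str:
    """Password-like answer the user is expected to keep in a password manager."""
    return secrets.token_urlsafe(nbytes)


def hash_answer(answer: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 over the normalized answer; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class RecoveryVerifier:
    """Hypothetical verifier: enrolls answers and checks reset attempts."""

    def __init__(self):
        self._records = {}   # user -> (salt, digest); plaintext is never stored
        self._failures = {}  # user -> consecutive failed attempts

    def enroll(self, user: str, answer: str, profile_facts=()) -> None:
        weak, why = is_weak_answer(answer, profile_facts)
        if weak:
            raise ValueError(f"rejected answer: {why}")
        self._records[user] = hash_answer(answer)
        self._failures[user] = 0

    def verify(self, user: str, answer: str) -> bool:
        if self._failures.get(user, 0) >= MAX_ATTEMPTS:
            return False  # locked: require another channel, not more guesses
        salt, digest = self._records.get(user, (None, None))
        if salt is None:
            hash_answer(answer, os.urandom(16))  # same cost for unknown users
            return False
        _, candidate = hash_answer(answer, salt)
        if hmac.compare_digest(candidate, digest):
            self._failures[user] = 0
            return True
        self._failures[user] += 1
        return False


if __name__ == "__main__":
    v = RecoveryVerifier()
    v.enroll("alice", "marine biologist", profile_facts=["99654", "Wasilla"])
    print(v.verify("alice", "  Marine BIOLOGIST "))   # normalized match
    print(is_weak_answer("Wasilla High", ["Wasilla"]))  # rejected at enrollment
```

The lockout and the dummy hash for unknown users are what keep an attacker from turning "thousands of possible answers" into a few minutes of scripted guessing; the enrollment check is where a Palin-style answer (a town or school name already on the user's profile) gets refused before it can be relied on.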

About the author

J. Carlton Collins is a technology consultant, a conference presenter, and a JofA contributing editor.

Submit a question

Do you have technology questions for this column? Or, after reading an answer, do you have a better solution? Send them to We regret being unable to individually answer all submitted questions.

