Online security: The password-recovery questions you should be answering

Q. What security questions should we ask of our employees to confirm the identity of those employees digitally changing their login passwords?

A. In 2008, a 20-year-old college student hacked the Yahoo! email account for then vice presidential candidate Sarah Palin because he was able to figure out the answers to her password security questions by using Google searches to find her ZIP code, birthdate, and where she met her husband. Today, with so much of our personal information available on social media, many common security questions are not as secure as they once were. Some of the more common security questions with answers that might sometimes be found on one’s social media pages include the following:

• What is your mother’s maiden name?
• What is the name of your first pet?
• What was your first car?
• What elementary school did you attend?
• What is the name of the town where you were born?

I think we’ve reached a point in which organizations and individuals need their security questions to produce more formidable hurdles for would-be hackers. The challenge for organizations is to not make the security questions so difficult that users are unable to remember their answers later. To be useful, a better security question should:

• Be fairly easy to remember, even years later.
• Contain thousands of possible answers, so it’s not easily guessed.
• Not be a topic frequently found on social media.
• Have an answer that never changes (e.g., your favorite color or dream car might change over time).

Given the above suggested criteria, you might try to come up with more challenging security questions that have answers not typically revealed on social media, such as the following:

• When you were young, what did you want to be when you grew up?
• Who was your childhood hero?
• Where was your best family vacation as a kid?

Still, the problem with all security questions, no matter how difficult they are, is they are intended to be simpler to use than passwords because the question itself is supposed to trigger your memory. To combat the more simplistic nature of security questions administrators often ask, end users might consider protecting themselves further by providing random answers that cannot be researched or guessed. In effect, I am suggesting that your answers be more random so they act more like a password. For example, instead of providing your mother’s ­actual maiden name, you might provide the made-up name Aphrodite1234!, which resembles a password more so than a name. While this approach may defeat the purpose of simpler security questions, it probably would result in greater security.

About the author

J. Carlton Collins (carlton@asaresearch.com) is a technology consultant, a conference presenter, and a JofA contributing editor.

Submit a question

Do you have technology questions for this column? Or, after reading an answer, do you have a better solution? Send them to jofatech@aicpa.org. We regret being unable to individually answer all submitted questions.