May 14, 2019
Multi-Factor Authentication

How to Make Security Questions More Secure

John Wu Senior Solutions Engineer

Security questions are one of the more popular options for two-factor authentication. They don’t rely on smartphones or hard tokens, which makes them highly convenient. However, users tend to create weak or easy-to-guess answers, resulting in insecure security questions.

Here are two simple tips to help make your security questions more secure:

1. Use an unrelated answer.

If the security question is your mother's maiden name, don't use your mother's real maiden name. Answer with something completely unrelated, like a passphrase or a random string of letters and numbers. Ignore what the question is asking and treat security questions like a second password field. Answers to security questions might be easily guessed or acquired through phishing, social media, social engineering, stolen or public records, or malware, so be sure to use an answer that is unrelated to the question.

2. Make it complex, but easy to remember.

Users tend to create short or simple answers for security questions, which makes them vulnerable to guessing or brute-force attacks. Another way to make security questions more secure is to make the answer complex, like a strong password, but easy to remember.

A simple method for making complex but easy to remember answers is to use a passphrase of four words. Four words are harder to crack than eight random numbers and characters. The longer the better.

[Figure: "Password Strength" comic, by XKCD.com]

Make sure these four words are not part of “song lyrics, common sayings, or well-known phrases. Strong passphrases include strings that are not dictionary words and contain special characters, such as ampersands, commas, and periods. A good passphrase should be unique but be easy to remember.” (TechTerms)

Here are examples of weak passphrases:

  • Unicornfrappuccino
  • Guardiansofthegalaxy
  • Passphrase123
  • MydogisSpot

Here are examples of strong passphrases:

  • P!zza3atinglikeI (Talk like Yoda. Say it backwards.)
  • Sp@t is dog m4 (Use spaces to help make it longer.)
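
The four-word advice above can be checked numerically. The following Python code is an added example, not code from the original article: it draws an answer with a cryptographically secure random generator and computes how large the word list must be for four random words to match eight random characters. The sample word list, the function names, and the 62- and 95-character alphabets are assumptions made for illustration.

```python
import math
import secrets

# Constructed sample list so the block runs offline. A real list should hold
# thousands of words (the EFF long Diceware list has 7776).
SAMPLE_WORDS = ["anchor", "biscuit", "copper", "dune", "ember", "fjord",
                "gravel", "harbor", "ivory", "juniper", "kettle", "lantern"]


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform random draws from a pool."""
    return picks * math.log2(pool_size)


def random_answer(wordlist, words: int = 4, sep: str = " ") -> str:
    """Answer unrelated to any question: words drawn with a CSPRNG."""
    pool = sorted(set(wordlist))
    if len(pool) < 2:
        raise ValueError("word list needs at least two distinct words")
    return sep.join(secrets.choice(pool) for _ in range(words))


def min_wordlist_size(words: int, alphabet: int, chars: int) -> int:
    """Smallest list size n where n**words >= alphabet**chars (exact integers)."""
    target = alphabet ** chars
    n = 1
    while n ** words < target:
        n += 1
    return n


if __name__ == "__main__":
    print("sample answer:", random_answer(SAMPLE_WORDS))
    print(f"4 words from 7776: {entropy_bits(7776, 4):.1f} bits")
    print(f"8 chars from 62 letters and digits: {entropy_bits(62, 8):.1f} bits")
    print(f"8 chars from 95 printable ASCII: {entropy_bits(95, 8):.1f} bits")
    print("list size to match 8 letters/digits:", min_wordlist_size(4, 62, 8))
    print("list size to match 8 printable chars:", min_wordlist_size(4, 95, 8))
```

These figures hold only when every word is picked at random from the list; a phrase a person chooses has less entropy than the calculation suggests.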

Conclusion

Using security questions for two-factor authentication is simple and convenient, but it becomes insecure if the answers are too easy to guess or to crack with brute force. Make security questions more secure by answering with something unrelated to the question. Treat security questions like a second password by using a passphrase that is complex but easy for you to remember.