When it comes to Internet security questions like “What was the name of your first pet?” it’s easier to stick with the truth than to type in something random—like the name of your favorite Bolshevik dictator—then, months down the road, try to remember what you did. So, usually, “Spot” it is. Unfortunately, as Stalin himself might say, “You make very big mistake.”
A new Google/Stanford analysis of hundreds of thousands of security questions found that most users’ answers are anything but secure. Many questions (“What’s your favorite color?”) have so few plausible answers that an attacker who simply tries the most common ones will get in a meaningful share of the time. Others (“Where were you born?”) are known to acquaintances, can be picked up by rifling through email you’ve left open, or can be found with a little online research. And an answer you reuse on several sites is only as safe as the weakest of them: if one site is breached, the attacker can try that same answer everywhere else.
“Big deal,” you’re thinking. “It’s not like it’s my password.” Wrong again, says Patrick Nielsen of Internet security firm Kaspersky Lab. “Security questions can be used to access your accounts without your password—so, in essence, answers to security questions are passwords. That’s why you need to pick them with care.”
Below, the Lab’s top Q&A tips.
DO: Use a password manager—software that keeps track of your secrets and can be accessed only with a single password you choose. (Nielsen recommends kaspersky.com.)
DON’T: Use single-word passwords. Instead, switch to nonsensical “passphrases,” like “Consider the purple seahorse clicking the roof.” (But make up your own!)
DO: Make up fake answers for security questions, and store them in the password manager.
DON’T: Use the same answers on multiple websites. Ever.
DO: Wherever possible, use sites that offer two-factor authentication, which asks you to confirm a login a second way, e.g., with a code sent by text or e-mail or generated by an authenticator app. A code by text is far better than nothing, but a code from an app (or a hardware security key) is harder for an attacker to intercept, so prefer it when the site gives you the choice.
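As an added illustration of the last three tips (this is example code written for this page, not the article’s own material or a Kaspersky Lab tool), the Python script below generates a random passphrase and random, per-site answers to security questions, puts numbers on why “favorite color” is weak, and flags any answer that appears under more than one site in a vault. The 32-word list and the sample vault are constructed for the demo; a real passphrase generator would draw from a much larger list, and the generated answers are meant to live in your password manager, not in your memory.

```python
"""Random security-question answers and passphrases, plus a reuse check.

Added example for this article; not code from the article or from Kaspersky Lab.
Assumptions: the word list is a constructed 32-word sample (real generators use
lists of thousands of words), and the 'vault' layout {site: {question: answer}}
is an illustrative stand-in for a password manager's records.
"""
import math
import secrets
import string

# Constructed sample word list. Entropy scales with list size: 32 words give
# 5 bits per word, a 7,776-word list gives about 12.9 bits per word.
WORDS = [
    "purple", "seahorse", "clicking", "roof", "anchor", "basket", "cobalt", "dune",
    "ember", "falcon", "glacier", "harbor", "island", "juniper", "kettle", "lantern",
    "meadow", "nickel", "orchard", "pebble", "quartz", "ripple", "saddle", "timber",
    "umbrella", "velvet", "walnut", "xenon", "yonder", "zephyr", "badger", "copper",
]

# Alphabet for generated security-question answers (letters and digits only,
# because some sites reject punctuation in answers).
ANSWER_ALPHABET = string.ascii_letters + string.digits


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy in `length` independent, uniformly random picks from `choices` options."""
    return length * math.log2(choices)


def make_passphrase(n_words: int = 6, words=WORDS) -> str:
    """A 'nonsensical' passphrase: n_words chosen with the OS CSPRNG (secrets), not random.random."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def make_fake_answer(length: int = 16) -> str:
    """A random answer to a security question. It is meant to be stored, not remembered."""
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


def answers_for_site(questions) -> dict:
    """Fresh random answers for one site's questions; call once per site so nothing is shared."""
    return {q: make_fake_answer() for q in questions}


def reused_answers(vault: dict) -> dict:
    """Return {answer: [sites]} for every answer that appears under more than one site.

    `vault` is {site: {question: answer}}. Answers are compared case-insensitively
    and with surrounding whitespace stripped, since sites usually normalise them
    that way before checking, so 'Spot' and 'spot ' count as the same answer.
    """
    seen = {}
    for site, qa in vault.items():
        for answer in qa.values():
            seen.setdefault(answer.strip().lower(), set()).add(site)
    return {a: sorted(s) for a, s in seen.items() if len(s) > 1}


if __name__ == "__main__":
    # Assumed figure: roughly 10 colours cover almost everyone's "favorite color".
    print(f"favorite color (~10 answers): {entropy_bits(10, 1):.1f} bits")
    print(f"6 words from this 32-word list: {entropy_bits(len(WORDS), 6):.1f} bits")
    print(f"6 words from a 7,776-word list: {entropy_bits(7776, 6):.1f} bits")
    print(f"16 random letters/digits:       {entropy_bits(len(ANSWER_ALPHABET), 16):.1f} bits")
    print("passphrase:", make_passphrase())

    questions = ["What was the name of your first pet?", "Where were you born?"]
    vault = {
        "bank.example": {"What was the name of your first pet?": "Spot"},
        "mail.example": {"What was the name of your first pet?": "spot "},
        "shop.example": answers_for_site(questions),
    }
    print("reused answers:", reused_answers(vault))
```

The reuse check is the part worth running against your own records: exporting a password manager’s security-question fields into the `vault` shape above and calling `reused_answers` shows at a glance which “Spot”s you still need to replace.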