By Igor Magun
Security questions are a bad idea that we need to do something about.
They’re used by some online services to ensure only you can request a password reset. They ask questions that, in theory, only you can answer. But if a hacker needs to find out your first pet’s name, your favourite food, or answers to other common security questions, there’s an increasingly good chance they can find it on Facebook or Twitter.
Of course, you could try to avoid mentioning any potential answers to security questions online, but this is impractical and frankly shouldn’t be the case.
Besides, answers to certain questions can be very common—popular pet names will come up more often as answers, for instance—making them easy to guess.
In short, online services need to get rid of security questions. Although many have moved on from them, some major banks and airlines still use them, among other services. One possible solution is to use two-factor authentication instead.
Our Biz & Tech section has covered two-factor authentication before, but simply put, it involves using a second “factor” to authenticate someone when accessing a service. A factor can be something you know (a password), something you have (your phone), or something you are (your fingerprint). Ryerson recently introduced such a system for my.ryerson accounts, using an authenticator app to generate a code on your phone that you use in addition to your password to log in.
A similar system could be used to replace security questions when you reset your password. Hacking or stealing your smartphone is a lot more involved, and carries more legal risk, than Googling the answers to your security questions. This makes it a more effective way to protect your account.
But until security questions are killed off, there are some things you can do to make your answers strong. You never want to use real answers, but you should also make sure your answers aren’t easy to guess. References to pop culture probably aren’t a great idea here.
If you use a password manager (which I highly recommend), you can just generate and store a random “answer” to each question the same way you would generate a new password. Even if you don’t have a password manager, you could come up with an answer that is complete gibberish and write it down in a safe place.
It might raise a few eyebrows if you ever need to call your bank and tell them that your first pet was named “$q25s%34!,” but until we get rid of security questions, you can bet nobody’s going to guess that.