Security guide

How to Use Security Questions (Password Recovery) Safely

Security questions are a recovery option for when you forget your password, but used poorly they become a back door into your account.

Why they're risky

The answers to security questions can often be guessed, or looked up on social media, public profiles and through people who know you. The school you attended or your pet's name may already be public.

Attackers gather this information (social engineering) and attempt a password reset. The more truthful the answer, the more dangerous it is.

How to answer safely

Don't use the real answer to the question as-is.

  • Instead of the real answer, make up a random string (a fake answer) and use that
  • Use a different answer for each question
  • Avoid questions that can be guessed from public information
  • Store the answers you made up in your password manager as well
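The list above is a procedure; the following is an added example (not part of the original guide) that carries it out in Python: it generates a separate random fake answer for each question with the `secrets` module, packages the results as a record you can paste into a password manager's notes field, and audits a record for reused or short answers. The service name and the questions are constructed samples, not taken from any real service.

```python
import json
import secrets
import string

# Constructed sample questions for the example (not from any real service).
QUESTIONS = [
    "What was the name of your first pet?",
    "What city were you born in?",
    "What was your high school mascot?",
]


def make_fake_answer(length: int = 20) -> str:
    """Return a random answer that has no relation to the real fact.

    Uses the secrets module (a CSPRNG) and restricts the alphabet to
    letters and digits so the answer survives services that reject
    punctuation or whitespace in security-question answers.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_recovery_record(service: str, questions, length: int = 20) -> dict:
    """Generate a distinct fake answer per question.

    The returned dict is the record to store alongside the account in a
    password manager; each question gets its own answer, never a shared one.
    """
    answers = {}
    for question in questions:
        answer = make_fake_answer(length)
        # Guarantee that no two questions share an answer.
        while answer in answers.values():
            answer = make_fake_answer(length)
        answers[question] = answer
    return {"service": service, "security_questions": answers}


def check_record(record: dict, min_length: int = 16) -> list:
    """Audit a stored record and list any weak entries.

    Flags answers shorter than min_length and answers reused across
    questions, which are the two mistakes the guide warns against.
    """
    problems = []
    seen = {}
    for question, answer in record["security_questions"].items():
        if len(answer) < min_length:
            problems.append(f"answer for {question!r} is shorter than {min_length}")
        if answer in seen:
            problems.append(f"answer for {question!r} reused from {seen[answer]!r}")
        seen[answer] = question
    return problems


if __name__ == "__main__":
    record = build_recovery_record("example-service.invalid", QUESTIONS)
    print(json.dumps(record, indent=2))
    print("problems:", check_record(record) or "none")
```

The audit function is the useful part when revisiting older accounts: running it over a record that still holds real answers such as a pet's name will flag them as too short, and a record where one answer was copied into every question will be flagged as reused.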

Replace with 2FA when possible

Two-factor authentication is far safer than security questions. If a service offers 2FA, use that first, and set up security questions only minimally when they're truly required.

Managing your answers

Because fake answers are hard to remember, you must record them. If you keep each answer safely in your password manager's notes or security-question field, you'll have no trouble during recovery.
