NEW: Microsoft Vulnerabilities Report 2022 - Read the Findings of Our Annual Report Read Now

  • Partners
  • Support
  • Careers
  • English
    • Deutsch
    • français
    • español
    • 한국어
    • português
BeyondTrust
  • Products

    Privileged Password Management

    Discover, manage, audit, and monitor privileged accounts and credentials.

    • Password Safe
    • DevOps Secrets Safe
    • Privileged Access Discovery Application

    Endpoint Privilege Management

    Enforce least privilege across Windows, Mac, Linux, and Unix endpoints.

    • Windows and Mac
    • Unix and Linux
    • Active Directory Bridge

    Secure Remote Access

    Centrally manage remote access for service desks, vendors, and operators.

    • Remote Support
    • Privileged Remote Access
    • Privileged Access Discovery Application

    Cloud Security Management

    Automate the management of identities and assets across your multicloud footprint.

    • Cloud Privilege Broker

    BeyondInsight

    Experience the industry’s most innovative, comprehensive platform for privileged access management.

  • Solutions

    Use Cases

    • Cloud Security
    • Compliance
    • Cyber Insurance
    • Digital Transformation
    • Endpoint Security
    • Operational Technology
    • Ransomware
    • Service Desk Efficiency
    • Zero Trust

    Industry Applications

    • Financial Services
    • Government Agencies
    • Healthcare
    • Law Enforcement
    • Manufacturing
    • Schools & Universities

    Solutions

    The BeyondTrust Privileged Access Management portfolio is an integrated solution that provides visibility and control over all privileged accounts and users.

  • Resources

    Learn

    • Blog
    • Customer Stories
    • Competitor Comparisons
    • Datasheets
    • Demos
    • Glossary
    • Podcast
    • Whitepapers

    Attend

    • Events
    • Go Beyond
    • Training
    • Webinars

    Support

    • Changelog
    • Professional Services
    • Technical Documentation

    Universal Privilege Management

    Our innovative Universal Privilege Management approach secures every user, asset, and session across your entire enterprise.

  • Company
    • About
    • Leadership
    • Core Values
    • Partners
    • Careers
  • Watch Demo
  • Contact Sales

Reused Security Questions can Pose a High Risk: Learn Tips & Tricks to Mitigate the Threat

June 5, 2020

  • Blog
  • Archive

Every individual who has online accounts to access services or applications invariably has had to establish answers to security questions. We logon to a new bank account, social media service, or check out our favorite online paid service, and we are required to enter responses to security questions. The purpose of these questions is to periodically re-affirm our identity, or to regain access if we forget our password, by providing our answers.

Here are examples of some common security questions:

  • In what city were you born?
  • What is the name of your favorite pet?
  • What is your mother's maiden name?
  • What high school did you attend?
  • What is the name of your first school?
  • What was the make of your first car?
  • What was your favorite food as a child?
  • Where did you meet your spouse?

Why Are Common Security Questions a Problem?

The problem with these security questions (and with our answers) is that they become a liability when the results are leaked online, such as through a data breach, or become public knowledge. Why? Because many (in fact, thousands) of sites potentially use identical security questions. The variation from site-to-site is low, and questions for each user frequently, and inevitably, overlap across their many accounts. This standardization of security questions creates a substantial, but unnecessary, risk.

The threat of re-used security questions is comparable to that of reusing passwords. Security pros, and end users, should know that they should never repeat a password across accounts. This is because, if one account is compromised, that password is out there in the wild attached to your credentials/identity and could be used for a future attack against any account you own that has the same credentials. When passwords are re-used across dozens of accounts, the compromise of just one account could potentially lead to the compromise of all of the other un-related accounts.

How Do I Make My Security Questions Stronger?

While we do usually have control over the passwords we choose, as individuals, we do not have the power to change the questions that these websites and services ask. However, we can answer these security questions in creative ways that make our accounts more secure and eliminates the threat of multiple accounts being compromised. Here is some basic guidance on how to accomplish this:

1. As much as is possible, do not select the same security questions across multiple sites. Keep your selections unique when the site allows you to pick your own questions. This will help limit the fallout and compromise of other accounts if the security question/answer is ever leaked. This is especially important for public figures whose history may be a part of public record or biographies posted on websites. For example, we all know the city our favorite musician or actor was born in, right?

2. Do not answer security questions in plain English (or your native language). That is what is expected, but it’s a security misstep. Treat your answers like passwords and introduce complexity in your response and its characters. For example, let’s say I was born in Little Rock, Arkansas. The security question for, “what city where you born in” would require the response, “Little Rock”. Now, add some password complexity. The new entry could therefore be, “L!ttl3 r0ck”. This answer is more difficult to guess or crack through automated tools and provides a simple layer of obfuscation to protect your security question responses. And, if anyone ever asks, you can honestly state that of course your mother’s maiden name does have numbers and symbols in it. Doesn’t yours?

3. In many instances, the best course of action is to provide fictitious information to these questions to keep them unique. You could use a personal password manager to populate the answer fields with password-like responses. Then, store each question and response in your password manager. For example, for an ecommerce site, you could create the entry “ecommercesite.com/question_birthcity” as the account and then enter a random, recommended password as the security response. This provides the secure storage you need in case of a password problem, while keeping your answers to same security question completely random and unique across sites and applications.

Why Mitigating Security Question Threat Is Important

Security questions were designed with the intent of strengthening identity validation for access to applications and websites, particularly in the case of a password issue or other fault. However, just as with password reuse, reusing security question and answer pairs across multiple sites has enabled threat actors to compromise many accounts associated with an identity. Typically, this requires a hacker to compromise a secondary application as well, like email or SMS texting, in order to pair a password reset with the knowledge of these security questions. Unfortunately, some websites and applications do not even go that far and knowledge of a security question answer is sufficient to compromise the account.

For IT and security professionals interested in a more rigorous and thorough examination of all the ways identities (corporate and personal) are at risk or under attack, and the best strategies for protecting them, check out: Identity Attack Vectors: Implementing an Effective Identity and Access Management Solution, a new book co-authored by Darran Rolls, CTO at SailPoint and myself. You can also watch our joint webinar on-demand: Deconstructing Identity as a Cyberattack Vector.

Photograph of Morey J. Haber

Morey J. Haber, Chief Security Officer, BeyondTrust

Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

You May Also Be Interested In:

Whitepapers

Microsoft Vulnerabilities Report 2022

Whitepapers

Cybersecurity Insurance Checklist

Whitepapers

Privileged Access Management: PAM Checklist

Keep up with BeyondTrust

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Customer Support
Contact Sales

Products

  • Endpoint Privilege Management
  • Password Management
  • Privileged Remote Access
  • DevOps Secrets Safe
  • Remote Support
  • Cloud Privilege Broker

Resources

  • Blog
  • Case Studies
  • Competitor Comparisons
  • Datasheets
  • Glossary
  • Podcast
  • Videos
  • Webcasts
  • Whitepapers

About

  • Company
  • Careers
  • Contact
  • Events
  • Leadership Team
  • Partner Program
  • Press
BeyondTrust Logo
  • Facebook
  • Twitter
  • LinkedIn
  • Privacy
  • Security
  • Manage Cookies
  • WEEE Compliance

Copyright © 1999 — 2022 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.