Secret Questions and Their Predictable Answers

What is your mother’s maiden name? What is the name of your favorite pet? In what city were you born? What is your favorite sports team?

You have likely been asked these questions before – and you willingly answer them without giving a thought to the security of your online accounts.

Many popular websites today use pre-defined “secret questions” to help users recover forgotten passwords or to restore an account that has been locked or expired. The idea behind the secret question is to provide an authentication mechanism to prove that the user is who she/he claims to be. The use of secret questions to manage password resets remains popular with website operators because it reduces the need for human resources (a.k.a. technical support personnel) to facilitate this task.

Though this low-friction solution to password resets is cheap and convenient for users, it also creates a significant security flaw: some of the often-used secret questions presented to users are almost trivially easy to guess or have answers that are easily searchable via any number of online channels. Consider a secret question such as, “What is your favorite color?” Statistically and practically speaking, the vast majority of users will choose from 9 or 10 colors (ROY G. BIV along with white and black). Few of us will choose “gamboge” or “fandango” as the answer. Other common secret questions (like the ones above) are equally flawed in their predictability.

Your trouble may compound if you are a user of social media, since you have increased the likelihood of publishing seemingly “uninteresting” facts about yourself for the world to see (where you live, work, go to school, like to eat, etc.). For the bad guys, those “uninteresting” facts may provide the keys necessary to facilitate account hijacking by guessing the answers to your secret questions.

So how can you protect yourself? Thankfully, many (but certainly not all) popular web sites have implemented new security controls to limit an attacker’s ability to compromise a user’s account (though these controls are not yet widely adopted by users since they add a layer of inconvenience).

At a minimum, you should consider making the answers to your secret questions as random as possible. If the secret question is “In what city were you born?” make the answer something like “banana.” It is also a good idea to have different answers to the same secret questions (do you use the same secret question for Facebook and your banking website?). Keeping track of random answers to easy-to-guess secret questions may be a challenge, but considering the risk to your personal or professional reputation, it may be worth the effort.
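To put numbers on the two points above (the small guess space of a question like “favorite color,” and the value of a random, per-site answer), here is a short added example; it is not code from the original article. The color distribution it uses is a constructed sample, not survey data, and the per-site answers it generates are meant to be stored in a password manager rather than memorized.

```python
import math
import secrets
import string

# Constructed sample: how 100 users might answer "What is your favorite color?"
# These counts are illustrative only, not measured data.
SAMPLE_COLOR_ANSWERS = {
    "blue": 35, "green": 15, "red": 12, "purple": 10, "black": 8,
    "orange": 6, "yellow": 5, "white": 4, "pink": 3, "indigo": 2,
}

ANSWER_ALPHABET = string.ascii_lowercase + string.digits


def answer_entropy_bits(answer_counts):
    """Shannon entropy (bits) of the answer distribution an attacker faces."""
    total = sum(answer_counts.values())
    return -sum((c / total) * math.log2(c / total)
                for c in answer_counts.values() if c > 0)


def guesses_to_cover(answer_counts, percent):
    """How many most-popular guesses are needed to break `percent` of accounts.
    Uses integer arithmetic so the threshold comparison is exact."""
    total = sum(answer_counts.values())
    cumulative = 0
    for guesses, count in enumerate(sorted(answer_counts.values(), reverse=True), 1):
        cumulative += count
        if cumulative * 100 >= percent * total:
            return guesses
    return len(answer_counts)


def random_answer(length=16, alphabet=ANSWER_ALPHABET):
    """A random, unrelated answer (the article's 'banana' idea, but unguessable)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_answer_bits(length=16, alphabet=ANSWER_ALPHABET):
    """Entropy of a uniformly random answer of the given length."""
    return length * math.log2(len(alphabet))


def per_site_answers(sites, question):
    """Distinct random answers for the same question on every site."""
    return {site: {question: random_answer()} for site in sites}


if __name__ == "__main__":
    print(f"favorite color entropy: {answer_entropy_bits(SAMPLE_COLOR_ANSWERS):.2f} bits")
    print(f"guesses to break half the accounts: {guesses_to_cover(SAMPLE_COLOR_ANSWERS, 50)}")
    print(f"random 16-char answer: {random_answer_bits():.1f} bits")
    for site, qa in per_site_answers(["bank", "social"], "favorite color").items():
        print(site, qa)
```

With the constructed sample, the attacker's first two guesses cover half the accounts and seven guesses cover ninety percent, against roughly 83 bits for a random 16-character answer; the exact figures depend on the real answer distribution, but the gap is the point.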

Users of will note that the site allows the user to create a unique secret question (versus a pre-defined list). This offers users an opportunity to get creative!