How secret are secret questions?

The secret questions and answers you use to recover an account should be secret, right? That might be harder to achieve than you think.

Mother’s maiden name? Where were you born? Name of your first pet? Everyone is familiar with these questions and no doubt you’re familiar with the answers. The problem is that all your friends, family and potentially anyone on your social media could be pretty familiar with those answers too. 

Google have endeavoured to analyse how secure and effective the secret question/secret answer system is, specifically when deployed on their own services. Read the full report here.

The problem is Facebook

A Facebook profile can be a treasure trove of information for the budding social engineer, and it can take very little effort to access, particularly if your privacy settings aren’t up to snuff. Of course the same could apply to any social profile, but Facebook generally features the most personal info.

Your DOB, your significant other’s name and DOB, where you live, where you have lived, your family and, by extension, their DOBs, addresses, maiden names, wedding anniversaries, etc.

Not only is it a treasure trove but, as you might have noticed, it contains the answers to a great many of the standard cookie cutter secret questions.

As a slightly tangential point: all those ‘fun’ Facebook quizzes that ask you for your mother’s maiden name, your first pet’s name and the road you grew up on, then spit out your superhero name? They may be perfectly innocent, but if you answer honestly you’re handing over the answers to some popular account recovery questions.

Remember, honesty isn’t a requirement: Facebook aren’t going to fact-check you and decline your secret answer if it isn’t the truth. So long as you can remember it, your mother’s maiden name could be Godzilla, or Yy5q$e4VSRFK.

Strong secret answers

Luckily Jake Moore, ESET Security Specialist, is here to give us some advice on how to develop strong, memorable and secure secret answers.

“Try wrapping the answer you would normally use in a code to obfuscate the answer: a simple formula which you can remember but which makes your secret answer very difficult to guess.

“An easy one could be the first and last letters of your mother’s name, so if the question is ‘what is your favourite colour’ and your answer is pink, and if your mother’s name is ‘Sarah’, then your answer would be spinkh: simple for you to remember but not easily guessed.”
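The two points above, that a secret answer is weak when it can be read off a social profile and that a wrapped answer like "spinkh" or a random string is not, can be turned into a policy check a service could run before accepting a recovery answer. The following is an added example, not code from ESET or from the Google report; the profile fields, the list of common answers and the six-character minimum are constructed assumptions for illustration:

```python
"""Secret-answer policy check: reject answers that are too short, that are
common enough to be guessed outright, or that can be derived from profile
data anyone viewing a social-media page could see."""
import re
import unicodedata

# Constructed sample of answers common enough that a guesser would try them first.
COMMON_ANSWERS = {"pink", "blue", "red", "london", "smith", "jones",
                  "max", "bella", "buddy", "password"}

# Constructed profile standing in for what a Facebook page might reveal.
PROFILE = {
    "name": "Alex Smith",
    "mother": "Sarah Jones",
    "birthday": "1990-04-12",
    "pet": "Max",
    "hometown": "Leeds",
}

MIN_LENGTH = 6  # assumed policy minimum after normalisation


def normalise(text):
    """Lower-case, strip accents and keep only letters and digits, so that
    'Sarah-Jones!' and 'sarahjones' compare equal."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return re.sub(r"[^a-z0-9]", "", text.lower())


def profile_tokens(profile):
    """Turn every visible profile field into normalised tokens: the whole
    value plus each word or date fragment of three or more characters."""
    tokens = set()
    for value in profile.values():
        value = str(value)
        for part in value.replace("-", " ").replace("/", " ").split():
            tok = normalise(part)
            if len(tok) >= 3:
                tokens.add(tok)
        whole = normalise(value)
        if len(whole) >= 3:
            tokens.add(whole)
    return tokens


def check_secret_answer(answer, profile):
    """Return (ok, reason); ok is False when the answer should be rejected."""
    norm = normalise(answer)
    if len(norm) < MIN_LENGTH:
        return (False, "too short")
    if norm in COMMON_ANSWERS:
        return (False, "common answer")
    for tok in profile_tokens(profile):
        # Reject answers that contain, or are contained in, any profile token.
        if tok in norm or norm in tok:
            return (False, "derivable from profile field containing %r" % tok)
    return (True, "ok")


if __name__ == "__main__":
    for candidate in ["Sarah Jones", "12/04/1990", "London", "spinkh", "Yy5q$e4VSRFK"]:
        print(candidate, "->", check_secret_answer(candidate, PROFILE))
```

The profile-token check is deliberately loose (substring in either direction) because a recovery answer is attacked by guessing, so false rejections cost the user a moment while false acceptances cost them the account.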

Alternatively, as Google and Jake suggest, companies and users could make use of one-time passwords or text alerts when resetting or recovering a password or username.

“OTPs, or one-time passwords, are a good general way of validating who you are. Of course it’s not foolproof, but it’s a lot better than just sending an email.”

Are you honest with your secret questions and answers? How many accounts do you protect with it? Let us know on Twitter or LinkedIn.
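To make the one-time password suggestion concrete, here is an added example of the server side of a recovery-code flow; it is not ESET or Google code. The service generates a short random code to deliver out of band, stores only a salted hash of it with an expiry and an attempt counter, and accepts it once. The code length, ten-minute lifetime and five-attempt limit are assumed policy values:

```python
"""Single-use recovery code store: the code is generated with a CSPRNG,
only its salted hash is kept, it expires, it is limited to a few guesses,
and it is discarded as soon as it is used."""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed code length
CODE_TTL_SECONDS = 600   # assumed lifetime: ten minutes
MAX_ATTEMPTS = 5         # assumed guess limit per issued code


class RecoveryCodeStore:
    def __init__(self, clock=time.time):
        # clock is injectable so expiry can be tested without sleeping
        self._clock = clock
        self._pending = {}  # account id -> {salt, digest, expires, attempts}

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode("utf-8")).digest()

    def issue(self, account_id):
        """Create a code for out-of-band delivery (SMS, e-mail, app) and
        remember only its salted hash. Re-issuing replaces any pending code."""
        code = "%0*d" % (CODE_DIGITS, secrets.randbelow(10 ** CODE_DIGITS))
        salt = secrets.token_bytes(16)
        self._pending[account_id] = {
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, account_id, submitted):
        """Return True exactly once for the right code within its lifetime."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[account_id]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[account_id]  # too many guesses: force re-issue
            return False
        ok = hmac.compare_digest(entry["digest"],
                                 self._digest(entry["salt"], submitted))
        if ok:
            del self._pending[account_id]  # single use
        return ok


if __name__ == "__main__":
    store = RecoveryCodeStore()
    code = store.issue("alice")
    print("deliver out of band:", code)
    print("wrong code accepted?", store.verify("alice", "000000" if code != "000000" else "111111"))
    print("right code accepted?", store.verify("alice", code))
    print("replay accepted?", store.verify("alice", code))
```

Storing only the hash means a leaked database does not hand out live recovery codes, and the constant-time comparison avoids leaking how many leading digits matched; the expiry and attempt cap are what keep a six-digit code from being brute-forced.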