How secret are Secret Questions and Answers?


When creating an account for almost any online service you are prompted to enter your desired username, password and often provide an answer to a secret question; usually for use in password recovery. How secure is this system?


Mother’s maiden name? Where were you born? Name of your first pet? We’re sure that everyone is familiar with this kind of question.

Google have endeavoured to analyse how secure and effective the Secret Question/Secret Answer system is, specifically when deployed on their services.

Their findings are quite interesting, if frankly not particularly surprising; you can read the full report here.


Q&A


The problem is Facebook. Not the service itself but the information that folks put all over it, and not specifically Facebook but any social network really.

A Facebook profile is a potential treasure trove of information, particularly if your privacy settings aren’t up to snuff.

Your DOB, your significant other’s name and DOB, where you live, where you have lived, your relations and subsequently their DOBs, addresses, maiden names, etc.

Not only is it a treasure trove but, as you might have noticed, it contains the answers to a great many of the standard cookie cutter ‘Secret Questions’.

As a slightly tangential point: all those ‘fun’ Facebook quizzes that ask you for your mother’s maiden name, first pet’s name and the road you grew up on and spit out your hero name or whatever? We’re not saying they could be harvesting that information, but maybe think twice. Or just lie!

Just lying isn’t necessarily a bad idea, so long as you have a system that is both easy to remember and secure, otherwise you risk falling into the trap of not knowing your Secret Answer when you need it.


Strong Secret Answers


Luckily Mark James, ESET security specialist, is on hand to give us some advice on how to develop strong, memorable and secure Secret Answers.

“As with any password or secret questions we need to be able to remember them, a lot of places use the same questions so having a formula to enable you to remember them is a good idea.

“Secret question answers are the easiest to work out in theory because the bad guys may already have a hint or clue on what it is going to be but that does not mean you need to make it easy for them.

“Remember that a simple formula for you is not a simple one for them, take your answer and wrap it in an easy to remember code.

“A very simple one could be the first and last letter of your mother’s name, so if the question is ‘what is your favourite colour’ and your answer is pink, and your mother’s name is ‘Sarah’, then your answer would be spinkh: simple for you to remember but not easily guessed.”

Alternatively, and as both Google and Mark suggest, companies and users could make use of one-time passwords or text alerts when resetting or recovering a password or username.

“OTPs, or one-time passwords, are a good general way of validating you are who you say you are; of course it’s not foolproof, but it’s a lot better than just sending an email.”


Join the ESET UK LinkedIn Group and stay up to date with the blog.

Have you ever forgotten a Secret Answer? Do you make use of OTPs or text alerts?