Security Questions FAQ + Tips – Case Sensitive? Exact? Truthful?

Funnily enough, security questions raise plenty of questions of their own.

They range from “are they case sensitive?” to “should we even use security questions at all?”.

I want to address people’s more common questions about security questions and give you some tips to make better security questions.

Are Security Questions Case Sensitive?

Most websites don’t use case-sensitive security questions.

This is because a security question is just another password, but one you don’t often use, so complicating it with uppercase and other characters can get confusing.

They don’t want you to be locked out because you answered “bluestreet” when they wanted “BlueStreet.” It’s the correct answer, but the wrong case is used.

Do Security Questions Allow Numbers And Special Characters?

A lot of services allow security questions with numbers and special characters.

A security question is nothing more than another password, and if you feel the need to add numbers or specials, you can for many websites.

Ideally, you shouldn’t make the security question too complicated or too hard to remember. However, if you do have problems remembering security questions, we’ll have suggestions on what to do further down in this article.

Do Security Questions Have To Be Exact Or Truthful?

A security question’s answer should be clear and exact but doesn’t need to be truthful.

If the security question is “What is your mother’s maiden name,” and you use “PurpleFlamingo,” as that is what comes to mind, then that is fine. The actual answer doesn’t need to be your mother’s real maiden name; if anything, it’s best you don’t use a factual answer.

Since it’s best to use fake answers for security questions, you may be wondering how you can remember all of them. Let me show you that trick next.

How To Remember Security Questions?

The best way to remember security questions is not to remember them.

Instead, use a password manager to remember them for you. This way, you only need to remember one master password to the password manager.

If you don’t want to use a password manager you can always get a password book (Ad).

Password managers can be used for more than storing passwords. For example, security questions and other secret information can be stored in them.

You need to make sure you use a good master password; we show you how to do that here.

As for what password manager you use, it doesn’t matter; most of the top-recommended ones are fine. If you want a general recommendation for a free one, I suggest Bitwarden for most people.

If you don’t trust password managers or fear the “all your eggs in one basket” problem, then let me suggest peppering your important passwords. With peppering, even if someone got into your password manager, they would not know the full password. There is no good reason not to use a password manager these days, especially with all the things you can use it for.

Are Security Questions Stored In Plaintext?

It’s best to assume your security questions are stored in plaintext.

A few services hash the answer, sometimes storing hashes of several normalized variants (different casing or spacing) so a near-match still works, but this is not common.

Many services will not hash your security questions at all and will keep them in plaintext that any support staff can read. They do this to reduce lockouts: a support agent can accept an answer that is mostly right but differs in case or spelling.

Because of this, you shouldn’t answer security questions truthfully and especially don’t use your common passwords as the answer either.

Even if the security question answers are hashed, they’re most likely not hashed with a slow, salted password hash. And since security questions are often single-word answers, a dictionary of likely answers cracks the hash quickly regardless. This is why it’s best to assume they’re not hashed at all, and why it’s important to use fake answers that you keep in your password manager.
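How a service could do this properly, as an added example that is not from the original article: normalize the answer once (so case and spacing differences don’t lock users out, with no need to hash many variants), hash it with a salted, memory-hard function, and reject answers that are too short or too common to survive a dictionary attack. The scrypt cost parameters and the blocklist are assumptions.

```python
import hashlib
import hmac
import re
import secrets
import unicodedata

# Assumed scrypt cost parameters (about 16 MiB per hash); tune for your servers.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

# Constructed list of answers seen far too often; a real deployment would
# use a much larger blocklist.
COMMON_ANSWERS = {"smith", "johnson", "fluffy", "max", "password", "newyork"}


def normalize(answer: str) -> str:
    """Canonicalise an answer so 'Blue Street', 'bluestreet' and 'BLUE-STREET'
    all compare equal: Unicode NFKC, casefold, then drop everything that is
    not a letter or digit. Normalising here means only one hash is stored."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"[\W_]+", "", text)


def answer_is_weak(answer: str, min_length: int = 8) -> bool:
    """True for answers on the blocklist or too short to resist a dictionary
    of common answers, which hashing alone does not fix."""
    canon = normalize(answer)
    return len(canon) < min_length or canon in COMMON_ANSWERS


def _derive(canon: str, salt: bytes) -> bytes:
    return hashlib.scrypt(canon.encode("utf-8"), salt=salt, n=SCRYPT_N,
                          r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def store_answer(answer: str) -> dict:
    """Record to persist instead of the plaintext answer: a random per-answer
    salt plus the scrypt hash of the normalised answer."""
    salt = secrets.token_bytes(16)
    return {"salt": salt.hex(), "hash": _derive(normalize(answer), salt).hex()}


def verify_answer(record: dict, candidate: str) -> bool:
    """Normalise the candidate the same way and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    return hmac.compare_digest(_derive(normalize(candidate), salt), expected)


if __name__ == "__main__":
    rec = store_answer("Blue Street")
    print(rec)
    print(verify_answer(rec, "bluestreet"), verify_answer(rec, "Red Street"))
```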

Should Websites Stop Using Security Questions?

Ideally, websites should stop using security questions, but the reality is that they’ll be here for years to come.

Security questions work “good enough” for many users and services, so there will be no rush to eliminate them.

What we can do is live with this fact but also improve the security of security questions. We improve security questions by using a password manager to store random answers.

There is a right and a wrong way to pick security question answers; let’s go over that next.

How To Pick Good Security Question Answers?

I do see many people who get a password manager to store their security questions but pick the wrong answers.

They often pick random passwords like “bXgun+Pe=YfEKj*?>Sfd”.

While this is very secure, the problem is that if you ever have to read this security question answer to someone over the phone, you will have great difficulty.

Instead, I suggest using the passphrase generator in your password manager to create phrases. Three random words from your password manager’s passphrase generator are acceptable.

Here are a few examples…

  • entangled-huskiness-agreeable
  • cornearelenting2
  • jumble1900

I tend to make it into a game to make funny answers depending on the question.

So if the security question was “What high school did you go to” I might pick “repeated disaster high”.
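To show what such an answer is worth, here is an added example (not from the original article) that builds word-based answers the way a password manager’s passphrase generator does and works out their entropy against the random 20-character password above. The ten-word list is constructed for the demo; the 7776-word size in the test is that of a typical diceware-style list.

```python
import math
import secrets

# Constructed sample wordlist standing in for a password manager's passphrase
# dictionary; real lists are far larger (the EFF long list has 7776 words).
SAMPLE_WORDS = ["entangled", "huskiness", "agreeable", "cornea", "relenting",
                "jumble", "repeated", "disaster", "flamingo", "purple"]


def generate_answer(n_words: int = 3, wordlist=SAMPLE_WORDS, sep: str = "-",
                    add_digit: bool = False) -> str:
    """Pick n_words words with a CSPRNG (never random.choice for secrets) and
    optionally append one random digit, giving an answer that is easy to
    read out over the phone."""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    answer = sep.join(words)
    if add_digit:
        answer += str(secrets.randbelow(10))
    return answer


def answer_bits(n_words: int, wordlist_size: int, add_digit: bool = False) -> float:
    """Entropy of an answer built that way: each word contributes
    log2(wordlist_size) bits, a trailing digit log2(10) bits."""
    bits = n_words * math.log2(wordlist_size)
    if add_digit:
        bits += math.log2(10)
    return bits


def random_password_bits(length: int, alphabet_size: int = 94) -> float:
    """Entropy of a fully random password over printable ASCII (94 symbols)."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words from the list that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    print(generate_answer(3), generate_answer(2, add_digit=True))
    print(f"3 words / 7776-word list: {answer_bits(3, 7776):.1f} bits")
    print(f"20 random chars:           {random_password_bits(20):.1f} bits")
    print("words to match 20 chars:  ", words_needed(random_password_bits(20), 7776))
```

Three words from a large list give roughly 39 bits, far less than the 131 bits of the random string but still well beyond what an online reset form with rate limiting allows an attacker to try; if the service stores answers in plaintext or with a weak hash, as the earlier section warns, that gap is one more reason to make the answer unique per service.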

Should You Avoid Security Questions?

If the service allows you to use something else besides security questions, then go for that something else.

If you’re forced to use security questions then I suggest you pick wrong answers that are created by your password manager. Then store those wrong answers neatly in your password manager for safekeeping.

Can Security Questions Be Hacked?

Security questions are just as safe as passwords and, in some situations, less secure if they’re not hashed.

Security questions should be treated like passwords that you may have to read out over the phone.

This means sticking with passphrases as answers and using a unique security question answer for every service. So if one service is breached, it won’t lead to other accounts being affected too.

The scary part is that security questions can be more important than the actual password for that account, as they can be used to reset your password. It’s one of the reasons why so many services are moving away from security questions and going with more secure options.
