How to make security questions more secure

When you create a password, you might write it down, store it in a password manager or memorise it. Sometimes, however, things go wrong: you find yourself without access to your password manager, you lose the paper on which you recorded your passwords, you forget a password you thought you’d memorised, or you remember it incorrectly too many times and get locked out of the account. 

In such cases, online services need a secondary way of granting you access to your account or your data. Sometimes, the provider lets you click a link to have your existing password, a new password or password-reset instructions sent to the email address you have on file. But if those mechanisms seem too insecure, the site may ask you to respond to some questions for which you’ve previously provided the answers.

Unfortunately, password-reset messages and verification questions come with their own problems and risks. You can reduce your chances of being hacked – or of being unable to respond correctly to one of these questions – with these tips.

Prevent Password-Reset Mischief

Of all your passwords, the one for your email account may be the most valuable. That’s because whoever has access to your email account can read and click links included in any password-reset messages you receive (such as when you click an ‘I Forgot My Password’ link). A hacker who has guessed or stolen just that one password can unlock many of your other accounts and do all sorts of damage. You can, however, limit your risk here in a couple of ways.

Set Up a Dedicated Password-Reset Account

Consider setting up a new email account for yourself (using a free service such as Gmail) with an address that you’ll never share or post publicly. Use this account only when you’re prompted to supply an email address for the purpose of verifying or resetting a password. That way, even if someone hacks your main email account, your other accounts will be safe.

Take Extra Care With Your Email Account Password

Choose an especially secure password for your email account. Set your email client to communicate securely with the mail server – using Secure Sockets Layer (SSL) protocols, for example – so your password never travels over the air unencrypted. In Apple’s Mail, select Mail → Preferences, click Accounts, choose an email account from the list, and click Advanced. There you’ll see the option Use SSL.

Change the security questions and answers for your Apple ID to make your account as secure as possible.

Question the Questions

Security questions are supposed to have answers that you’ll remember, but that most other people won’t be able to guess. Unfortunately, most of the questions you’ll see aren’t secure at all.

Your mother’s maiden name, for example, is a matter of public record; and if you ever wrote a Facebook post about your first pet, that’s in the public domain, too. Some questions could have multiple answers. Where did you meet your partner? It could be either in London or at Wembley Stadium.

Devise Memorable Lies

To address such problems, lie. And don’t just lie, but come up with one or more answers that follow the same rules as other passwords, to prevent guessability; use either a reasonably long (but memorable) phrase or a series of random characters. So, what was the name of my first pet? Why, it was bookends-qualitative. My mother’s maiden name? Her dad was Mr. E27jrdU!8. It doesn’t matter what answers you give, as long as you and only you know what they are.

One security expert uses the same pseudo-random answer everywhere, although some companies require you to give different answers to each of several questions – meaning you have even more password-like data to keep track of. Of course, you can write down your answers or store them in a password manager, but then the same problems that stop you from accessing your password could stop you from accessing your security answers.

You might make up a little story for yourself about fictional parents, cars and pets that you can then draw on when asked for security answers on different sites. 

Keep Answers Phone-Friendly

Remember you could wind up in a situation where you have to supply these answers over the phone. Both you and the person on the other end will have an easier time coping with a series of words than random characters.
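The two pieces of advice above (answers that follow password rules, but are made of words you can read out over the phone) can be combined in a small generator. The following is an added example, not code from the article; the word list is a constructed sample standing in for a large published list, and the pool sizes used in the comparison are assumptions.

```python
import math
import secrets

# Constructed sample word list so the example runs offline. In practice draw
# from a large published list (a Diceware-style list has 7,776 words); a
# longer list means more guesses per word for an attacker.
SAMPLE_WORDS = [
    "bookends", "qualitative", "harbour", "lantern", "pebble", "violin",
    "meadow", "copper", "saffron", "glacier", "thimble", "orchard",
    "kestrel", "marble", "tundra", "velvet", "anchor", "blossom",
    "cobalt", "dapple", "ember", "fjord", "granite", "hazel",
]


def entropy_bits(list_size: int, word_count: int) -> float:
    """Bits of guessing entropy for word_count words drawn uniformly from list_size."""
    return word_count * math.log2(list_size)


def generate_answer(words, word_count: int = 2, sep: str = "-") -> str:
    """Build a phone-friendly fake security answer from randomly chosen words.

    secrets.choice uses the operating system's CSPRNG, so the answer is as
    unguessable as the word list and word count allow, while plain lowercase
    words remain easy to spell aloud to a support agent.
    """
    if word_count < 1 or len(words) < 2:
        raise ValueError("need at least one word from a list of two or more")
    return sep.join(secrets.choice(words) for _ in range(word_count))


def is_phone_friendly(answer: str, sep: str = "-") -> bool:
    """True when the answer is only lowercase words joined by the separator."""
    parts = answer.split(sep)
    return bool(parts) and all(p.isalpha() and p.islower() for p in parts)


def compare(truthful_pool: int, list_size: int, word_count: int) -> dict:
    """Contrast a truthful answer that an attacker could pick from a small
    pool of likely values (assumed size, e.g. common pet names) with a
    random multi-word lie drawn from list_size words."""
    return {
        "truthful_bits": math.log2(truthful_pool),
        "lie_bits": entropy_bits(list_size, word_count),
    }


if __name__ == "__main__":
    answer = generate_answer(SAMPLE_WORDS)
    print(answer, "phone-friendly:", is_phone_friendly(answer))
    # Assumed pool of 1,000 likely truthful answers vs. two Diceware-sized words.
    print(compare(truthful_pool=1000, list_size=7776, word_count=2))
```

Two words from a 7,776-word list give about 26 bits, far more than a guessable real answer, but still less than a random string such as the nine-character example in the text; add words if the service allows long answers.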

Update Your Apple Info

To change the questions or answers for an Apple ID (which you use for iCloud, for example), go to the Apple ID page (appleid.apple.com), click Manage your Apple ID, enter your username and password, and click Sign in. On the left, choose Password and Security. Answer your existing security questions, and click Continue. Then you can choose new questions and answers. Click Save.

Update Your Google Info

If you have a Google account, log in as you normally would. Click the gear icon located in the upper-right corner of the window and choose Settings from the pop-up menu. Click Accounts and Import, followed by Change password recovery options. Under Security question, click Edit. Choose one of the existing questions or write your own, and fill in your answer. If you also want to change your secondary address, click the Edit link in the ‘Recovery email address’ section and fill in the new address. Then click Save.


Joe Kissell is a senior contributor for Macworld; he’s also the senior editor of TidBits