A Word About “Security Questions”

Be aware of the “security questions” (such as “What is your mother’s maiden name?” or "What was your first pet's name?") that websites use to confirm your identity if you do forget your password. Honest answers to many security questions are publicly discoverable facts that a determined adversary can easily find, and therefore bypass your password entirely. For instance, US vice-presidential candidate Sarah Palin had her Yahoo! account hacked this way. Instead, give fictional answers that, like your password, no one knows but you. For example, if the password question asks you your pet’s name, you may have posted photos to photo sharing sites with captions such as “Here is a photo of my cute cat, Spot!” Instead of using “Spot” as your password recovery answer, you might choose “Rumplestiltskin.” Do not use the same passwords or security question answers for multiple accounts on different websites or services. You should store your fictional answers in your password safe, too.

Think of sites where you’ve used security questions. Consider checking your settings and changing your responses.

You can usually reset your passwords by asking services to send you a password recovery email to your registered email address. For that reason, you may want to memorize the passphrase to this email account also. If you do that, then you will have a way of resetting passwords without depending on your password safe.