Best Practices for Choosing Account Recovery Questions

— Written By

For the majority of your online accounts, you can recover a forgotten password with a simple click of a button. Oftentimes a new password (or link to create one) will be emailed to you within seconds. This is extremely convenient when you’ve forgotten your login credentials. However, it’s also extremely convenient for anyone who’s already gained access to your computer, phone or email and wants to change your password to something only they know (but don’t know the current password). Because of this vulnerability, many online organizations are beginning to harden the process users must go through to recover access to their accounts. One of the more common approaches to making the account recovery process more secure is to add an intermediate layer of questions, often referred to as “Account Recovery Questions” or “Secret Questions” (which are chosen or created by the user ahead of time) to prevent a would-be attacker from simply using a button to reset your account’s password.

Not all questions are as safe as they seem

Many organizations will offer a pre-selected set of questions for you to choose from (and provide answers for), such as:

  1. What’s your mother’s maiden name?
  2. What street did you grow up on?
  3. What high school did you go to?
  4. What’s your favorite NFL team?
  5. What was my first car?

The best account recovery protocols will actually let you write your own questions, but in instances such as these where you are presented with a list, you should always ask yourself, which questions would someone be able to guess easily or look-up about me? The fourth question, for instance, is extremely poor. There are only 32 teams in the NFL, and thus only 32 possible answers. A quick search on LinkedIn, Facebook, or Google search may reveal the city/state you currently reside in, and hence narrow the likely guesses for your favorite NFL team down to a few local choices. Even the second question, “What street did you grow up on?” could be easily guessed/narrowed or obtained from a simple real estate records search (real estate records are public records). Many DMV/property tax records are online too, so even “What was my first car?” may not be safe.

Avoid using questions that can be answered with a number

Questions that begin with “How many times … ” or “What year did you …” or “How old were you when … ” are always answered with a specific number, and many of those numbers have logical or rational ranges associated with them (especially “What year did you graduate high school?” – just knowing your age would give me a good guess), so you should avoid using number-driven questions at all costs.

What makes a good account recovery question?

Ideally you want to write (or choose) a question that nobody else would ever be able to find the answer to in a Google search, public records search, in a picture online, or on any of your social media accounts. It should be something you’re unlikely to forget and something that could take an infinite number of guesses to get right (i.e. “What’s my favorite color?” … doesn’t have an infinite amount choices for an attacker to guess).

Examples of good account recovery questions?

  • What’s the name of your grandma’s cat? (Unless, of course, your grandma has created an Instagram account for the cat and posts pictures of it daily)
  • What’s the first book you read?
  • What’s your best friend’s middle name? (Middle names are much harder to find, and they would also need some insight as to who you consider your best friend)
  • What was the last name of your least favorite college professor?
  • My high school track coach nicknamed me ________ ?

In early March 2017, NC State will be upgrading it’s Identity Management system and you will have the ability to write your own account recovery questions and answers to help protect your account. You can actually set them up right now (using the link below), but you’ll have to re-do them after the upgrade, so it may just be best to wait.

Set up your NC State Account Recovery Questions: