Best Practices for Choosing Account Recovery Questions

— Written By Mike Vysocka

For the majority of your online accounts, you can recover a forgotten password with a simple click of a button. Oftentimes a new password (or a link to create one) will be emailed to you within seconds. This is extremely convenient when you’ve forgotten your login credentials. However, it’s also extremely convenient for anyone who has already gained access to your computer, phone or email and wants to reset your password to something only they know, without ever learning your current password. Because of this weakness, many online organizations are beginning to harden the process users must go through to recover access to their accounts. One of the more common approaches to making account recovery more secure is to add an intermediate layer of questions, often referred to as “Account Recovery Questions” or “Secret Questions” (chosen or written by the user ahead of time), so that a would-be attacker cannot reset your account’s password simply by clicking a button.

Not all questions are as safe as they seem

Many organizations will offer a pre-selected set of questions for you to choose from (and provide answers for), such as:

  1. What’s your mother’s maiden name?
  2. What street did you grow up on?
  3. What high school did you go to?
  4. What’s your favorite NFL team?
  5. What was my first car?

The best account recovery protocols will actually let you write your own questions, but in instances such as these, where you are presented with a list, you should always ask yourself: which of these questions could someone easily guess, or look up about me? The fourth question, for instance, is extremely poor. There are only 32 teams in the NFL, and thus only 32 possible answers. A quick search on LinkedIn, Facebook, or Google may reveal the city/state you currently reside in, and hence narrow the likely guesses for your favorite NFL team down to a few local choices. Even the second question, “What street did you grow up on?”, could be easily guessed or narrowed down, or obtained from a simple real estate records search (real estate records are public records). Many DMV/property tax records are online too, so even “What was my first car?” may not be safe.

Avoid using questions that can be answered with a number

Questions that begin with “How many times … ” or “What year did you …” or “How old were you when … ” are always answered with a specific number, and many of those numbers have logical or rational ranges associated with them (especially “What year did you graduate high school?” – just knowing your age would give me a good guess), so you should avoid using number-driven questions at all costs.

What makes a good account recovery question?

Ideally you want to write (or choose) a question whose answer nobody else could ever find in a Google search, a public records search, a picture online, or any of your social media accounts. It should be something you’re unlikely to forget and something that could take an effectively unlimited number of guesses to get right (“What’s my favorite color?”, for example, gives an attacker only a small number of choices to guess).

Examples of good account recovery questions

  • What’s the name of your grandma’s cat? (Unless, of course, your grandma has created an Instagram account for the cat and posts pictures of it daily)
  • What’s the first book you read?
  • What’s your best friend’s middle name? (Middle names are much harder to find, and they would also need some insight as to who you consider your best friend)
  • What was the last name of your least favorite college professor?
  • My high school track coach nicknamed me ________ ?
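The rules above (small fixed answer sets, number-driven questions, and open-ended questions) can be turned into a simple screening heuristic. The following Python is an added illustration, not part of the original article or NC State's system; the NFL count of 32 is the article's own figure, while the other category sizes, the numeric guess ranges and the minimum answer length are constructed assumptions.

```python
import re
from math import log2

# Constructed category sizes for illustration. The NFL count (32) is the
# article's own figure; the other sizes are rough assumptions, not data.
SMALL_SETS = {
    "nfl team": 32,
    "color": 16,
    "colour": 16,
    "month": 12,
    "day of the week": 7,
}

# Number-driven phrasings the article warns about, paired with a constructed
# guess-list size: an attacker tries the plausible range, not every integer.
NUMERIC_HINTS = [
    (r"\bhow many\b", 100),
    (r"\b(what|which) year\b", 120),  # years within one human lifetime
    (r"\bhow old\b", 120),
]

def classify(question: str, answer: str):
    """Return (category, approx_guesses, bits) where category is 'small_set',
    'numeric' or 'open'. The guess count bounds an attacker's list for the
    first two; for open-ended questions this heuristic cannot bound it."""
    q = question.lower()
    for key, size in SMALL_SETS.items():
        if key in q:
            return ("small_set", size, round(log2(size), 1))
    for pattern, size in NUMERIC_HINTS:
        if re.search(pattern, q):
            return ("numeric", size, round(log2(size), 1))
    digits = answer.strip()
    if digits.isdigit():  # e.g. a model year given for "What was my first car?"
        space = 10 ** len(digits)
        return ("numeric", space, round(log2(space), 1))
    return ("open", None, None)

def is_acceptable(question: str, answer: str) -> bool:
    """Accept only open-ended questions whose answer is not a bare number and
    is long enough to rule out throwaway answers (constructed minimum of 4)."""
    category, _, _ = classify(question, answer)
    return category == "open" and len(answer.strip()) >= 4
```

The heuristic only catches the structural weaknesses the article names; it cannot tell whether an open-ended answer is discoverable online, which remains a judgement call for the user.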

In early March 2017, NC State will be upgrading its Identity Management system, and you will have the ability to write your own account recovery questions and answers to help protect your account. You can actually set them up right now (using the link below), but you’ll have to redo them after the upgrade, so it may be best to wait.

Set up your NC State Account Recovery Questions: