A Better Approach to Password Reset Questions

Remem­ber when Sarah Palin’s email account was hacked in late 2008? Here’s what Wired said about it:

…the Palin hack didn’t require any real skill. Instead, the hack­er sim­ply reset Palin’s pass­word using her birth­date, ZIP code and infor­ma­tion about where she met her spouse — the secu­ri­ty ques­tion on her Yahoo account, which was answered (Wasil­la High) by a sim­ple Google search.

It’s far too easy to lose con­trol of your accounts due to weak answers to “secu­ri­ty ques­tions”. In a recent study, 17% of the par­tic­i­pants were able to guess answers to the “secret ques­tions” of peo­ple they knew noth­ing about.


Here’s how I respond to these ques­tions now. Pass­word resets are typ­i­cal­ly han­dled auto­mat­i­cal­ly via email or by talk­ing with a per­son over the phone. So set up a strong sys­tem that will work well in either case.

First, get 1Password (or a sim­i­lar pass­word man­ag­er) to secure­ly store and retrieve the ques­tions and your answers. This elim­i­nates the need to use eas­i­ly remem­bered (and eas­i­ly guessed) answers about your­self. For each entry in your pass­word data­base, just put the ques­tions and answers the Notes field (or use cus­tom fields):


Next, cre­ate an email account just for sup­port­ing pass­word resets. This will great­ly reduce the risk of some­one reset­ting your pass­word and inter­cept­ing the tem­po­rary new one. Here are some tips:

  1. Make sure the user name is not obvi­ous­ly con­nect­ed to you but is easy to say over the phone in case you ever have to do that. Exam­ple: xa939@yahoo.com
  2. Chose a free email provider dif­fer­ent from what­ev­er you use now. Wikipedia has a con­cise list of providers you can browse.
  3. Beware: Many email providers will dis­able and delete your account if there is no use after as lit­tle as 30 days. Set a reminder on your cal­en­dar to login 3 or 4 times per year.

Final tips:

  1. Make the answers eas­i­ly pro­nounce­able so you don’t con­fuse the poor cus­tomer ser­vice rep. Avoid using words that are dif­fi­cult to spell.
  2. When choos­ing answers, try to be as ran­dom as prac­ti­cal. You can use a word gen­er­a­tor to choose from sev­er­al thou­sand words.
  3. For great­est effi­cien­cy, use words that are easy to say clear­ly over the phone. I like the Pret­ty Good Pri­va­cy (PGP) word list.

Don’t for­get to change the ques­tions at web sites where you’ve already answered! Next week, I’ll cov­er Google Authen­ti­ca­tor.

Ques­tions for you: Can you see your­self using stronger answers to pass­word reset ques­tions? Why not?

Please note: I reserve the right to delete comments that are offensive or off-topic.