Unlock Safety: The Smart Guide to Using Password Hints and Security Questions

When security questions and password hints are required for your accounts, you might not be filling them out wisely. To best protect your account security, you shouldn’t be truthful in these fields.

Understanding Password Hints vs. Security Questions

While these two account security features sound similar, they’re not the same.

Password hints are just that—a small tip to help you recall a password you’ve forgotten. These are available to anyone who can reach the prompt to enter your password, meaning they shouldn’t be too revealing. Depending on the service, your hint might only appear after you enter an incorrect password several times, or become visible by clicking a button on others.

While password hints aren’t as common as they used to be, some online services still use them. macOS includes a password hint option , similar to Windows 11 (although this applies only when using a local account).

Security questions, meanwhile, are a layer of security used as a form of two-step authentication, or to verify your identity when you get locked out of your account. When logging in on an unfamiliar browser or recovering your account, you might need to confirm the answer to one or several questions.

Initially, you might feel inclined to respond truthfully for both choices; however, this approach isn’t advisable from a security perspective. Regardless of whether you're compelled to fill out these sections or choose to do so voluntarily, there are more secure methods available for utilizing these areas.

Utilize Random Passphrases for Security Queries

The issues related to security questions are thoroughly documented. Since these questions often inquire about readily accessible data, it becomes simple for individuals with harmful intentions to obtain the answers.

The details about your mother’s birth surname, her preferred hue, and the road where you spent your childhood years can often be uncovered through some digging into social media profiles and publicly available documents. Moreover, certain security queries come with a restricted set of potential responses; for example, there are merely a handful of favored colors people might choose from.

Therefore, the most effective approach when using security questions is to provide fictitious responses. However, avoid giving an incorrect answer that could still logically fit and hence be easily guessed. Rather, consider each security question as an additional password input and opt for a randomly generated passphrase that is exceedingly difficult to predict.

For instance, instead of fabricating that your mother’s maiden name is "Griswold," you might respond with "Gratifying Lambasted Narwhals." This response has nothing to do with the query yet is exceptionally difficult to guess. Additionally, it remains easy for you to recall—a crucial aspect. benefits passphrases offer over passwords .

Some companies will have you answer your security questions for verification when you call. Avoid using symbols and phrases you can’t easily pronounce to avoid an awkward situation on the phone.

Keeping Your Security Question Answers Safe

Preferably, you ought to keep these fabricated responses in a password manager to avoid memorizing them. Utilizing a password manager is crucial for your cybersecurity from multiple angles, such as this one. Should you not have strengthened your passwords for better security If you haven’t used a password manager yet, this is the most beneficial action you can take.

Based on your password manager, there could be a particular feature for handling security questions. If this isn’t available, utilize the Notes area designated for that website (this feature is provided by all password managers). When you sign in, you simply need to copy and paste your passcodes.

Ensure you mark which responses correspond to each question, as secure security answer questions lack any inherent context!

Create Password Clues That Are Significant Only to You

Password clues should not make it easy for someone to figure out your password. The simplest approach to ensure this is to utilize a password manager for all your passwords and simply set your clue to read “password manager.”

By committing a robust master password to memory for your password manager, you won't need to be concerned about remembering other passwords' hints. Avoid mentioning the specific password manager you utilize, since doing so narrows down the list of applications an unauthorized user might attempt to crack using your email address.

If you aren’t using a password manager for some reason, password hints are trickier to use safely. Generally, if your password is simple enough that you can describe it with a hint (such as “childhood school plus dog name”), then it’s too weak.

A better setup is to use a passphrase pattern that has non-obvious meaning. You might choose every second word of a song, the middle five words of a quote, or similar—the more obscure, the better. Then your password hint could be something like “best quote” to spark your mind without giving it away.

For the most important passwords, like your password manager’s master password, you could consider a physical backup copy. Then the hint can provide a clue to where it’s safe at home (“in the middle of the last book you read”, for example).

Should You Use Either Option?

The aforementioned guidance is helpful for accounts that require you to use security questions or a password hint. However, whenever feasible, you ought to opt out of these features or disable them altogether. Each alternate two-factor authentication technique is better. For security questions, it’s far more advisable to use an authentication app.

It can be beneficial to review your accounts and disable security questions if possible, or update your responses to strengthen them. This step is particularly important for older accounts, which are often set up with less secure options like security questions.

A particularly unpleasant scenario involves security questions when you're restricted to using a dropdown menu (United Airlines exemplifies this issue). In such cases, honesty isn’t always the best policy. Instead, choose questions for which only you possess the answers, avoiding ones that can be readily addressed with publicly available information.

Examining United’s security queries, for instance: preferring a query about your favorite sea creature over one regarding the month your best friend was born makes sense, particularly when fabricating an answer. With merely twelve months available versus numerous types of marine life—and considering you're less prone to publicly share details like this—the former option proves more secure.

All aspects of authentication become more robust when they involve randomness. This applies equally to security questions and password hints. If these elements are mandatory, create unpredictable responses that you can securely save using a password management tool. Furthermore, whenever possible, disable these features and opt instead for a more secure two-factor authentication technique.