Security tip: do not answer security questions correctly


When you create an account on a website, an online service or a local app, you are often asked to pick a security question and answer as a recovery option. It is basically a fail-safe mechanism that gives you another way to restore your account if you have forgotten or misplaced your account password.

Windows users who choose to password-protect their account during creation also need to add a so-called password hint to the account, which is meant to aid them in recovering it. Anyone with local access to the PC who enters an incorrect password once is shown the password hint, which may help them recover the account.

So, if you enter the wrong password and get a hint that says “my favorite color” or “my wife’s middle name”, you may be able to use that information to remember the password. But you should not use hints like these, and the reason is simple: trying out all popular colors as your account password, or finding out your wife’s middle name, helps attackers greatly when they try to break into your user account.

via XKCD

Even if you select a very personal question, like the name of your first dog, the place you met your husband or the ID of your driver’s license, you give up valuable information that an attacker can use to narrow down the set of passwords worth trying and skip the rest entirely.

To make matters worse, security questions are often stored less securely than passwords on web servers or in the operating system, which makes it easier for attackers to get hold of them.

What you should do instead is pick a password hint, or an answer to a security question, that has nothing to do with the account password.

Whenever I have to fill out a security question, I pick a random one and use KeePass to generate a new password that I add as the answer. My favorite color would be 2xMq2xRG1DbmLVG6to, my driver’s ID jo45GmKveDoz1XPWcv and my mother’s maiden name eXT90ZMUp9afAx7kNU. I do save that information as a note in KeePass so that I have it available if the need arises. The reason why I select random characters as the password hint or as the answer to the security question should be obvious: it gives away no clue as to what my password may be, so attackers can’t exploit the information to gain access to the account.

You could obviously use a different system, for instance always using the same password hint such as New York, Password, or even Haha, which should not give anyone a clue to recover the password from the hint. And you can naturally use other password managers, LastPass for instance, to generate those random strings.
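The approach described above, as an added example that is not part of the original post: a small Python script that generates a cryptographically random answer for each security question (the same thing the post does with KeePass's generator), pairs the questions with their answers so they can be pasted into the password manager's notes field, and puts numbers on why this matters by comparing the entropy of a guessable answer (a favorite color picked from a short list) with that of an 18-character random one. The question list and the pool size of 20 common colors are constructed sample values, not figures from the post.

```python
import math
import secrets
import string

# Alphabet for generated answers: letters and digits only, so the answer
# survives sites that reject punctuation in security-question fields.
ALPHABET = string.ascii_letters + string.digits


def random_answer(length: int = 18) -> str:
    """Return a cryptographically random answer of the given length.

    This mirrors what the post does with KeePass's password generator: the
    answer is unrelated both to the real password and to the question asked.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def guessable_bits(candidate_count: int) -> float:
    """Entropy in bits of an answer drawn from a small pool of likely values,
    e.g. the handful of colors most people name as their favorite."""
    return math.log2(candidate_count)


def random_bits(length: int = 18, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random answer over ALPHABET."""
    return length * math.log2(alphabet_size)


def build_recovery_note(questions: list[str], length: int = 18) -> dict[str, str]:
    """Pair every security question with a fresh random answer.

    The returned mapping is what you would store in the password manager's
    notes field for the account, as the post describes doing in KeePass.
    """
    return {question: random_answer(length) for question in questions}


if __name__ == "__main__":
    # Constructed sample: the kinds of questions the post mentions.
    questions = ["favorite color", "driver's license ID", "mother's maiden name"]
    note = build_recovery_note(questions)
    for question, answer in note.items():
        print(f"{question}: {answer}")
    # A favorite color drawn from, say, the 20 most common colors offers
    # about 4.3 bits; an 18-character random answer offers about 107 bits.
    print(f"guessable answer: {guessable_bits(20):.1f} bits")
    print(f"random answer:    {random_bits():.1f} bits")
```

The `secrets` module is used rather than `random` because the answers are effectively a second password for the account and must not be predictable from the generator's state. Entropy is only meaningful if the answer is also stored somewhere safe, which is why the note is meant to go into the password manager alongside the account's real password.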

How do you handle security questions?