How to choose a security question

Tips & tricks
5 mins
A person with question marks above his head.

You’ve probably been asked by online sites and services to add a security question to keep your online accounts safe. The choices are typically along the lines of “What street did you live on in the first grade?” or “What was your first home phone number?”

These days, there’s no shortage of sophisticated methods for authenticating your identity, including biometrics and USB security keys. However, security questions—an early, traditional method—are still around, whether they’re offered as an optional or compulsory layer of security. Gmail and numerous other popular services feature security questions as part of their account security.

Are security questions safe?

Security questions usually serve as one of several authentication methods; services and sites would not use this as the only method for accessing your account.

For example, a service might use a security question as the first layer of security, followed by a one-time code generated by an authenticator app on your phone.

Another instance where security questions are often used is to verify your identity before sending a link to your email to reset a forgotten password. Many sites simply send you the email without any verification, so the security question acts as an extra safeguard to the process.

On their own, security questions are not the safest authentication methods, because the answers are relatively easy to guess, when compared with a randomized, meaningless password. But security questions are rarely used on their own—and this makes them safe.

Should you set a security question?

Yes. Because an optional security question is used in combination with other authentication methods, you should opt to add it into the mix. This will only strengthen the security of your account.

There are ways to set a strong security question. This usually means one that has an answer memorable to you, so it should be real and won’t change over time—while also being unknowable to almost anyone else in the world.

That said, some security experts would argue that in our modern world, very few details about an individual are unknowable. Therefore, they recommend using security questions as a second password.

By creating an answer to your security question that’s impossible to guess because it’s not true and even random, you’d be keeping your account extremely safe—but at the risk of keeping yourself out, too, if you forget the answer.

Tips for choosing security questions

Avoid researchable or guessable security questions

Security questions are usually personal details about you. However, if you pick the ones that are easy to guess, you run the risk of someone you know—or even strangers—figuring out the answers through your social media profiles.

Some examples of security questions that many people might know the answer to:

  • When’s your birthday?
  • What’s your mother’s name?
  • Where did you attend high school?

Customize your own security questions

If you have the option to create your own security questions, do so. Try to make them as tricky as possible by using an obscure and unusual personal detail. Let’s say you live in the U.S. but the first time you ever went fishing was in Thailand’s Ko Panyi village on a solo trip. “In what town did you go fishing for the first time?” would be a good question, unless you’ve posted about your trip on social media.

Use your security question more as a password

You might want to use your security question as a second password. There are a few ways to do this.

Add symbols and numbers to your answer. You can create a happy medium between an answer that is meaningful to you while also being hard to guess because of strange letters, numbers, and symbols inserted into the answer. Take a question above as an example; here’s how your answer could look:

Question: In what town did you go fishing for the first time?
Answer: K0 P@ny1 (Ko Panyi)

Use fake answers. Not telling the truth is sometimes vital for security. If you use false answers in your security questions, no amount of research will help hackers. The key is to remember your false answers by storing them somewhere safe.

Use a completely meaningless answer. Similar to a complex password, this will create the safest security question, but it will also be very difficult for you to remember.

Use different security questions and answers for different logins

Just as you shouldn’t use the same password twice, you shouldn’t use the same security question or answer repeatedly. As data breaches are increasingly common, hackers who get a hold of the security questions and answers that you used for one of your accounts will likely try them on your other accounts.

Best security questions (examples)

If you want to use a security question where the answer is real and memorable to you but still hard for other people to know, here are a few to consider. Choose one where the answer is obscure.

  • What is your oldest cousin’s middle name? (Don’t use this one if you and your cousin are very close and have plenty of mutual friends.)
  • In what city did your parents meet? (A question like this is good because it requires two layers of knowledge—who your parents are, followed by where they met.)
  • What was the last name of your third grade teacher? (This one is good because it goes so far back even people who were in your class might not remember.)
  • What is the name of a college you applied to but didn’t attend? (Or similar—best to ask a question where there is only one answer.)
  • Who was your first kiss? (A good one if the person is completely out of your life.)

Other ways to make your accounts more secure

Security questions have long been a measure of account protection, but they have had their day. While some websites or services still make security questions compulsory, they shouldn’t be your main line of defense for your account security.

Here are other ways to safeguard your online accounts:

  1. Use unique, strong passwords for all your accounts. Use a password manager to store all your logins.
  2. Add other account recovery options, such as your phone number or email address.
  3. Turn on 2-step authentication.
  4. Avoid phishing scams, which manipulate you into giving up your personal information.