Security questions: Examples, risks, and safer alternatives
Security questions are meant to protect your accounts, but your first pet’s name isn’t as hard for cybercriminals to guess as you might think. Learn how to strengthen your security questions, why alternatives like multi-factor authentication work better, and how dedicated Cyber Safety software can help protect your data further.
Security questions are a type of knowledge-based authentication that asks you to verify your identity by answering personal questions, like your mother’s maiden name or your favorite movie. They’re commonly used for password reset and account-recovery processes, but they come with security risks.
This guide explains how to use security questions more effectively and explores stronger alternatives — like multi-factor authentication (MFA), which can better protect your accounts.
How to choose the best security questions
Your security question answers should be private, memorable, and consistent over time. Choose questions that have many possible answers and whose answer isn’t publicly available, and make sure your responses are ones you can reliably recall.
To maximize privacy, consider using an incorrect or misspelled answer to a security question. That way, even if the answer is obvious to others, it’ll be harder to guess the required answer. Of course, this only works if you trust your ability to remember the misspelled answer.
There are two types of security questions:
- User-defined: The user creates their own security question.
- System-defined: The system provides a preset list of security questions to choose from.
Both options can be used, but system-defined questions are generally considered safer, because they reduce the risk of overly predictable choices. Some organizations allow only system-defined questions for this reason.
Examples of bad security questions
Poor security questions have answers that are easy to find or guess. They may also rely on information that changes over time — like “What is your favorite movie?” — or be difficult to remember, making them unreliable for account protection.
Here’s a list of security questions to avoid:
- What’s your mother’s maiden name? Easily found in public records or on social media.
- What’s your favorite TV show? Likely to change over time.
- What high school did you attend? May appear on social media, be inferred from others’ profiles, or be listed on data broker sites.
- What is your birth month? Limited to 12 options and often publicly available.
Many of these weak security questions rely on answers that cybercriminals can easily find through data brokers, social media, or basic research. Others are hard to remember, making them ineffective and unreliable for account security.
Examples of better security questions
Good security questions use personal criteria that are not publicly discoverable, have answers that remain unchanged over time, and could have many possible answers.
Here are a few examples of good security questions:
- What city did your grandparents meet in? Personal and not easily discoverable.
- What was the first concert you attended? Unique, unchanging, and unlikely to be public.
- What was the name of your childhood best friend? Typically private, stable over time, and memorable.
- What was the make and model of your first car? A fixed detail that’s unlikely to be public and easy to recall.
However, while these security questions are relatively strong, they can be figured out with enough sleuthing. To reduce that risk, consider using intentional misspellings or unrelated answers, or seek out stronger cybersecurity measures to protect your accounts.
Are security questions safe?
Even the strongest security questions aren’t a fail-safe account protection method. That’s because they’re still vulnerable to several common attack methods, including:
- Social engineering: Attackers can use social engineering tactics to trick you into revealing answers through fake calls or messages.
- Phishing: Fraudulent phishing emails or password reset pages can capture your answers when you try to “verify” your identity.
- Brute force attacks: Limited answer pools make it easier for hackers to use brute force attacks to compromise your account.
- Data breaches: If a data breach exposes your security question answer for one account, reused answers can expose others.
Because of these risks, security questions shouldn’t be your only line of defense. Many companies are moving away from them. Google, for example, has largely replaced traditional security questions with recovery options like phone verification, email, and device-based prompts.
Microsoft allows security questions for local accounts, but only for password resets — not as a two-factor authentication method.
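As an added illustration (not code from the original article) of how a site that still offers security questions can blunt the brute-force and data-breach risks listed above: answers are normalised, stored as salted PBKDF2 hashes instead of plaintext, and each account gets a small budget of failed attempts before recovery is locked. Function names, the iteration count, the lockout threshold, and the sample month list are assumptions.

```python
import hashlib
import hmac
import secrets
import unicodedata

MAX_FAILED_ATTEMPTS = 5       # assumed lockout threshold per account
PBKDF2_ITERATIONS = 100_000   # assumed work factor; raise it for production

# Constructed sample: the 12-value answer pool behind "What is your birth month?"
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]


def normalise(answer: str) -> str:
    """Fold case and whitespace so "Pearl  Jam" and "pearl jam" compare equal."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def store_answer(answer: str) -> dict:
    """Build the record to keep in the database instead of the plaintext answer."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalise(answer).encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "failed": 0, "locked": False}


def verify_answer(record: dict, candidate: str) -> bool:
    """Check one recovery attempt; lock the record after repeated failures."""
    if record["locked"]:
        return False  # even the right answer is refused until an out-of-band reset
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalise(candidate).encode(), record["salt"], PBKDF2_ITERATIONS)
    if hmac.compare_digest(digest, record["hash"]):
        record["failed"] = 0
        return True
    record["failed"] += 1
    if record["failed"] >= MAX_FAILED_ATTEMPTS:
        record["locked"] = True
    return False


def guesses_accepted(record: dict, guesses: list) -> int:
    """Count how many guesses from a list are evaluated before lockout stops them."""
    evaluated = 0
    for guess in guesses:
        if record["locked"]:
            break
        evaluated += 1
        verify_answer(record, guess)
    return evaluated
```

Running `guesses_accepted(store_answer("December"), MONTHS)` shows the lockout cutting a 12-guess pool off after 5 attempts, and a leaked record holds only a salt and a slow hash rather than the answer itself.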
Best practices when you have to use security questions
When you have to use security questions, take steps to make them more resilient. Focus on answers that aren’t easily guessed, avoid weak self-written questions, and consider using intentionally incorrect or randomized responses.
Here are some security question best practices:
- Avoid guessable answers: Choose responses that others can’t easily infer — even people who know you.
- Review and update regularly: Review and update your security questions, especially after a known data leak or breach.
- Use caution with custom questions: As with passwords, self-written questions can seem stronger but often lead to predictable answers.
- Provide fake answers: Use unrelated or invented responses to prevent attackers from finding them in public records.
- Use a password manager: Store security answers securely with a password manager and consider generating random strings instead of real answers.
- Add a secret word: Append a unique word to your answer to make it harder to guess.
Stronger alternatives to security questions
When you have a choice, opt for stronger alternatives to security questions. Options like multi-factor authentication (MFA), biometrics, and identity and access management (IAM) tools offer more reliable protection.
- MFA: Requires additional factors, such as an authentication app, making unauthorized account access significantly harder.
- Biometrics: Fingerprints, facial recognition, and other biometrics are more secure than knowledge-based methods, though not immune to spoofing.
- One-time passcodes (OTPs): Single-use codes limit reuse, but app-based authenticators are generally safer than SMS due to risks like SIM swapping.
- IAM tools: Used mainly within organizations, these systems restrict access based on user roles, helping protect sensitive data.
Keep your online accounts secure
If security questions are still your last line of defense, it’s time to upgrade your approach. Norton 360 helps protect your data with a password manager, a secure VPN, and advanced malware protection that can defend against threats like spyware, keyloggers, and sophisticated phishing attacks.
FAQs
Should you store answers to security questions elsewhere?
Yes, if you have to use security questions, store the answers in a reputable password manager. This protects them from unauthorized access and is more reliable than relying on memory alone.
Can you recover your Google account with security questions?
No. Google has phased out security questions for account recovery in favor of stronger methods, such as recovery email addresses, phone numbers, and device-based verification.
Can you recover your Microsoft account with security questions?
In some cases, Microsoft still allows the use of security questions for local account password resets, but other forms of verification require stronger authentication methods.
Can you recover your Apple account with security questions?
Usually not. In most cases, Apple accounts now rely on more secure options like two-factor authentication rather than security questions.
Should small businesses use security questions for their website?
Small businesses might consider security questions as a secondary option, but they should be paired with stronger protections like 2FA or OTPs, as they aren’t sufficient on their own.
Editors' note: Our articles offer educational information and are written to raise awareness about important topics in Cyber Safety. Norton products and services may not protect against every type of threat, fraud, or crime we write about. For more details about how we research, write, and review our articles, see our Editorial Policy.