Best Practices with Security Questions

Continuing with our theme of best practices for identity theft protection and building on last week’s post of strong passwords, this week we highlight those security questions. This post too is adapted from a recent post on OnGuard On Line by Whitney Merrill Legal Fellow, Division of Privacy and Identity Theft Protection, FTC.

If you forget your password or sometimes just as additional security, many companies require you to answer security questions to regain access. Here are some tips to make sure an attacker can’t use your security questions as a way to get into your account:

  • Select security questions where only you know the answer. Many security questions ask for answers to information available in public records or online, like your zip code, mother’s maiden name, birth place. That is information a motivated attacker can obtain.
  • Don’t use answers to security questions that can be guessed. An attacker can guess the answer to a security question that has a limited number of responses (dates, colors, states, countries). Avoid questions like “What state were you born in?” or “What color was your first car?” which allow an attacker to guess all possible answers.
  • Don’t give a generic answer to a security question. Find an answer to a security question that you will remember but is also more complicated than a generic word. For example, if the security question asks “What is your favorite childhood memory?” the answer “watching the Dodgers with my mom” is more secure than “baseball.”

For more on best practices when it comes to identity theft protection, please visit

by HV Shred