How to Make Your IT Security Questions Safer

January 5, 2024 • Zachary Amos


Many websites and apps require setting up IT security questions while creating new accounts. The idea is if you lose your password, answering them gives you another way to prove your identity. However, these questions are less inherently safe than you might think. Fortunately, you can make them more effective parts of your cybersecurity strategy. 

What Are IT Security Questions?

IT security questions are the prompts you must answer as part of the identity verification process. Sometimes, they pop up after you enter a password. Alternatively, sites may require you to answer them if you forget the password or want to make a major change to the account, such as changing the email address or associated password. 

When they work well, IT security questions provide an extra defensive layer to keep hackers out of your account. Several shortcomings reduce the protection they provide, though, and making proactive choices can restore some of their usefulness.

Ignore Social Media Quizzes 

Social media quizzes may seem like harmless ways to learn more about the people you follow. However, your answers could give hackers the details they need to answer your security questions. Some social media quizzes also contain embedded links that could add malware to your system. 

Don’t assume your answers will stay within a respective social media platform. Someone could copy your answers and sell them to third parties that want to use your data for marketing purposes. 

When people use social media quizzes maliciously, they hope participants will get so caught up in the entertainment factor that they won’t consider the potential privacy risks. However, the safest thing to do is realize you never know who will see your answers and what they’ll do with the information. 

Choose Answers Carefully 

The people who write IT security questions for others to answer should follow best practices, which call for questions with certain characteristics. An ideal security question should be: 

Memorable: Something you can recall years after setting up the account

Consistent: An answer that will stay the same

Applicable: Requesting information you can quickly answer

Confidential: An answer others can’t easily guess or learn

Specific: A question with one clear answer

User-defined IT security questions are the kind where you choose questions from a list and then type your answer into the provided field. However, some sites use system-defined security questions based on information the company already holds about a user. Since the second type requires storing lots of personal data, user-defined security questions are more common. 

Use the best practice characteristics above to decide how and what you answer. Also, consider how variations in your answer could cause the system to recognize your answer as wrong, even if it’s right. 

Imagine a scenario where you set up a security question that asks the street on which you grew up, and you answered “Applebrook Rd.” the first time. If you spell out “road” rather than abbreviate it in your future responses, the system probably won’t approve your access requests. 

A similar problem could arise if the security question asks you to name your first car. Is the correct answer “2001 Honda Civic,” “Honda,” “Civic,” or “Honda Civic?” Luckily, many sites asking for IT security questions also allow adding text-based hints that’ll appear if you need a clue. In this example, you could type “Manufacturer and model, but not year” or something similar. 
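The mismatch problem above is one a site can partly design away on its side. The following is an added example, not code from the original article or any site it mentions: it shows how a service could normalize an answer (case, spacing, punctuation) before hashing it with a slow, salted password hash, so "Applebrook Rd." and "applebrook rd" verify as the same answer while the stored value is never the plain answer. It deliberately does not expand abbreviations, so "Applebrook Road" still fails, which is exactly why a hint field is worth offering. Function names, the iteration count and the sample answers are all assumptions constructed for this example.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional, Tuple

# Constructed example: server-side storage and verification of a
# security-question answer with light normalization and a salted slow hash.

def normalize_answer(answer: str) -> str:
    """Canonical form of an answer: Unicode-normalized, case-folded,
    punctuation removed, whitespace collapsed. Abbreviations are NOT
    expanded, so "Rd." and "Road" remain different answers."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)      # drop punctuation such as "." or ","
    return " ".join(text.split())            # collapse inner/outer whitespace

def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated when none is
    given; the digest is PBKDF2-HMAC-SHA256 over the normalized answer.
    The iteration count is an assumed example value, not a recommendation."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, 200_000
    )
    return salt, digest

def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest for a candidate answer under the stored salt and
    compare in constant time, so timing does not leak how close it was."""
    _, cand_digest = hash_answer(candidate, salt)
    return hmac.compare_digest(cand_digest, digest)

if __name__ == "__main__":
    # Constructed sample: the answer given at enrollment, then later attempts.
    stored_salt, stored_digest = hash_answer("Applebrook Rd.")
    for attempt in ("applebrook rd", "  APPLEBROOK   RD ", "Applebrook Road"):
        print(repr(attempt), "->", verify_answer(attempt, stored_salt, stored_digest))
```

Only the salt and digest are kept; the plain answer is discarded at enrollment, so a database leak does not directly expose what users typed. The normalization is intentionally conservative: collapsing case, spacing and punctuation removes the most common accidental mismatches without turning unrelated answers into the same string.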

Consider Not Answering the Questions Truthfully

The most powerful security strategies are layered ones. That’s why you should activate options like two-factor authentication while setting up security questions. Then, hackers need more than your answers and password to access your accounts. 

However, another thing to consider is that you don’t need to provide the right answers to your chosen security questions. If the correct answer to the city where you were born is “Charlottesville,” you could answer “coffee cup” instead. 

After all, no one’s checking the accuracy of whatever answers you give when setting up the security questions. The main benefit of this approach is that it keeps your account protected, even if the answers come out via social media quizzes or elsewhere. 

An even stronger safeguard is to answer your security questions with strings of letters and numbers rather than the correct responses. The main downside is this method provides the equivalent of additional passwords you must remember. 

However, a password manager can make this easier. Many let you save notes alongside your passwords, which is a place to keep these answers. Password managers are not foolproof, but they provide much tighter security than an alternative such as writing the answers on a sticky note. 

Go Beyond the Typical Answer Formats or Languages

You can also make IT security questions much harder to guess by answering them unexpectedly. Perhaps you’ve set one up about your pet’s name, which is Mollie. Responding with “M0l1i3” goes beyond the format hackers would think you’d use. 

Do you know any foreign languages? Put that knowledge to good use by incorporating it into your answer. It’s even better if you speak an uncommon language or can use multiple ones in your security question answer.  

Another possibility is to use a mixture of lower and uppercase letters in your answer. However, rather than alternating them — as your first instinct might suggest — be more random and creative with the combination. The goal is to make things harder for hackers, even if they know your security question’s answer. 

Keep Your IT Security Questions Strong

Many security professionals have advocated for doing away with IT security questions, pointing out their numerous issues. However, since sites still frequently require them, the next best thing is to apply these tips to increase the protection they offer. 

If anything happens that provides someone else with your answers, take quick action by changing the questions associated with your account. Data gets leaked and misused so often today that you can never be too careful as an internet user. 

Besides trying the suggestions here, go back to basics by always setting strong and unique passwords for every site or app that requires them. A related best practice is to make them long, since the likelihood of compromise decreases as the length increases.

People use passwords for everything from logging into a social media account to accessing a government portal. Their widespread use makes passwords lucrative targets for hackers. Although IT security questions add protection, your thoughtful decisions can make them even better at thwarting hackers.