The Problem With Security Questions (And What to Use Instead)
Security questions are guessable, publicly available, and often findable on social media. Here is why they fail and what replaces them.
Why security questions were always a bad idea
Security questions were designed to answer the question: "How do we verify a user's identity when they've forgotten their password, without having them prove identity in person?" The answer — ask them something only they would know — worked reasonably well in a world before social media, data aggregation, and large-scale phishing. It doesn't work now.
What attackers can easily find
The most common security question categories — mother's maiden name, first pet, childhood school, first car, favourite sports team — are all answerable from publicly available sources for most people:
- Mother's maiden name: LinkedIn, genealogy sites, Facebook posts
- First pet: Instagram photos from 2010, Twitter posts, Facebook memories
- First school: LinkedIn education section
- Favourite sports team: every social media bio ever
- First car: Facebook posts, Reddit nostalgia threads
A targeted attacker can answer most security questions for a specific person in under 10 minutes of social media research. Untargeted phishing campaigns simply ask users to confirm their "security verification information" and record whatever they type.
The 2008 Sarah Palin hack: an early lesson
In 2008, David Kernell reset Sarah Palin's Yahoo email account by answering security questions using publicly available information — her birthdate, zip code, and where she met her spouse. He didn't need her password. The technique hasn't changed; only the availability of source information has increased.
What to do instead
For sites that require security question answers: Treat the answer as a password. Use a random string generated by PassGeni as your "answer" and store it in your password manager. "Mother's maiden name: xK7#mPqR9wBv". The site doesn't verify whether it's a real maiden name.
For account recovery: Use backup email or authenticator app recovery codes where available. Both are meaningfully more secure than security questions. Store backup codes in your password manager immediately when you generate them.
For organisations: Remove security questions from your authentication flow entirely. Use email-based password reset with 2FA-protected recovery email, or identity verification with physical ID for high-value accounts.
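As an added example that is not part of the original post, here is the server-side core of the email-based reset recommended above, written in Python; the in-memory store, the user ids and the 15-minute lifetime are assumptions. The point it adds is what makes a reset token stronger than a security answer: it is random, hashed at rest, expiring and single-use.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Added example, not code from the original post. Assumed policy: a reset
# link is valid for 15 minutes and can be redeemed once.
TOKEN_TTL_SECONDS = 15 * 60

# Constructed in-memory store: user_id -> (sha256(token), expiry timestamp).
# A real deployment would keep this in a database, but still store the hash,
# so a leaked table does not hand out working reset links.
_pending_resets: Dict[str, Tuple[str, float]] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a fresh reset token for user_id and return the plaintext that
    goes into the email. Only its hash is stored; re-issuing replaces any
    earlier unredeemed token for the same user."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits: nothing to research
    _pending_resets[user_id] = (_digest(token), now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(user_id: str, token: str,
                       now: Optional[float] = None) -> bool:
    """Return True exactly once for a valid, unexpired token.

    The stored entry is removed on any attempt, right or wrong, so a token
    cannot be guessed online and cannot be replayed after use."""
    now = time.time() if now is None else now
    entry = _pending_resets.pop(user_id, None)
    if entry is None:
        return False
    stored_hash, expires_at = entry
    if now > expires_at:
        return False
    # Constant-time comparison: no timing leak of the stored hash.
    return hmac.compare_digest(stored_hash, _digest(token))
```

Unlike a maiden name or a first pet, nothing about the token is stored in plaintext or knowable from the user's public footprint, and each token answers at most one reset.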