Why are security questions still a thing?

The motivation to provide an additional layer of security beyond an email-password combination is a noble one, but ...

The motivation to provide an additional layer of security beyond an email-password combination is a noble one. As annoying as it may be to a user, these layers of security exist to protect us.

Yet, more often than not, the vehicle for delivering this theoretical layer of security is a series of security questions. While this second layer of security is beneficial, implementing it via security questions doesn't make any sense.


The answers are not always private. We live in an age where our younger generation's entire lives are catalogued on the internet. So, things like Your mother's maiden name? or The make and model of your first car? or Your first pet's name? or The last name of your third grade teacher? That information is becoming essentially public.

The answers are usually short. A pet name, a human name, the make and model of a car. These are (usually) short words. Short words are easy to guess. Short passwords are not good.

The answers are limited. Similarly, in thinking about entropy, the answers to these questions are limited. Brute force attacks can happen so much faster because the number of possible answers is so limited to one particular category.

The answers are difficult to remember. What street did you grow up on? Let's say it's, "Martin Luther King, Jr., Ave." Hmmm ... I don't like writing all that, so sometimes it's MLK Jr. Ave., but recently I haven't been using periods. Oh, and there was that one stretch in my life when I chose to abbreviate avenue as AV. In other words, the answers aren't easy to remember even when you know the answer.

The answers are meant to be memorized. We now have these awesome tools like LastPass and 1Password that can generate and store passwords for us. And while they could be used to store security answers, they aren't really built for it and don't make it super easy. But isn't that the thing with security questions, you're supposed to know the answer! The great thing about tools like LastPass and 1Password is that you don't have to know the password. Instead, every password can be different and difficult to guess.

We live in an age when more and more of our sensitive data is stored online. We need a better system for a second layer of protection from that data. Security questions are not the answer. We'd be world's better off if the second layer were simply a second password.

Why are security questions still a thing?

Let's Connect

Keep Reading

Run Loop n Times in JavaScript

Quick snippet to run some function n times using JavaScript.

Oct 06, 2021

Add Rake To Any Project

Rake is an awesome tool. You may want to use it in a non-Ruby project or a project that isn't configured for it.

Feb 22, 2016

Why Build Static Sites?

With all the tools at our disposal today, why would we waste our time building static sites? I'll give you four reasons.

Dec 04, 2018