George Hodan/

After massive Yahoo hack, a new way to think about security questions

Treat your security questions like a riddle only you can decipher.


Aaron Sankin


Posted on Sep 23, 2016   Updated on May 25, 2021, 10:45 pm CDT

On Thursday, Yahoo confirmed it had been hacked really, really bad—500-million-accounts  bad.

“A recent investigation by Yahoo … has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor,” the company wrote in a statement. “The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”

Let’s say you’re the owner of one of those half-billion Yahoo accounts. You’ve changed your password and, since you were smart, you didn’t repeat that same password across other online accounts, which would put those accounts at risk as well. (If you did use that same password for other accounts, let this be a lesson that you need to STOP DOING THAT).

That’s not the only less here. You should also update your security questions, but doing that poses a problem: Your password may change, but your mother’s maiden name, for example, is forever.

A much better way to think about security questions is to treat them like a riddle to which only you know the answer, but has no basis in reality.

The fundamental weakness in the security questions typically used for password recovery is that, like Social Security numbers, they’re usually permanent. They are often easy to for a dedicated attacker to guess. When a hacker compromised the personal email account of erstwhile Alaska Gov. Sarah Palin—a Yahoo account, by the way—all it took was guessing the answer to her security question, which was about where she met her spouse. The answer, as it happened, could be located on Palin’s Wikipedia page.

The problem is that people treat security question like things that should be answered with the objective truth. A much better way to think about security questions is to treat them like a riddle to which only you know the answer, but has no basis in reality.

A good way to do this is to set up a system that applies arbitrary information to your security question answers. 

So, say you use one that’s entirely based on The Simpsons. If a question asks where you met your spouse, set the answer as “Springfield High School.” If a question asks for the name of the street where you grew up, set the answer as “Evergreen Terrace.” If it asks for the name of your first pet, say “Santa’s Little Helper.” It works because, honestly, you probably have a better grasp on Simpsons trivia—or whatever nerdom you subscribe to—than you do on the actual details of your own life.

Or just set all your answers to different types of tacos, because, if you know one thing in this crazy, mixed-up word, it’s that tacos are delicious.

Whatever system you pick, make sure that it’s easy to remember. In that case, even if you forget the specific answers you set to each individual question for each individual site, you should still have a pretty good idea of what your answer were.

If you do all that, you’re just ensured all of your online accounts are just that much more secure.

Share this article
*First Published: Sep 23, 2016, 6:05 pm CDT