Jun 24, 2013

Your Answers to Security Questions Should Be Random, Too

At LastPass, we often reiterate the need for randomly generated passwords in order to increase your online security. One feature that often gets overlooked is the set of security questions that your sites and services may have you fill out as you register.

In theory, security questions are personalized, slightly more obscure questions that you supply answers to, and those answers later help you "prove" your identity when recovering access to an account or contacting a customer support team. However, the questions can create a security loophole. On top of that increased risk, if you're using a password manager to store your passwords, there's no reason you should have to go through the recovery process.

That's why we recommend "generating" your answers to your security questions, or creating falsified answers that you can then securely store in LastPass for reference. This ensures that security questions cannot be used against you should someone try to gain unauthorized access to one of your accounts - this is how Sarah Palin's email was hacked, and how other individuals have fallen victim to violations of their personal privacy.

It's easy to get started with random security answers when you're registering for a new site. When you're presented with a question, simply click the LastPass icon in your browser and select the "generate a secure password" option. You can click the "advanced options" box to customize the characters, and even make the password pronounceable.

You can then use the "copy" option to copy-paste the password into the answer field for the question, and submit the information on the site. Once you've saved that site to LastPass, ensure you've also pasted the generated password into the "notes" field in the edit menu for the site entry, indicating that it's the security answer for your account.

If you know you're using personal information for security answers, set aside some time to log in to those accounts, generate a new "answer" with LastPass, and store the update in your site entry. Accounts for online banking, email, social media, and credit cards are all good places to start.
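
The procedure above, sketched as an added example that is not LastPass's generator or code from the original post: it draws one independent, pronounceable answer per question from a CSPRNG and formats each as a line for a notes field. The syllable alphabet, the 80-bit target, the notes-line format and the function names are all assumptions chosen here.

```python
import math
import secrets

# Lowercase only, so the estimate holds even if a site ignores case (assumption).
CONSONANTS = "bdfghjklmnprstvz"  # 16 choices
VOWELS = "aeiou"                 # 5 choices
BITS_PER_SYLLABLE = math.log2(len(CONSONANTS) * len(VOWELS))  # about 6.32


def syllables_needed(min_bits: float) -> int:
    """Number of random consonant-vowel syllables needed to reach min_bits."""
    return math.ceil(min_bits / BITS_PER_SYLLABLE)


def pronounceable_answer(min_bits: float = 80, group: int = 3) -> str:
    """Random answer that can be read aloud, e.g. to a support agent.

    Every letter comes from the OS CSPRNG via `secrets`; hyphens only group
    the syllables for readability and add no entropy.
    """
    count = syllables_needed(min_bits)
    syllables = [secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                 for _ in range(count)]
    words = ["".join(syllables[i:i + group]) for i in range(0, count, group)]
    return "-".join(words)


def notes_for(questions: list[str], min_bits: float = 80) -> str:
    """One independent answer per question, formatted for a notes field."""
    lines = [f"Security answer | {q} | {pronounceable_answer(min_bits)}"
             for q in questions]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample questions, not taken from any real site.
    sample = ["Mother's maiden name?", "Name of first pet?"]
    print(notes_for(sample))
```

Because each answer is generated separately, learning the answer to one question on one site reveals nothing about any other question or account.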

