Security Questions: Secret or Shortcut?
Security questions can be your safety net—or your trap door.
“What’s your pet’s name?” sounds harmless… until attackers find it plastered all over social media.
Best Practice: Ditch Predictability
- Skip the standard questions where the site lets you; when it forces one on you, answer it with something that is not a fact about you.
- Go custom, obscure, or deliberately fake: generate a random answer and store it in your password manager next to the password, exactly as you would a second password.
- ZebraSoup27 beats “Springfield Primary” every time. The real answer is on your Facebook profile, in a school reunion photo, or in a data-broker record; the random one is nowhere.
Top Tip: MFA First, Questions Last
- Use multi-factor authentication wherever possible.
- Treat security questions as a last-resort backup, not frontline defence.
Real-World Rethink: Salon Scandal
A salon owner’s email got hijacked via a password reset.
The attacker guessed her first school, straight from Facebook.
One random string could’ve stopped the breach. One.
What to Do
- Audit recovery settings across all accounts.
- Elevate your question game: treat answers like passwords, which means random, unique per site, and never reused.
- Choose info an attacker can’t know, can’t find, can’t guess.
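Both lists above come down to two moves: on your side, generate an answer nobody can look up; on the service's side, store and check that answer the way a password is stored and checked. The Python below is an added example that is not from the original page or any particular product. The sixteen-word list is constructed for the demo and deliberately tiny (a real generator would use a list of thousands of words), the PBKDF2 round count is a placeholder, and the `RecoveryGate` class, its five-attempt lockout and the `salon@example.com` account are illustrative assumptions, not any vendor's design.

```python
"""Added example: security-question answers treated like passwords.

User side: random_answer() builds a high-entropy answer to paste into a
password manager. Service side: RecoveryGate stores only a salted, slow
hash of the normalized answer, compares in constant time, and refuses
further guesses after a few failures, so "guess her first school from
Facebook" gets a handful of tries, not unlimited ones.
"""
import hashlib
import hmac
import math
import secrets
import unicodedata
from typing import Dict, Optional, Tuple

# Constructed wordlist for the demo only. A production generator would use a
# large public list (thousands of words) to get well over 50 bits per answer.
WORDLIST = [
    "zebra", "soup", "anvil", "comet", "dune", "ember", "fjord", "glacier",
    "harbor", "iris", "jigsaw", "kelp", "lantern", "marble", "nectar", "oasis",
]

PBKDF2_ROUNDS = 100_000  # placeholder; tune to your hardware budget


def random_answer(words: int = 4, digits: int = 2, wordlist=WORDLIST) -> str:
    """Return an answer such as 'Kelp-Anvil-Comet-Dune-83', chosen with the
    CSPRNG in `secrets`, never with `random`."""
    parts = [secrets.choice(wordlist).capitalize() for _ in range(words)]
    suffix = "".join(str(secrets.randbelow(10)) for _ in range(digits))
    return "-".join(parts) + "-" + suffix


def answer_entropy_bits(words: int = 4, digits: int = 2, wordlist=WORDLIST) -> float:
    """Entropy of random_answer(): log2 of the number of equally likely answers."""
    return words * math.log2(len(wordlist)) + digits * math.log2(10)


def normalize(answer: str) -> str:
    """Canonicalize before hashing so '  ZebraSoup27 ' still matches 'ZebraSoup27'.
    Note that this also shrinks the guess space of a human-chosen answer,
    one more reason to use a random one."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash of the normalized answer; same treatment as a password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


# Dummy record hashed against for unknown accounts, so response time does not
# reveal whether an account exists.
DUMMY_RECORD = hash_answer(secrets.token_hex(8))


class RecoveryGate:
    """Per-account verifier for the recovery step (illustrative, not a real API)."""

    MAX_FAILURES = 5  # assumption: lock recovery after five wrong answers

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}
        self._failures: Dict[str, int] = {}

    def enroll(self, account: str, answer: str) -> None:
        self._records[account] = hash_answer(answer)
        self._failures[account] = 0

    def is_locked(self, account: str) -> bool:
        return self._failures.get(account, 0) >= self.MAX_FAILURES

    def check(self, account: str, candidate: str) -> bool:
        record = self._records.get(account)
        salt, digest = record if record is not None else DUMMY_RECORD
        _, cand = hash_answer(candidate, salt)       # hash even for unknown accounts
        ok = hmac.compare_digest(cand, digest)       # constant-time compare
        if record is None or self.is_locked(account):
            return False
        if ok:
            self._failures[account] = 0
            return True
        self._failures[account] += 1
        return False


if __name__ == "__main__":
    gate = RecoveryGate()
    gate.enroll("salon@example.com", random_answer())
    print("guess from Facebook accepted:", gate.check("salon@example.com", "Springfield Primary"))
    print("entropy of a demo answer (bits):", round(answer_entropy_bits(), 1))
```

The two halves reinforce each other: the random answer removes the social-media shortcut, and the hashed, rate-limited check means that even a leaked recovery database or a patient guesser gets nothing cheap. With the sixteen-word demo list an answer is worth only about 22.6 bits, which is why the comment insists on a real list.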
Philosophy of the Fix
Security isn’t just about what you say, it’s about what you keep silent.
Your best answer? One they’ll never think to ask.