Here’s the Secure Way to Use Password Hints and Security Questions


When security questions and password hints are required for your accounts, you might not be filling them out wisely. To best protect your account security, you shouldn’t be truthful in these fields.

MUO World Password Week 2025 Banner

Understanding Password Hints vs. Security Questions

While these two account security features sound similar, they’re not the same.

Password hints are just that—a small tip to help you recall a password you’ve forgotten. They are visible to anyone who can reach the prompt to enter your password, so they shouldn’t be too revealing. Depending on the service, your hint might appear only after you enter an incorrect password several times, or it might be shown as soon as you click a button.

Password hint bubble on macOS Lock Screen

While password hints aren’t as common as they used to be, some online services still use them. macOS includes a password hint option, as does Windows 11 (though only if you use a local account).

Security questions, meanwhile, are a layer of security used as a form of two-step authentication, or to verify your identity when you get locked out of your account. When logging in on an unfamiliar browser or recovering your account, you might need to confirm the answer to one or several questions.

American Airlines Security Questions

While your first instinct with both options is likely to answer honestly, that’s not a good idea from a security standpoint. There are better ways to use these fields, whether you’re forced to use them or want to.

Use Random Passphrases for Security Questions

The problems with security questions are well-documented. Because these questions typically ask about publicly available information, it’s too easy for anyone with malicious intent to get hold of the answers.

Your mother’s maiden name, favorite color, street you grew up on, and similar bits of info are accessible with some poking around on social media and public records. Even worse, some security questions have a limited pool of answers; there are only so many possible favorite colors, for instance.


Thus, the best way to use security questions is to give fake answers. But you shouldn’t give a false answer that still fits the question and would thus be easy to guess. Instead, you should treat each security question like another password field and choose a random passphrase that’s near-impossible to guess.

For example, rather than lying that your mother’s maiden name is “Griswold”, your answer to that question could be “Gratifying Lambasted Narwhals”. This is unrelated to the question and extremely tough to guess, but not hard to remember—one of the key advantages passphrases have over passwords.

Some companies will have you answer your security questions for verification when you call. Avoid using symbols and phrases you can’t easily pronounce to avoid an awkward situation on the phone.

Keeping Your Security Question Answers Safe

Ideally, you should store these made-up answers in a password manager so you don’t have to remember them. Using a password manager is essential for your online security in many ways, including this. If you haven’t made your passwords more secure with a password manager yet, it’s the best step you can take.

Depending on your password manager, there might be a specific option for security questions. If not, use the Notes field for that website (all password managers offer this). Then when you log in, you only need to copy and paste your passphrases.

1Password Security Question Generator

Make sure you note which answers go with which questions, since strong security question answers don’t have any context!
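To make the advice in this section concrete, here is a small Python script (added here as an illustration; it is not code from the article or from any password manager) that generates word-based security-question answers with a CSPRNG, checks that an answer is easy to read aloud on the phone, stores it next to the exact question it belongs to, and compares the guessing space of a limited-pool question with that of a random passphrase. The word list is a constructed sample; a real generator would use a list of thousands of words such as the EFF long diceware list, whose size (7,776) is used below only for the entropy comparison.

```python
import math
import secrets

# Constructed sample word list of short, easy-to-pronounce words.
# Assumption: a real tool would draw from thousands of words; this tiny
# list exists only so the script runs offline.
WORDS = [
    "amber", "basket", "cactus", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "nectar",
    "orchid", "pepper", "quartz", "ribbon", "saddle", "timber", "velvet",
    "walnut", "yellow", "zephyr",
]


def make_answer(n_words=3, wordlist=WORDS):
    """Return a random answer such as 'Harbor Quartz Meadow'.

    secrets.choice is a cryptographically secure generator, so the answer has
    no relation to the question or to anything public about the user."""
    return " ".join(secrets.choice(wordlist).capitalize() for _ in range(n_words))


def phone_friendly(answer):
    """True if the answer is only letters and spaces, so it can be spoken to a
    support agent without reading out symbols or digits."""
    return answer != "" and all(ch.isalpha() or ch == " " for ch in answer)


def answer_space_bits(pool_size, n_choices=1):
    """Guessing entropy in bits when each of n_choices picks is drawn uniformly
    from pool_size options: log2(pool_size ** n_choices)."""
    return n_choices * math.log2(pool_size)


def record_answer(vault, site, question, answer):
    """Store the answer under the site entry, keyed by the exact question text,
    because a random answer carries no context on its own."""
    vault.setdefault(site, {})[question] = answer
    return vault


def demo():
    """Generate one answer, store it, and compare answer spaces."""
    vault = {}
    question = "What is your mother's maiden name?"
    answer = make_answer()
    record_answer(vault, "example.com", question, answer)
    return {
        "stored": vault["example.com"][question] == answer,
        "phone_friendly": phone_friendly(answer),
        # A 12-option dropdown (e.g. birthday month) vs. three random words
        # from a 7,776-word list (the EFF long list size).
        "dropdown_bits": round(answer_space_bits(12), 2),
        "passphrase_bits": round(answer_space_bits(7776, 3), 2),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `record_answer` is the one the paragraph above makes: because the answer is unrelated to the question, the vault entry must carry the question text as well, or you will not know which passphrase to paste when the site asks. The entropy comparison shows why a fixed pool of answers is the weakest case: a 12-option dropdown offers about 3.6 bits regardless of how you answer, while three random dictionary words give close to 39.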

Make Password Hints Meaningful to Only You

Password hints shouldn’t help anyone guess your password. The easiest way to accomplish this is to use a password manager for everything and set your hint to “password manager”.

By memorizing a strong master password for your password manager, you don’t have to worry about hints for other passwords. Don’t name the password manager you use, as that reduces the number of apps a potential attacker will try to break into with your email address.

If you aren’t using a password manager for some reason, password hints are trickier to use safely. Generally, if your password is simple enough that you can describe it with a hint (such as “childhood school plus dog name”), then it’s too weak.

A better setup is to use a passphrase pattern that has non-obvious meaning. You might choose every second word of a song, the middle five words of a quote, or similar—the more obscure, the better. Then your password hint could be something like “best quote” to spark your mind without giving it away.

1Password Passphrase Generator

For the most important passwords, like your password manager’s master password, you could consider a physical backup copy. Then the hint can provide a clue to where it’s safe at home (“in the middle of the last book you read”, for example).

Should You Use Either Option?

The above advice is useful for accounts that force you to use security questions or a password hint. But when possible, you should choose to skip these options or turn them off. Every other two-factor authentication method is superior to security questions; you’re much better off using an authenticator app.

It’s worth doing an audit of your accounts to turn off security questions if you’re able, or adjust your answers to make them stronger. This is especially true for accounts you’ve had for a long time, as they’re more likely to be grandfathered into using security questions.

A particularly nasty case is security questions where you’re limited to a dropdown menu (United Airlines is a culprit). When you’re stuck with these, you still shouldn’t answer honestly. Further, you should select questions only you would know the responses to, rather than those someone could answer with public info.

Looking at United’s security questions as an example: your favorite sea animal is a better question than the month your best friend’s birthday is in, even when making up an answer. There are only 12 months, while there are more kinds of sea creatures—plus you’re less likely to have shared the latter in person or online.


Everything around passwords is stronger when it’s random. That extends to both security questions and password hints. When you’re forced to use them, make up a random answer that you store in your password manager for safekeeping. And when you have a choice, turn them off and use a stronger 2FA method.
