Updated on September 19, 2025.
Security questions are commonly used by websites and apps to verify your identity, typically as a backup during password recovery. These questions ask for personal information, such as your mother’s maiden name or the name of your first childhood pet, to confirm you are who you claim to be. However, since the answers to some security questions can be found online or are easy to guess, it’s important to follow best practices: choosing questions only you can answer, making your answers complex or unrelated to the actual question and avoiding reusing the same questions/answers across multiple accounts. Because of these security concerns, it’s best not to use security questions as a form of Multi-Factor Authentication (MFA) and, if given the option, choose a more secure method, like a passkey or hardware security key.
Continue reading to learn what makes a strong security question, examples of good security questions and answers and stronger alternative authentication methods.
Types of security questions
Security questions can be categorized into two main types: user-defined and system-defined. User-defined security questions allow you to create your own questions and answers, offering more flexibility and personalization if the questions and answers are well chosen. However, poorly worded or overly simple security questions can make your account vulnerable to being compromised.
System-defined security questions are pre-selected by the service provider, such as “What is your mother’s maiden name?” or “What was the model of your first car?” These are easy to set up but often rely on information that others can find online, making these security questions less secure unless you use creative or non-obvious answers.
What makes a good security question?
When creating or selecting a security question, it should meet certain criteria to keep your online account safe. Here are some of the key characteristics of a good security question:
- Confidential: The answer should be known only to you and not easily found online or through social media. Avoid security questions with answers like your hometown or pet’s name if that information can be found through your digital footprint.
- Memorable: You should be able to easily remember the answer to a security question without having to write it down or look it up. However, be certain that someone would be unable to find this answer about you online by looking at your social media profiles.
- Consistent: The answer should remain the same over time. For example, your favorite movie may change, but the city where your parents met will stay the same.
- Specific: The question and answer should be straightforward, without requiring complex formatting or multiple steps to remember.
- Unpredictable: The answer should not be easily guessable or accessible through public records. Avoid security questions with common answers, such as your favorite color or month of the year.
Best practices for security questions and answers
Regardless of which type of security question you use, following best practices when answering security questions can make your accounts more secure. Here are several strategies to help protect your personal information more effectively.
Use different security questions for different accounts
Just like with passwords, reusing the same security question and answer across multiple accounts jeopardizes your security. If one of your accounts is compromised, cybercriminals can use the same information to access others. Always use unique question/answer combinations for each service when you can.
Avoid self-written questions
While user-defined security questions can offer more customization, they can also increase security risks if not carefully crafted. Many people write security questions that are too simple, too personal or too easy to guess. If you want to write your own security question, make sure it isn’t something someone can guess or find online.
Choose multiple security questions when possible
If a service allows you to set up more than one security question, take advantage of that. Using multiple security questions adds more layers of protection, making it challenging for someone to access your account by guessing or researching only one answer.
Update your security questions periodically
You should regularly review your security questions to maintain the security of your accounts. Consider updating them periodically, especially if the answers may have changed over time or if you think they may have been compromised.
Set a minimum length for answers
Short answers are easier for cybercriminals to guess or crack. It’s safer to choose longer answers or add complexity to make your responses harder to predict. If the service doesn’t enforce a minimum length for security answers, set your own personal criteria — aim for answers that are at least 10-12 characters long.
Give incorrect or unrelated answers
As long as you can remember or securely store your answers, consider giving incorrect or unrelated responses to security questions that only you would know. For example, if the question is “What was your first pet’s name?” you may answer “Strawberry Milkshake” even if that wasn’t your first pet’s name. Creating an extra layer of obscurity with your security answers will make it more difficult for cybercriminals to access your accounts.
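The practices above (unique answers per account, a minimum length, and answers unrelated to the question) can be checked mechanically. The following Python sketch is an added example, not code from Keeper; the record layout, the function names, the word list and the sample entries are all assumptions constructed for illustration.

```python
import secrets

MIN_LENGTH = 12  # the article suggests answers of at least 10-12 characters

# Constructed samples for illustration; real lists would be far larger.
COMMON_ANSWERS = {"blue", "red", "pizza", "max", "january", "toyota"}
# 16 words x 3 picks is only 12 bits of randomness; use thousands of words.
WORDS = ["strawberry", "milkshake", "granite", "lantern", "velvet", "harbor",
         "pepper", "orbit", "meadow", "copper", "walnut", "thunder",
         "saddle", "marble", "cactus", "ribbon"]

def normalize(answer):
    """Treat answers that differ only in case or spacing as the same answer."""
    return " ".join(answer.lower().split())

def audit(records):
    """records: (account, question, answer) tuples -> {account: [issues]}."""
    accounts_by_answer = {}
    for account, _question, answer in records:
        accounts_by_answer.setdefault(normalize(answer), set()).add(account)
    findings = {}
    for account, _question, answer in records:
        norm = normalize(answer)
        issues = []
        if len(norm) < MIN_LENGTH:
            issues.append("short")
        if norm in COMMON_ANSWERS:
            issues.append("common")
        if len(accounts_by_answer[norm]) > 1:
            issues.append("reused")
        if issues:
            findings.setdefault(account, []).extend(issues)
    return findings

def generate_answer(n_words=3, words=WORDS):
    """Random answer unrelated to any question; keep it in a password manager."""
    while True:
        answer = " ".join(secrets.choice(words) for _ in range(n_words))
        if len(answer) >= MIN_LENGTH:
            return answer

# Constructed sample entries, as they might be exported from a vault.
SAMPLE = [
    ("mail", "What city were you born in?", "Springfield"),
    ("bank", "What city were you born in?", " springfield "),
    ("shop", "What is your favorite color?", "Blue"),
    ("forum", "What was your first pet's name?", "Strawberry Milkshake"),
]
```

Running `audit(SAMPLE)` flags the mail and bank entries as short and reused and the shop entry as short and common, while the unrelated "Strawberry Milkshake" answer passes.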
Bad security question examples
Not all security questions offer the same level of protection. Here are examples of bad security questions and why you should avoid using them:
| Security question | Reason why it's a weak security question |
|---|---|
| What city were you born in? | Generally available to the public via social media or public records |
| What was your first car? | Often known by family and sometimes mentioned in online conversations |
| What is your favorite song? | Preferences change over time, so the answer might not be consistent or memorable |
| What is your astrological sign? | Easily guessed based on your birthday, which is often simple to find online |
Good security question examples
Good security questions are challenging to guess, not easily found through online research and memorable only to you. Here are examples of strong security questions and why they’re more secure:
| Security question | Reason why it's a strong security question |
|---|---|
| In what city did your parents meet? | Personal but not commonly known or easily searchable |
| What was your eighth-grade math teacher's name? | Specific and memorable to you but unlikely to be found by others |
| What is the middle name of your oldest cousin? | An obscure family detail that is not generally shared online or outside your family |
| What was the first concert you went to? | Memorable and unique to your history, and difficult for others to guess |
Alternative authentication methods to security questions
While security questions can be effective if you choose and answer them properly, they aren’t the most secure form of authentication, especially if your answers are easy to guess. Luckily, there are more secure alternatives available to authenticate your identity. If a service offers any of the following authentication methods, you should consider using them instead of or in addition to security questions:
- Hardware security keys: A hardware security key is a physical device, such as a USB key, that you use to authenticate. Once it is registered to your account, you tap or insert the key to verify your identity during login. Hardware security keys are phishing-resistant, making them a highly secure method of authentication.
- Passkeys: A passkey is a modern, passwordless authentication method that uses a cryptographic key pair. When you log in, you’re prompted to verify your identity with biometrics or a PIN. Passkeys are not only more secure than passwords and security questions, but they’re also easier to use.
- Time-Based One-Time Passwords (TOTPs): A TOTP is a Two-Factor Authentication (2FA) method that generates a temporary code using an algorithm. TOTP codes are generated by an authenticator app and expire after 30-60 seconds. Since codes change frequently and aren’t sent over the internet, TOTPs are a safe form of authentication.
Store your security questions and answers with Keeper®
Although security questions are important in account recovery, they carry serious risks if not used and stored correctly. We recommend using a password manager like Keeper® to securely store your security questions and answers, so you don’t have to rely on your memory or insecurely stored notes. Keeper makes it easy to manage all your login credentials and sensitive data in an encrypted, digital vault — keeping your online identity safer and more organized.
Start your free trial of Keeper today to improve how you store your security questions and answers.
Frequently asked questions
What information can be used as a response to a security question?
You can use any piece of information as a response to a security question, but it’s best to choose something private, memorable and hard for others to find online. Avoid using answers that are publicly available or easy to guess, like your pet’s name or your birthday. Information that you can use in your security answer includes obscure family details, meaningful personal experiences or completely false answers that only you would know are made up. In fact, using unrelated information in your security answers can actually improve security — as long as you store your answers securely in a password manager like Keeper.
When do I use a security question and answer?
Security questions and answers are generally used to verify your identity when you need to perform sensitive actions on an account. Common scenarios where additional verification is required to confirm your identity include resetting your password, changing your contact email address or deleting your account. Some platforms may prompt security questions when they detect suspicious activity, such as logging in from an unfamiliar device or location.
How can I protect my security question answers?
You can protect your security answers by storing them in a dedicated password manager like Keeper. Instead of using easily guessable answers, create strong, unique responses that are challenging to guess and may even be unrelated to the actual question. A password manager like Keeper can securely store your answers alongside your login credentials for that platform, so you don’t have to remember them yourself or risk storing them insecurely.