
Introduction
"What is your mother's maiden name?" "What was the name of your first pet?" "What street did you grow up on?"
For 20 years, these questions were the gatekeepers to our digital lives. If you forgot your password, these "secret" answers were your backup key.
There is just one problem: None of this is a secret anymore.
Thanks to social media, public record scrapers, and data breaches, hackers can answer these questions better than you can. In 2025, relying on Security Questions (Knowledge-Based Authentication) is not a safety net; it is a backdoor left wide open.
In 2008, a hacker reset Sarah Palin's Yahoo email password simply by Googling her birthday, zip code, and where she met her husband. No coding required. Just Google.
The Problem with "Shared Secrets"
Security questions rely on Static Knowledge. Unlike a password (which you can change), you cannot change your mother's maiden name. Once that fact is leaked in a data breach (like the Equifax breach), it is burned forever.
Furthermore, the answers are Finite. Question: "What is your favorite color?" Attacker: Writes a script to try the top 20 colors. They will crack it in seconds.
Social Engineering & OSINT
Open Source Intelligence (OSINT) is the art of finding information about people from public sources.
- Question: "What is your high school mascot?"
- Attack: Hacker finds your LinkedIn profile -> finds your high school -> Googles the mascot.
- Question: "What is your pet's name?"
- Attack: Hacker scrolls your Instagram feed until they find a dog photo tagged "Happy birthday Buster!"
Attackers don't need to hack your computer. They just need to follow you on Facebook.
NIST Says: Stop Using Them
The National Institute of Standards and Technology (NIST) explicitly advises against using KBA for account recovery.
NIST SP 800-63B: "Verifiers SHOULD NOT offer a mechanism to reset a memorized secret that requires the claimant to answer knowledge-based questions."
Translation: Kill the security question.
Better Alternatives for Recovery
If users forget their password, how do they get back in?
- Email Magic Link: Send a time-limited, one-time link to their verified email address. (Standard for most SaaS).
- SMS / Authenticator Code: Send a 6-digit code to their verified device. "Prove you have your phone."
- Backup Codes: Generate a printable list of recovery codes at signup (like Google and Apple do).
- Identity Verification: For high-value accounts (Banking), require a photo of a Driver's License or a video selfie.
Recovery must be harder than Login. If resetting a password is easier than logging in, attackers will always attack the reset process.
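The email magic-link option above, as an added example that is not part of the original post: a small Python store that issues random, time-limited, single-use recovery tokens and keeps only their SHA-256 digest. The 15-minute lifetime, the in-memory dictionary and the sample user are assumptions.

```python
import hashlib
import secrets
import time

# Assumed lifetime of a recovery link; the post only says "time-limited".
TOKEN_TTL_SECONDS = 15 * 60


class RecoveryTokenStore:
    """Pending password-reset tokens for the email magic-link flow.

    Only the SHA-256 digest of each token is stored, so a leaked table
    cannot be replayed as working links. Each token is single-use and
    expires, which keeps the reset path at least as hard as a login.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, now=time.time):
        self._ttl = ttl
        self._now = now  # injectable clock, so expiry is testable
        self._pending = {}  # token digest -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Mint a fresh token for user_id and return the secret that goes
        into the emailed link. The plaintext is never written anywhere."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._now() + self._ttl
        self._pending[self._digest(token)] = (user_id, expires_at)
        return token

    def redeem(self, token):
        """Consume a token. Returns the user_id if it is known and still
        valid, otherwise None. The entry is removed on first presentation
        whether or not it has expired, so a link can never be replayed."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id


if __name__ == "__main__":
    store = RecoveryTokenStore()
    link_secret = store.issue("alice@example.com")  # constructed sample user
    print("reset link: https://example.com/reset?token=" + link_secret)
    print("first use:", store.redeem(link_secret), "second use:", store.redeem(link_secret))
```

In a real service the dictionary would be a database table and `redeem` would run inside the handler for the link, before the new password is accepted.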
If You MUST Use Them (Best Practices)
If you are stuck with a legacy system (like a utility company or an old bank) that demands them:
Treat them like passwords.
- Question: "What is your father's middle name?"
- Your Answer: X7#m9$L2 (generated by your password manager).
Do not give real answers. Store the fake answer in the "Notes" field of your Password Manager entry for that site. This turns a weak security question into a strong secondary password.
Conclusion
Your life story is not a password. It is a public record.
As businesses, we need to stop asking these questions. As users, we need to stop answering them truthfully. The era of Knowledge-Based Authentication is over; let it rest in peace.
DynamicPassGen Security Team
Security Research & Education
Our security team stays current with the latest password standards, authentication methods, and cybersecurity best practices to provide accurate, actionable guidance for users and organizations. We analyze emerging threats, study real-world breaches, and translate complex security concepts into practical advice you can implement immediately.
