Most accounts of any type today (e-mail, MMOs, private sites of any kind, even ones where security matters a great deal, like payment and transaction sites) use a series of security questions for password recovery.
The problem is that today they do less good than bad. And I’m going to explain why.
Almost all security questions, on any type of site, are presets. They ask you things like birth dates, friends’ or pets’ names, and known locations (school, etc.).
The problem here is that even people who are not close friends can guess them, or find them out extremely easily.
And if you don’t give real answers, you’ll have a lot of trouble remembering them yourself.
So the disadvantages are clear: either users forget them, or they are totally insecure. Both ways lead to you being unable to access your account: either someone else got into it, or you are locked out because the “secure” answers you set long ago are ones you no longer remember.
The solution to all this is to have answers that cannot be anticipated or guessed by friends, or by people who have learned about you from everything you (unwisely) share on social sites, but that you will still remember at any time, even if unused for ages.
The trick is to add something unique to the standard answers. It can be anything, and no one else can know it; the important thing is that you remember it as your personal universal unlock key.
Let’s take an example: a site asks for the street number of your first address as a security answer. Let’s say the number is 100.
Now, instead of just answering 100, which you will remember but which is vulnerable to any friend, you answer 100k.
No one will ever be able to know that the answer you actually gave to that question is 100k.
Where does the ‘k’ come from? Well, call it your personal unlock key. Never write it down or tell it to anyone, but make sure you always know it. It can be anything: a number, a name, a character, a letter, as long as it’s totally unrelated to your life.
It is as secure as it is unrelated to you. For example, if you’re a banker, it would be stupid to use $ as your personal key. But if you use a word like ‘battery’, it won’t have anything to do with your activity. Likewise, if you’re a car mechanic, don’t use ‘battery’; use something as unrelated to cars as possible, like ‘orange’. If you sell oranges at the market, use something like ‘light bulb’.
Now the answers to possible security questions, instead of things like ‘1984’ and ‘cat’, become ‘1984orange’ and ‘catbattery’, which are practically impossible to guess or infer, even for close friends.
I think you got the picture.
So there you have it. Using otherwise standard answers with your personal key added to them, they become immune to friend-guessing, and you won’t be able to forget them either, since you know your key and the answers are based on actual facts about your pets/locations/dates/friends, etc.
This way, you increase your account recovery rate from an average of 40% (a rate that is still decreasing at this time) to something close to 98%.
If the personal key somehow gets compromised, change it to another one. But better safe than sorry. Remember, you’re always watched!