Why you should lie in your password-recovery questions

The truth is overrated. At least when it comes to protecting your online accounts.
By Jack Morse

Sometimes, the safest choice is to lie.

We've all been there: You try to log into a rarely used online account only to realize you've forgotten the password. It's password-recovery time, and before you know it you're scratching your head trying to remember the name of your first pet and what your favorite movie was three years ago. You've already screwed up, just not in the way you think.

Your first mistake, it turns out, was answering those dumb security questions accurately in the first place. The idea of password-recovery questions is simple. If you forget your login credentials, there's a backup way to get into your account. The problem is that often the information required to pass those minor-security hurdles is easily found via a quick Google search.


Just ask former vice-presidential candidate Sarah Palin. In 2008, a 20-year-old college student broke into Palin's Yahoo email account. He accomplished this task by using the internet to determine her ZIP code and birthday, and then resetting her password via the password-recovery tool.

Essentially, he just Googled his way into her account.

And while we shed no specific tears for Mrs. Palin, the lesson learned is still a painful one. Answering password-recovery questions honestly is opening yourself up to a potential hack. We all know this, and yet many services still require you to answer their dumb questions in order to create an account.

There's a way around this, of course. Lie.

But before we get into that, a quick note: You should use a unique password for every single online account you have. That's a different password for Twitter, Gmail, Reddit, Netflix, Spotify, and whatever other online services you may use. That's because when one platform gets hacked (and stuff always gets hacked), bad actors will often try something called credential stuffing — entering email and password combinations stolen from one service into other online services — in an effort to leverage the hack of, say, a Dunkin' Donuts account into illicit access to someone's bank account.

Sure, remembering all those unique passwords is difficult. That's why you should use a password manager. Services like LastPass and 1Password only require you to remember one strong passphrase (and use multi-factor authentication), and then they do the rest.

Password managers also have another handy feature for the security inclined. Specifically, you can save "secure notes" on LastPass and other similar services.

That means, instead of having to remember the real answers to your password-recovery questions — potentially setting yourself up for a Sarah Palin-style hack in the process — you can just make up random gibberish (or use diceware to create something even more secure).

That way, anytime you forget your password and are prompted to answer recovery questions, you can log into your password manager and pull up your fictional answers.

Of course, with a password manager you likely won't find yourself in that position in the first place.
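
The approach described above, as an added example that is not part of the original article: this Python script draws each recovery answer from a word list using a cryptographically secure random generator and builds the text to paste into a password manager's secure note. The 32-word list, the function names, the site name and the sample questions are constructed for illustration; swap in a full 7,776-word diceware list for real use.

```python
import math
import secrets

# Constructed stand-in list: 32 words = 5 bits per word. For real use, load a
# full diceware list (7,776 words, about 12.9 bits per word) instead.
WORDS = (
    "amber anvil basil cedar comet delta ember fjord "
    "gecko heron ivory jumbo kayak lemon maple nylon "
    "otter pixel quartz raven sable tulip umbra vivid "
    "walnut xenon yodel zebra acorn birch cobalt dune"
).split()


def fake_answer(words=WORDS, count=6):
    """Join `count` words chosen uniformly at random by the OS CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(count))


def entropy_bits(wordlist_size, count):
    """Bits of entropy in an answer of `count` independently chosen words."""
    return count * math.log2(wordlist_size)


def make_answers(questions, words=WORDS, count=6):
    """Map every recovery question to its own unrelated random answer."""
    return {q: fake_answer(words, count) for q in questions}


def recovery_note(site, answers):
    """Format the answers as text to paste into a password-manager secure note."""
    lines = [f"Recovery answers for {site}"]
    lines += [f"  Q: {q}\n  A: {a}" for q, a in answers.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample questions and site name.
    questions = [
        "What was the name of your first pet?",
        "What is your favorite movie?",
    ]
    print(recovery_note("example.com", make_answers(questions)))
    print(f"{entropy_bits(len(WORDS), 6):.0f} bits per answer with this list; "
          f"{entropy_bits(7776, 6):.1f} bits with a full diceware list")
```

Because the answers have no connection to the questions or to your life, nothing a search engine turns up about you helps someone guess them.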
