Summary
Many online services, especially ones that have been around for a while, will ask you to create password hints when creating an account with them. Password hints are a terrible idea, and you shouldn’t use them. Let’s go over why, and what you’re able to do instead.
What Are Password Hints?
If you were around at the beginning of the web, you’re probably more familiar with password hints than any younger readers. Back then, most of the time when you created an account you also had to prepare some questions in case you needed to reset your password. When you requested a password reset, you would then have to answer these questions before you continue.
The purpose of these password reset questions, also known as security questions or password hints, was to have a backup method to authenticate a user. As a result, they often involved questions that only you would know. Think of stuff like the name of your first pet, your mother’s maiden name, the street you grew up on, all that.
There are also variants where you make your own questions, but the risk here is that you may forget what the answer was. Even worse are password hints that help remind you of the password—this directly encourages using non-random (and therefore insecure) passwords.
Why Password Hints Are a Security Risk
As convenient as they may seem—you don’t just get a password reset on request, you need to prove who you are first—password hints are a terrible idea, and you should never use them. This is because they don’t add a layer of security, but a layer of vulnerability, instead.
The way to create better security is to decrease the attack surface, the set of places where an attacker can try to gain access. Passwords themselves increase your attack surface, but they’re an unavoidable necessity, as without them, you couldn’t get in—even in a passwordless future. Password hints further increase the attack surface because they give attackers another way to find out your passwords.
This is because strong passwords are random passwords. Password hints aren’t random; you can figure out the answers pretty easily. Things like your mother’s maiden name, your pet’s name, or the street you grew up on are all facts that are extremely easy to find out.
Most people’s social media contain information like this, and even if not, a simple feat of social engineering can get this information out of you or somebody you know. After all, while few of us would willingly hand over our passwords, we would likely share our childhood address if asked something like “hey, I’m from that neighborhood, too! I grew up on Madison Street, how about you?” Answer it truthfully, as almost anyone would, and you have given somebody access to your password reset function.
The only answer to avoiding this issue is to simply not use password hints or password reset questions. Sadly, some companies—looking at you, Microsoft—seemingly don’t care about the huge risk they pose and demand that you use them. All you’re able to do in this case is add a gibberish answer (you could even save it somewhere safe, if you wanted to be extra secure).
That leaves you with the question of how you’re able to secure your accounts. After all, without hints you probably won’t be able to reset your password. Password managers solve this issue: these handy programs generate, store, and autofill your passwords for you. Using them means you likely won’t ever need to reset your passwords, and thus giving gibberish answers won’t harm you.
Password managers are a great tool beyond making password hints obsolete. They do all the heavy lifting on password hygiene, meaning other password-based attacks are much less likely to be successful, too.
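To put numbers on the argument above (a known fact is worth only as many guesses as the pool it comes from, while a random gibberish answer is worth as many guesses as its length and alphabet allow), here is an added example that is not from the original article. It assumes a small constructed pool of common answers and a 60-bit acceptance policy, both chosen for illustration.

```python
import math
import secrets
import string

# Constructed sample pools of answers an attacker can recover from a social
# media profile or a short chat; a real deployment would use far larger lists.
COMMON_ANSWERS = {
    "mother's maiden name": {"smith", "johnson", "williams", "brown", "jones"},
    "first pet's name": {"max", "bella", "charlie", "lucy", "buddy"},
    "street you grew up on": {"main", "madison", "park", "oak", "maple"},
}

ANSWER_ALPHABET = string.ascii_letters + string.digits


def answer_bits(question: str, answer: str) -> float:
    """Estimate the guessing work (in bits) that an answer forces on an attacker.

    An answer found in the known pool for its question is worth only
    log2(pool size) bits however long it is. Other answers are rated by the
    character classes they use, which is an upper bound: a real surname that
    merely missed our small sample list is still far weaker than this says.
    """
    pool = COMMON_ANSWERS.get(question, set())
    if answer.strip().lower() in pool:
        return math.log2(len(pool))
    alphabet = 0
    if any(c.islower() for c in answer):
        alphabet += 26
    if any(c.isupper() for c in answer):
        alphabet += 26
    if any(c.isdigit() for c in answer):
        alphabet += 10
    if any(not c.isalnum() for c in answer):
        alphabet += 33  # printable ASCII punctuation
    return len(answer) * math.log2(alphabet) if alphabet else 0.0


def random_security_answer(length: int = 24) -> str:
    """Gibberish answer from the OS CSPRNG, meant to be stored in a password manager."""
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


def is_acceptable(question: str, answer: str, min_bits: float = 60.0) -> bool:
    """Policy check a service could apply instead of accepting any non-empty answer."""
    return answer_bits(question, answer) >= min_bits


if __name__ == "__main__":
    q = "first pet's name"
    for a in ("Max", "Bella", random_security_answer()):
        print(f"{a!r}: {answer_bits(q, a):.1f} bits, acceptable={is_acceptable(q, a)}")
```

A pool answer like "Max" rates about 2.3 bits against this five-entry sample, while a 24-character random answer rates well over 100; the gap only widens with a realistic pool size.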