Security questions are a strange part of the account log-in/security process. The idea is simple enough: add another factor, usually something only you know, to outfox someone who stole or guessed your password.
Unfortunately, the idea is WAY too simple to work well. It’s a practice that does not add security in a world of online databases and social media. With enough effort, anyone can answer any of the common preset security questions on behalf of almost anyone else. Here’s an example of common security questions.
These questions are intended to be personal and hard to answer, but they’re not. And yet, questions like this appear when opening new accounts with airlines, banks, and many others. It’s a poor form of additional security – like timed password changes – that many companies or their developers have not grown past.
So, when faced with security questions, how should you manage them?
Treat each question as if it read: "Make up another strong password or passphrase." Answer with a silly or wrong answer to the question, or ignore the question altogether and enter something long and unique for maximum security.
When I’m asked for the name of my first grade teacher, I’m likely to answer something like: “Dogbreath Wainwright Clocktower.” My favorite sports team? “Lower Alaska Lawnmowers.” You get the idea. You should never answer security questions with the right answer.
Whatever they ask, answer with a crazy long string of words or characters. Make an entry in your password manager (noting which silly question the answer belongs to) and you're set.
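As an added example (not part of the original post), here is one way to follow the advice above in code: generate a random nonsense answer with a cryptographically secure source, estimate how much guessing it would take, and package the question/answer pair as a record you can paste into a password manager. The word list is a small constructed one for illustration; a real setup would use a large list such as the EFF long word list so each word contributes more entropy. Sites that forbid spaces or cap the answer length are handled by falling back to a random character string.

```python
import math
import secrets
import string

# Constructed sample word list (32 words -> 5 bits of entropy per word).
# A real deployment would use a much larger list; the EFF long list has
# 7776 words, which is about 12.9 bits per word.
SAMPLE_WORDS = [
    "apple", "banana", "cedar", "dolphin", "ember", "falcon", "garnet", "harbor",
    "iris", "jasper", "kettle", "lantern", "marble", "nectar", "orchid", "pebble",
    "quartz", "raven", "saddle", "thistle", "umber", "velvet", "walnut", "yarrow",
    "zephyr", "anchor", "bonfire", "canyon", "drift", "echo", "fable", "glacier",
]

CHAR_ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def entropy_bits(n_symbols, alphabet_size):
    """Bits of entropy for n_symbols chosen uniformly from alphabet_size options."""
    return n_symbols * math.log2(alphabet_size)


def random_words_answer(n_words=4, words=SAMPLE_WORDS, sep=" "):
    """A multi-word nonsense answer, e.g. 'kettle zephyr iris drift'."""
    # secrets.choice uses the OS CSPRNG; never use random.choice for this.
    return sep.join(secrets.choice(words) for _ in range(n_words))


def random_chars_answer(length=24, alphabet=CHAR_ALPHABET):
    """A random character answer for sites that reject spaces or long input."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def make_answer(question, n_words=4, max_len=None, allow_spaces=True):
    """Build a password-manager record: the site's question, a random answer
    that has nothing to do with the truth, and an entropy estimate.

    Falls back to a character string when the site forbids spaces or when a
    word answer could exceed max_len."""
    longest_word = max(len(w) for w in SAMPLE_WORDS)
    worst_case_word_len = n_words * longest_word + (n_words - 1)  # separators
    word_answer_fits = max_len is None or worst_case_word_len <= max_len

    if allow_spaces and word_answer_fits:
        answer = random_words_answer(n_words)
        bits = entropy_bits(n_words, len(SAMPLE_WORDS))
    else:
        length = max_len if max_len is not None else 24
        answer = random_chars_answer(length)
        bits = entropy_bits(length, len(CHAR_ALPHABET))

    return {
        "question": question,          # so you can tell which prompt this answers
        "answer": answer,              # store this, never the real answer
        "entropy_bits": round(bits, 1),
    }


if __name__ == "__main__":
    # Constructed example prompts; the answers are random on every run.
    for q in ("Name of your first grade teacher?", "Favorite sports team?"):
        print(make_answer(q))
    # A site that caps the field at 16 characters and forbids spaces:
    print(make_answer("Mother's maiden name?", max_len=16, allow_spaces=False))
```

The entropy figure is the thing to watch: four words from a 32-word list is only 20 bits, while four words from a 7776-word list is about 52 bits and 24 random alphanumerics is about 143 bits. Any of these beats a real answer, which an attacker can often recover from public records or social media in a handful of guesses.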
Security questions are from a bygone era, where we all had secrets and lived anonymously. Don’t get fooled into using them the way they’re intended.