Stop using security questions!

Quick, what was your favorite movie back in 2010? What’s that, you don’t remember? Hmm, well maybe that’s not a good way for you to log into your bank account after all. Especially since you probably raved about it on Facebook a decade ago and now anyone with an internet connection can try hacking into your account with that not-so-secret knowledge.

Yep, it’s true: despite the name, security questions are NOT secure. They’re anything but. People at least try to keep their passwords a secret, but nobody tries to hide the name of their pet or the mascot of their high school or the model of car that their aunt’s cousin’s sister’s cat drives. In fact, people willingly share info like this all the time with the world via social media, and much of the rest is available from public records. If it only takes an attacker a few minutes of Googling in order to reset your account password, that’s a “security” level roughly on par with a bank vault made of cardboard. It doesn’t matter how strong the front door is if thieves can just go in the back door.

But what is one to do? So many sites these days require you to set security answers. What’s the alternative?

The solution is simple: just enter another password!

But how am I supposed to remember the answers then?

You don’t! You can just enter both the security questions and their associated answers into any decent password manager—you should REALLY be using one anyway.

And in fact, any decent password manager will even generate those “passwords” for you, in order to make sure that they’re truly random (and it’s convenient, too!). This way, your strong password cannot simply be bypassed by answering a security question, since the security answers are just as hard to guess as the password is!

The main caveat here is that many companies like to ask the security questions if you call them over the phone, and trying to tell them that your dog’s name is Zz%u2XujscZrzN$xYa0lvY (“ZZ” for short!) is slow and painful. Not only that, but the representative may see a bunch of random characters, think that their system isn’t working, and fall back to some less secure method. Or even worse, they might simply accept “it’s just a bunch of random letters” as a valid answer!

So consider using a password generator like Correct Horse Battery Staple here. Or if the question asks for a person’s name, you could try using something like the Behind the Name Random Name Generator. Now the name of your high school can be Antonia Raquel Justine-Preston High! If your password manager doesn’t generate what you want, you can always just use a separate password generator and paste that into the password manager.

So why not just always use correct-horse-battery-staple-style passwords? For one, not all password managers generate them, and having to use a separate password generator is a pain. Plus, many websites still impose arbitrary limits on password length (e.g. a maximum of 16 characters), and word-based passphrases have to be much longer than random character strings to reach the same strength: 16 random printable characters are worth about 105 bits of entropy, while a four-word passphrase drawn from a 7,776-word list is only about 52 bits (roughly 13 bits per word), so matching those 105 bits takes nine words, well past many sites' limits.
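As an added illustration of the last two paragraphs (this is example code written for this page, not the author's tooling or any of the generators named above), the script below generates the three kinds of answer discussed, a random character string, a correct-horse-battery-staple passphrase and a pronounceable fake name, and computes how many passphrase words it takes to match a site's maximum-length random password. The word list is a constructed 16-entry stand-in for a real Diceware/EFF list (7,776 words), the name generator is an assumed consonant-vowel syllable scheme rather than Behind the Name, and the 94-symbol alphabet is printable ASCII minus space.

```python
import math
import secrets
import string

# Constructed stand-in for a Diceware/EFF-style word list (the real lists have
# 7776 entries); it only needs to exist so the example runs offline.
WORDLIST = [
    "correct", "horse", "battery", "staple", "anvil", "river", "candle", "planet",
    "orchid", "marble", "tunnel", "basket", "falcon", "meadow", "copper", "winter",
]
DICEWARE_SIZE = 7776                                                    # real list size
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
CONSONANTS = "bcdfghjklmnprstvwz"   # assumed syllable scheme, not Behind the Name
VOWELS = "aeiou"


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Fewest words from a `list_size` list that give at least `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def random_password(length: int = 16, rng=None) -> str:
    """Random-character answer: most bits per character, worst to read aloud."""
    rng = rng if rng is not None else secrets.SystemRandom()
    return "".join(rng.choice(PRINTABLE) for _ in range(length))


def random_passphrase(words: int = 4, wordlist=WORDLIST, rng=None, sep: str = "-") -> str:
    """correct-horse-battery-staple style answer: fewer bits per character, easy to say."""
    rng = rng if rng is not None else secrets.SystemRandom()
    return sep.join(rng.choice(wordlist) for _ in range(words))


def random_name(syllables: int = 3, rng=None) -> str:
    """Pronounceable fake name (consonant+vowel syllables) for name-type questions.
    Roughly 6.5 bits per syllable, so use several syllables or two names: the
    goal is an answer nobody can look up, not a high-entropy secret."""
    rng = rng if rng is not None else secrets.SystemRandom()
    raw = "".join(rng.choice(CONSONANTS) + rng.choice(VOWELS) for _ in range(syllables))
    return raw.capitalize()


def compare(max_len: int, list_size: int = DICEWARE_SIZE, words: int = 4) -> dict:
    """Strength of the longest random password a site allows versus a
    `words`-word passphrase, and how many words it takes to match the password."""
    password_bits = entropy_bits(len(PRINTABLE), max_len)
    passphrase_bits = entropy_bits(list_size, words)
    return {
        "password_bits": round(password_bits, 1),
        "passphrase_bits": round(passphrase_bits, 1),
        "words_to_match": words_needed(list_size, password_bits),
    }


if __name__ == "__main__":
    print("random chars :", random_password())
    print("passphrase   :", random_passphrase())
    print("fake name    :", random_name(), random_name())
    for max_len in (8, 16, 64):
        print(f"max {max_len:2d} chars:", compare(max_len))
```

The numbers are the point: with a 16-character cap a random string beats a four-word passphrase by about 50 bits, and you would need nine words (often 50+ characters) to close the gap, which is why the passphrase style is best reserved for the answers you may have to read to a support representative.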

Conclusion

Hopefully, this article has helped open your eyes to how truly terrible security questions are. Even more hopefully, the powers that be will someday find better ways to provide backup access to our accounts. But until then, the best we can do is work within the system we have—just in a smarter way than everyone else.
