"What was the name of your first pet?" "What city were you born in?" "What's your mother's maiden name?"
These security questions are supposed to protect your account if you forget your password. But here's the problem: the answers to these questions are often public information or easy to guess. Anyone who's looked at your Facebook profile or done a quick internet search might know these answers.
Security questions create a backdoor into your account that's often less secure than your front door. Let's explore why they're problematic and what you can do about it.
Why Security Questions Are Fundamentally Flawed
The Information Is Often Public
Think about the typical security questions you've seen:
- "What high school did you attend?" - Listed on LinkedIn and Facebook
- "What's your mother's maiden name?" - Findable through public records and family trees
- "What city were you born in?" - Often mentioned in social media profiles
- "What was your first car?" - You might have posted about it online
- "What's your favorite movie/book/band?" - Probably all over your social media
Someone determined to access your account can often find these answers with minimal research. This is exactly what happened in several high-profile celebrity account breaches - the attackers simply researched the answers to security questions.
The Answers Never Change
Your mother's maiden name will never change. Your birthplace will always be the same. These facts are permanent, which means once someone knows the answer, they can use it to access your account forever.
Compare this to a password, which you can change whenever you want. If you suspect someone knows your password, you change it. But you can't change where you were born.
They're Easier to Guess Than Passwords
There are only so many high schools, pet names, or cities. An attacker doesn't need to guess from billions of password combinations - they might only need to try a few dozen common answers.
Pet names, for example, tend to cluster around popular choices: Max, Buddy, Bella, Charlie. City names are finite. The answer space is much smaller than a strong password's, which makes security questions vulnerable to guessing attacks.
They Bypass Your Strong Password
You might have a fantastic 20-character password with all the right complexity. But if someone can reset your password by answering a security question, all that password strength is meaningless. Security questions create a weak backdoor that undermines your security efforts.
The Sarah Palin Example
In 2008, someone accessed Sarah Palin's email account by simply answering her security questions using information found through internet searches and public records. Her password didn't matter because the security questions provided an easier way in.
The Fictional Answers Approach
The best strategy for dealing with security questions is to treat them like additional passwords: use random, fictional answers that you store in your password manager.
How It Works
Instead of answering truthfully, generate random answers:
- Question: "What city were you born in?"
  Real answer: Chicago
  Your answer: purpleelephant
- Question: "What was your first pet's name?"
  Real answer: Max
  Your answer: X9$mK2pL#vN
- Question: "What's your mother's maiden name?"
  Real answer: Smith
  Your answer: TrebuchetMajestic47
These answers are impossible to guess or research because they're completely made up. They're not based on any real information about you.
Storing Your Fictional Answers
Here's the crucial part: save both the question and your fictional answer in your password manager. Treat them just like you would a password.
Most password managers have a notes field or custom field where you can store this information. When you set up a security question, immediately add it to your password manager entry for that account.
In Your Password Manager
Account: YourBank.com
Username: yourname@email.com
Password: [stored by password manager]
Security Question 1: What city were you born in?
Answer: purpleelephant
Security Question 2: What was your first pet?
Answer: X9$mK2pL#vN
Alternative Strategies
If You Don't Use a Password Manager Yet
If you're not ready to use a password manager, here are some compromise approaches (though not as secure as fictional answers):
The Personal Code Method
Create a personal formula for answering security questions. For example, always add a specific phrase to your real answer:
- Real birthplace: Chicago → Answer: Chicago2024BlueSky
- Real pet name: Max → Answer: Max2024BlueSky
This makes answers harder to guess while still being memorable. Just make sure your personal code isn't obvious or guessable itself, and keep in mind that if one site leaks an answer, the pattern is exposed everywhere you reused it.
The Consistent Fictional Identity Method
Create a complete fictional identity for security questions and use it consistently:
- Fictional birthplace: Always "Atlantis"
- Fictional pet: Always "Shadowfax"
- Fictional school: Always "Hogwarts"
This way you only need to remember one fictional answer per question type. Still, this is less secure than truly random answers stored in a password manager.
When Possible, Avoid Security Questions Entirely
Some services offer alternatives to security questions:
- Backup email addresses: Often more secure than security questions
- SMS or authenticator app codes: Sent to your phone for verification
- Recovery codes: One-time codes you save when setting up your account
- Trusted devices: Services like Apple allow account recovery through your other devices
Whenever you have a choice, use these methods instead of security questions.
Special Considerations
Phone Support May Require "Real" Answers
Some companies use security questions when you call customer support. If you've provided fictional answers, the support agent might be confused when your answer doesn't make sense.
This is actually a feature, not a bug. It prevents social engineering attacks where someone calls pretending to be you. Just pull up your password manager and read them your answer. If they ask "Are you sure your mother's maiden name is X9$mK2pL#vN?" simply say "Yes, that's what I have in my records."
Banking and Financial Accounts
Banks often rely heavily on security questions for phone verification. This is all the more reason to use fictional answers - financial accounts are high-value targets.
Some banks won't let you use obviously random strings. In these cases, use the consistent fictional identity method with memorable but false information.
Legacy Accounts You Can't Update
What about accounts where you set up security questions years ago with truthful answers?
- Check if you can update your security questions in account settings
- If you can, change them to fictional answers and store them in your password manager
- If you can't change them, make a note in your password manager of what you answered originally
- Consider whether you really need this old account - sometimes it's safer to close it
What to Do Going Forward
Your Security Questions Strategy
- Set up a password manager if you haven't already
- For new accounts: Use completely random, fictional answers to security questions
- Store both questions and answers in your password manager
- For existing accounts: Update security questions to fictional answers when possible
- Choose alternative recovery methods when available (backup email, SMS, recovery codes)
Generating Good Fictional Answers
If you want your fictional answers to be truly secure:
- Use your password manager's generator for completely random strings
- Alternatively, use a passphrase of random words: "telescope-mountain-umbrella"
- Make them at least 12 characters long
- Don't use the same fictional answer for multiple questions or accounts
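As an added example that is not part of the original article, the Python script below generates fictional answers of both kinds just described (a random string and a random-word passphrase), checks a candidate answer against the 12-character minimum and the common-pet-name problem from the "Easier to Guess" section, and computes how many bits an attacker would have to guess in each case so the two answer spaces can be compared directly. The pet-name list, word list and symbol alphabet are constructed for the example; the 7776-word figure is the size of a standard diceware-style list and is an assumption here, not something the article states.

```python
import math
import secrets
import string

# Constructed sample data (not from any published survey): the four common pet
# names the article mentions, padded out to "a few dozen" plausible guesses.
COMMON_PET_NAMES = ["Max", "Buddy", "Bella", "Charlie", "Lucy", "Daisy", "Molly",
                    "Rocky", "Bailey", "Coco", "Luna", "Toby", "Jack", "Sadie",
                    "Sophie", "Chloe", "Lola", "Tucker", "Cooper", "Milo",
                    "Oliver", "Zoe", "Maggie", "Duke"]

# Constructed 32-word list for passphrase-style answers. A real list (assumed
# here to be a 7776-word diceware-style list) gives far more bits per word.
WORDS = ["telescope", "mountain", "umbrella", "trebuchet", "majestic", "purple",
         "elephant", "granite", "harbor", "lantern", "meadow", "orbit",
         "pepper", "quartz", "ripple", "saddle", "tundra", "velvet",
         "walnut", "yonder", "zephyr", "anchor", "biscuit", "cactus",
         "dolphin", "ember", "falcon", "glacier", "hammock", "island",
         "jigsaw", "kettle"]

# 52 letters + 10 digits + 13 symbols = 75 possible characters per position.
SYMBOLS = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
DICEWARE_LIST_SIZE = 7776  # assumption: size of a standard diceware list


def random_string_answer(length=16, alphabet=SYMBOLS):
    """Random-string answer (like the article's X9$mK2pL#vN), drawn from the
    OS CSPRNG via `secrets`, never from `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase_answer(words=WORDS, count=3, sep="-"):
    """Passphrase-style answer (like the article's telescope-mountain-umbrella)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def guess_entropy_bits(choices, picks=1):
    """Bits an attacker must guess when `picks` independent values are each
    chosen uniformly from `choices` possibilities."""
    return picks * math.log2(choices)


def is_weak_answer(answer, common=COMMON_PET_NAMES, min_len=12):
    """True if the answer is a common real-world value or below the
    article's 12-character minimum; such answers should be rejected."""
    common_lower = {c.lower() for c in common}
    return answer.strip().lower() in common_lower or len(answer) < min_len


def compare_answer_spaces():
    """How many bits of guessing each answer style forces on an attacker."""
    return {
        "common_pet_name": guess_entropy_bits(len(COMMON_PET_NAMES)),
        "random_16_chars": guess_entropy_bits(len(SYMBOLS), 16),
        "three_words_small_list": guess_entropy_bits(len(WORDS), 3),
        "three_words_diceware_list": guess_entropy_bits(DICEWARE_LIST_SIZE, 3),
    }


def vault_entry(account, username, qa_pairs):
    """The shape of what belongs in the password manager: each question stored
    together with the fictional answer, next to the account's password."""
    return {
        "account": account,
        "username": username,
        "security_questions": [{"question": q, "answer": a} for q, a in qa_pairs],
    }


if __name__ == "__main__":
    pet = "Max"
    print(f"{pet!r} weak? {is_weak_answer(pet)}")
    for style, bits in compare_answer_spaces().items():
        print(f"{style:28s} {bits:6.1f} bits")
    entry = vault_entry("YourBank.com", "yourname@email.com", [
        ("What city were you born in?", passphrase_answer()),
        ("What was your first pet?", random_string_answer()),
    ])
    for q in entry["security_questions"]:
        print(q["question"], "->", q["answer"], "(weak)" if is_weak_answer(q["answer"]) else "(ok)")
```

The comparison is the point: two dozen common pet names are under five bits of guessing, a three-word passphrase from a small list is only fifteen, while a 16-character random string from this alphabet is close to a hundred. That is why the article says to store these answers in a password manager rather than pick something you can remember.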
The Bigger Picture
Security questions represent outdated thinking about account security. They were designed in an era before social media made our lives public and before password managers made it easy to generate and store complex credentials.
The security industry is slowly moving away from security questions. More services now offer better alternatives like two-factor authentication, backup codes, and device-based verification. But until security questions disappear entirely, treat them as what they are: additional passwords that need to be random and securely stored.
Your mother's maiden name isn't a secret - it's public record. Your first pet's name isn't secure - you probably posted about it on Facebook. Don't trust your account security to information that anyone can discover. Use fictional answers, store them securely, and close one of the most common backdoors into your accounts.