Harry R. Schwartz

During sign up, some sites prompt new users to answer a series of security questions.

• “What street did you grow up on?”
• “What was your first pet’s name?”
• “What’s your favorite musical instrument?”

And so on. The putative purpose of these questions is to provide a mechanism for proving your identity to regain control of your account if you forget your password.

But if you answer these questions honestly, boy, that seems like a pretty big security hole! A determined attacker could identify my sixth-grade teacher, and favorite colors aren’t hard to guess. Even if I have a strong primary password, an attacker could use those security questions to route around it.

But the answers to these security questions are themselves just passwords, right? Why not treat them that way?

It’s 2020, and you’re reading a dorky blog for dorks, so you probably already use a password manager¹ to create and save strong, unique passwords. You can just as easily create random passwords to answer these security questions. They’re just text, after all.

I’ve been doing this for years, and it’s worked smoothly so far. The only wrinkle I’ve encountered has been when calling my bank’s customer service department; they always go along with it, but they’re often mildly surprised to learn that my favorite teacher was Mr. ootusa3thax2Pae.