The answers to security questions should be treated like passwords. In reality, we're a little too open with them.
Security questions have played an important role as a failsafe for password retrieval. In their heyday in the 2000s, security questions became a form of self-service password reset, of course, to reduce IT help desk costs. But already 15 years ago, security experts questioned their usefulness. Why? Because your mother’s maiden name or your pet’s name are easily retrievable on today’s stalkernet. Hackers need only write simple programs to scrape your social media pages and, in the US, data broker sites (have you checked out our opt-out guide yet?!?) to gather enough plausible information on you. No need to go shopping on the darknet for your social security number, you’ve likely already given up enough to piece together your answers to your security questions.
That sucks, right? Well, take heart. Some sites have caught on; the criminal violation of some female celebrities' photos in 2014’s Celebgate no doubt spurred them on. Banks now have over 150 options of questions to ask, and some sites ask you to make up your own questions.
But are you satisfied with that? Should you be? You know the answer. So, here’s what you can do:
Remember that a security question is just another password. Generate a random password and use that to answer the questions; even used consistently, you’d be safe to say YqGAH7nE was the city where your parents met. (Any other child of divorce find that question triggering?) Ideally, you’d generate these responses in your password manager and save them there, too, in the notes field for that particular website’s entry. You can also use a randomizer if slapping at the keyboard feels too unscientific.
Answer the questions wrong. That's right, we encourage you to lie like a political appointee in America’s current administration. Plus, it can be fun to imagine you met your partner in Ulaanbaatar instead of at college, for example, or that you named your kid what you wanted to name her. You can do that one of two ways: consistently, which is slightly less secure, but makes the answers easier to remember if you don’t want to store them securely or write them down. Or you can make them up randomly each time, and add the wrong answers to your password manager, like in #1.
If a security question is a form of shared secret, make it a secret worth keeping. And maybe, collectively, we can begin to rethink what’s private knowledge, and not simply vestiges of the patriarchal, colonial, capitalist white supremacy we inhabit.