It’s the year 2025 and, despite all our password managers and passkeys, online account theft is still common. One way I protect myself from those attacks is with the time-honored tradition of telling fibs.
What Are Security Questions?
Security questions are a form of MFA (Multi-Factor Authentication), where, after entering a password, you’re expected to also answer a question that “only you would know.” They’re facts like the name of your first pet or the town where you were born. They’re one of the oldest forms of MFA on the internet thanks to their simplicity.
Despite their age, and despite better MFA methods having entered the mainstream, security questions are still common on the internet. In fact, I had to make an important account just last week that required creating three different security questions. For my own security, I didn’t answer them truthfully.

Why Security Questions Are Insecure
While they’re a simple method of MFA, security questions are just too simple. They rely too much on a false premise: that these questions are ones only I could answer. Lots of people know my grandmother’s birth name, for example. It’s in court records, ancestry documents, published obituaries, and who knows where else.
I’ve noticed that many security questions sort of assume that you didn’t grow up with the internet. If you had the internet when you were young, blogs and social media in particular, there’s a good chance posts about your first pet are still floating around out there. In fact, I know exactly where you could look on the internet to answer questions like that about myself.
You can call this open source intelligence, often shortened to OSINT. If you know much about OSINT, then you know how easy it is to find intimate knowledge of someone on the internet using simple tools.

Aside from scouring the internet, breaking security questions is as easy as just having a conversation with me or someone close to me. It’s called social engineering. For example, someone could impersonate an authority figure, like a tax agent, and ask me to “confirm my identity” by answering a question like my grandmother’s birth name. To avoid compromising your security questions, you have to be constantly on your guard against those kinds of sneaky attacks.
We can go even further, though. Let’s assume that you and everyone who knows you are wise to social engineering. You still have to face the fact that people who know you can take advantage of what they know. Ask any abuse survivor: just because someone is close to you doesn’t mean they’re a trustworthy person. The assumption that anyone close enough to you to know the answers to your security questions can also be trusted with account access is yet another false premise of security questions.
The Better Option for Security Questions: Lying
With all of that in mind, I’ve stopped answering security questions truthfully. If I’m forced to use a security question to keep my account from being compromised, I answer the question with a made-up and weird response. Where was I born? Narnia. What was my first pet? A reindeer named Bob. These aren’t answers I’m actually using, of course, but you get the idea.
Some people take this a step further and don’t put anything even recognizable as a word in a security question answer. What was your grandmother’s birth name? H41%hg67Vc0s5^jQ, perhaps. This would be like having a secondary strong password, and it makes your security question resilient against dictionary attacks. I’m not convinced that’s totally necessary, though, since the provider of my online accounts will probably lock my account if anyone tries more than a few guesses on a security question.
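Both styles of made-up answer described above can be generated rather than invented by hand. The following is an added example, not something from the original article: the word lists, function names, and sites are constructed for illustration, and the entropy figures assume an attacker who knows the scheme and the lists.

```python
import math
import secrets
import string

# Constructed word lists for illustration; a real list should be far larger.
PLACES = ["Narnia", "Atlantis", "Mordor", "Gotham", "Hogsmeade", "Rivendell", "Oz", "Camelot"]
ANIMALS = ["reindeer", "walrus", "heron", "gecko", "badger", "ocelot", "narwhal", "tapir"]
NAMES = ["Bob", "Mabel", "Otis", "Greta", "Linus", "Hazel", "Edgar", "Pearl"]

ALPHABET = string.ascii_letters + string.digits + "!#$%^&*"

def fictional_answer():
    """Weird-but-memorable style, e.g. 'walrus named Mabel from Oz'."""
    pick = secrets.choice  # CSPRNG-backed, unlike random.choice
    return f"{pick(ANIMALS)} named {pick(NAMES)} from {pick(PLACES)}"

def random_answer(length=16):
    """Password-style answer with no recognizable words."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(style, length=16):
    """Guessing entropy if the attacker knows the scheme and the lists."""
    if style == "fictional":
        return math.log2(len(ANIMALS) * len(NAMES) * len(PLACES))
    return length * math.log2(len(ALPHABET))

def answers_for(questions, style="fictional"):
    """One independent fabricated answer per (site, question) key, never reused."""
    make = fictional_answer if style == "fictional" else random_answer
    out, used = {}, set()
    for key in questions:
        answer = make()
        while answer in used:  # re-draw on the rare collision
            answer = make()
        used.add(answer)
        out[key] = answer
    return out

if __name__ == "__main__":
    qs = [("example.com", "First pet?"), ("example.com", "Birth town?")]
    for style in ("fictional", "random"):
        print(style, f"{entropy_bits(style):.1f} bits")
        for key, answer in answers_for(qs, style).items():
            print("  ", key, "->", answer)
```

With these tiny lists the fictional style carries only 9 bits, so it holds up only where the provider limits guesses, while the 16-character random style is close to 98 bits and does not depend on that.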
Now, you should not do any of this if you don’t completely trust yourself with memorizing your answers. Traditional security questions do have one big benefit: they’re easy to remember. Lying on your security questions takes that benefit away, because now you have to memorize inaccurate facts about yourself.

It might help to write down these answers, maybe in the form of a family tree or a short story that describes a fictional life. If you’re like me, drawing pictures of those fictional people, places, and pets will help too.
Of course, you’ll want to make sure anything you write down is stored somewhere safe. You could store them in your password manager or, for extra security, a separate password manager. The important thing is that you never lose access to your account while still maintaining its security.