Security questions are evil. I am not even convinced that they are a necessary evil. In my younger days I would answer each security question with some variation of “F*** YOU” and then diligently record each security question and answer in the Excel file I kept for recording my passwords. Now I use a password manager and only have to remember one password in order to access the 583 logins I have stored in there. (Is that a lot? It seems like a lot.) Life is good.
Unfortunately, I have not escaped the security questions. Not only am I still having to answer security questions in 2022 but I sometimes still have to record my answers to them.
I am looking at a website right now and here are some “good” security questions:
- “What year did you graduate from high school?”
- “What was the make and model of your first car?”
- “What school did you go to in the sixth grade?”
Here are some of the poor questions:
- “In what city does your nearest sibling live?”
- “In what city did you meet your spouse/significant other?”
- “In what city do you want to retire?”
- “What is your favorite television show?”
- “As a child, what did you want to do when you grew up?”
Good questions are historical facts and not open to interpretation or change.
The year I graduated from high school is not going to change. My first car is forever going to be my first car (at least until time travel is invented).
My nearest sibling may move. A relationship may end. I may realize my retirement funds won’t be enough to buy a condo in Porto and readjust my preference. I may decide that The Wire is a better show than Deadwood. My kids have a different favored adult profession seemingly by the hour. I imagine I was the same.
All of those poor questions have answers that are subject to change. The good questions, on the other hand, are the same ones many of the sites you interact with use, so a single breach exposes answers that are valid everywhere else you gave them.
I’m not sure there is a good answer to this. I wonder whether combining a password with a personal passphrase would be any better. I could store both of them in my password manager and still only need to remember my one password. Needing to write down two pieces of information for a site might be enough to convince the holdouts to finally pick up the password manager.
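One practical way to live with the questions in the meantime, and the approach the password-manager workflow above already points at, is to treat each answer as a second password: generate it at random, paste it into the site, and store the question/answer pairs in the notes of the password manager entry. That sidesteps both problems the post raises, since a random answer neither changes over time nor matches the real fact every other site holds. The script below is an added example, not code from the post; the questions it fills are the three “good” ones quoted above, and the answer length and alphabet are assumptions (lowercase plus digits, because many sites reject punctuation or compare answers case-insensitively).

```python
import math
import secrets
import string

# Alphabet for generated answers (assumption): lowercase letters and digits only,
# since many sites reject punctuation in security answers and some fold case.
ALPHABET = string.ascii_lowercase + string.digits


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy, in bits, of a uniformly random string of `length` symbols
    drawn from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def generate_answer(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a uniformly random answer built from a CSPRNG (the secrets module),
    never from random.choice, which is not suitable for secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def fill_security_questions(questions, length: int = 20) -> dict:
    """Map each question to a fresh random answer. Each question gets its own
    value so that one leaked answer never unlocks another site or question."""
    return {q: generate_answer(length) for q in questions}


def format_for_notes(answers: dict) -> str:
    """Render the pairs as plain text for a password manager's notes field."""
    return "\n".join(f"{q} => {a}" for q, a in answers.items())


if __name__ == "__main__":
    # The three "good" questions quoted in the post.
    questions = [
        "What year did you graduate from high school?",
        "What was the make and model of your first car?",
        "What school did you go to in the sixth grade?",
    ]
    answers = fill_security_questions(questions)
    print(format_for_notes(answers))
    print(f"\nEach answer carries about {entropy_bits(20, len(ALPHABET)):.0f} bits of entropy")
```

Twenty symbols from a 36-character alphabet give roughly 103 bits, far beyond any graduation year or car model, and the answers live only in the manager, which is exactly where the post already keeps them.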