Security ProTip: Fake Security Question Responses

There are a lot of web sites (banks come to mind) that force you to add a series of security questions to your account, and you often don’t get to pick the security questions.

This is a terrible security practice.

Security questions are usually as powerful as a password (they can reset it or get you past it), yet they ask about facts of your own life that you can never change and that other people can plausibly learn. Even worse, you don’t know whether a web site is storing these responses at rest in plain text. If it is and you gave the web site your real high school nickname, then you’re one data breach away from having the world know that people in high school called you “Harps.”

But no one says you have to tell the truth when providing answers to these security questions. Instead, use your password manager to generate fake security question responses and put those in as passwords:

[Screenshot: entering fake security responses into 1Password]

I have 1Password generate memorable passwords: several words with spaces between them. I also store them in 1Password as passwords (rather than as text) so that they are masked by default and I can click one to copy it to my clipboard. It’s also easy to reveal them in case I’m calling customer service and need to recite them over the phone.
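As an added example (not part of the original post, and not 1Password's own code), here is roughly what a password manager does when it generates a memorable multi-word answer, plus the entropy arithmetic that shows why a random answer is so much stronger than a true one. The wordlist is a small constructed sample; a real generator uses thousands of words.

```python
"""Generate fake security-question answers the way a password manager does."""
import math
import secrets

# Constructed 64-word sample list (6 bits per word). Real tools use lists of
# thousands of words; the EFF long list, for instance, has 7776 entries.
WORDLIST = (
    "acorn anchor apple arrow badge banjo basket beacon bridge button "
    "cabin candle canyon carpet castle cedar cherry cloud comet copper "
    "crystal dahlia desert dragon eagle ember fabric falcon feather forest "
    "garden glacier granite harbor harvest hazel helmet honey island ivory "
    "jasper jungle kettle lantern lemon lighthouse magnet maple marble meadow "
    "mirror nectar oak orbit orchard pebble pepper pillow planet quartz "
    "rabbit ribbon river saddle"
).split()


def generate_answer(num_words=4, wordlist=WORDLIST, separator=" "):
    """Pick num_words words uniformly and independently with the CSPRNG-backed
    secrets module; words may repeat, which keeps the entropy math exact."""
    if num_words < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(wordlist) for _ in range(num_words))


def answer_entropy_bits(num_words, wordlist_size):
    """Entropy of a uniformly chosen answer: num_words * log2(wordlist_size)."""
    return num_words * math.log2(wordlist_size)


def words_needed(target_bits, wordlist_size):
    """Smallest number of words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def guessable_answer_bits(candidate_pool_size):
    """Entropy of a true answer drawn from a pool an attacker could enumerate
    (e.g. a few hundred common pet names or high-school nicknames)."""
    return math.log2(candidate_pool_size)


if __name__ == "__main__":
    print("fake answer:", generate_answer())
    print("4 words from the EFF long list:",
          round(answer_entropy_bits(4, 7776), 1), "bits")
    print("words needed for 64 bits:", words_needed(64, 7776))
    print("a 'true' answer from 500 candidates:",
          round(guessable_answer_bits(500), 1), "bits")
```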