Security questions are the leftover authentication method that nobody likes but most institutions still use. Mother’s maiden name. First pet. Street you grew up on. The premise is that only you would know the answers. That premise was already shaky in 1995 and has been demolished by the rise of social media, public records databases, and routine data breaches. Security questions are one of the weakest links in the authentication chain, and treating them as an afterthought is exactly how accounts get compromised.
The answer space is small and predictable
Most security questions draw answers from a limited set of common possibilities. First-pet answers cluster heavily around a handful of popular pet names. Childhood street names in the US skew toward a small set of common ones. High school mascots are publicly searchable in seconds. Researchers studying security question entropy have shown that an attacker with basic demographic information can guess correct answers at rates far above what any credential should allow. The questions that feel personal are usually the most predictable in aggregate.
Public information has eaten the privacy assumption
The original idea behind security questions assumed an attacker wouldn’t have access to your biographical details. Today, mother’s maiden name appears in genealogy sites, marriage records, and family social media posts. Your first car is in old Facebook photos. Your high school is on LinkedIn. Your hometown is in your bio. The information that security questions test is exactly the information people post publicly. Sophisticated attackers don’t even need to guess; they can research.
Breach data has poisoned the answer pool
Major breaches have leaked security question answers from millions of accounts at services that stored them in plain text or weakly hashed form. Once your answer to “first pet” is in a breach corpus, it’s permanently compromised across every service that uses the same question. Unlike passwords, which security-conscious users rotate, security question answers tend to stay constant for life. A leaked answer from a 2014 breach is still your answer in 2026 unless you’ve deliberately changed it, which most services don’t even support.
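As an added example (not code from the original post), here is how a service can store answers so that a leaked table is not instantly readable: normalise the answer, then hash it with a per-record salt and a slow key-derivation function, exactly as passwords should be stored. The iteration count and record format are assumptions for illustration. This only raises the cost of offline cracking of a leaked database; it does nothing for the small answer space described above, so online guessing still needs rate limiting and lockout on the recovery flow.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Work factor is an illustrative assumption; raise it as far as your
# latency budget allows. Record format (assumed): algo$iters$salt$digest.
ITERATIONS = 600_000
SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Canonicalise so that 'Fluffy ', 'FLUFFY' and 'fluffy' all match,
    without the original text ever being stored."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> str:
    """Hash a security-question answer with a fresh per-record salt."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_answer(answer: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    Callers must still rate-limit attempts; a slow hash does not fix a
    small answer space."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer).encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iters),
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_answer("Fluffy")
    print(record)
    print(verify_answer("  fluffy ", record))  # True
    print(verify_answer("Rex", record))        # False
```

Two records for the same answer differ because each gets its own salt, so a breach corpus cannot be joined across services by hash value alone.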
The fix is to lie consistently
The practical defense is to treat security questions as additional passwords, not as biographical trivia. Generate a random string, store it in a password manager, and submit that string as the answer to every security question. Your first pet’s name is now “qX7!mZ4pLk2$rVn8” and your mother’s maiden name is something similar. This kills the public-information problem because no one can research a random string. Most password managers have a notes field or custom field exactly for this purpose. It feels absurd the first time you do it; it’s standard practice in security-aware households.
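An added example, not code from the original post, that puts numbers on two points above: a constructed (not real) distribution of “first pet” answers is scored for entropy and for how many accounts the three most common answers alone would unlock, then high-entropy replacement answers are generated with the secrets module for pasting into a password manager’s custom fields. The alphabets and length are assumptions; some forms reject punctuation, so the generator takes the alphabet as a parameter.

```python
import math
import secrets
import string
from collections import Counter

# Constructed toy distribution of "first pet" answers (NOT survey data):
# a few very common names plus a long tail of unique ones.
SAMPLE_PET_ANSWERS = (
    ["max"] * 30 + ["bella"] * 25 + ["charlie"] * 20 + ["lucy"] * 15
    + ["buddy"] * 10 + ["daisy"] * 8 + ["rocky"] * 7 + ["molly"] * 5
    + [f"unique-{i}" for i in range(30)]
)

# Assumed alphabets; some forms reject punctuation, so offer a plain one too.
FULL_ALPHABET = string.ascii_letters + string.digits + "!$%&*+-=?@^_"
ALNUM_ALPHABET = string.ascii_letters + string.digits


def shannon_entropy_bits(answers):
    """Average unpredictability of a real-answer pool, in bits."""
    counts = Counter(answers)
    n = len(answers)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def top_k_success_rate(answers, k):
    """Share of accounts opened by trying only the k most common answers."""
    counts = Counter(answers)
    return sum(c for _, c in counts.most_common(k)) / len(answers)


def random_answer(length=20, alphabet=FULL_ALPHABET):
    """A password-manager-grade replacement answer."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_answer_entropy_bits(length=20, alphabet=FULL_ALPHABET):
    """Entropy of a uniformly random string of this length and alphabet."""
    return length * math.log2(len(alphabet))


def fill_security_questions(questions, length=20, alphabet=FULL_ALPHABET):
    """Map each prompt to a fresh random answer, ready to paste into the
    password manager's custom fields alongside the site's entry."""
    return {q: random_answer(length, alphabet) for q in questions}


if __name__ == "__main__":
    print(f"real answers: {shannon_entropy_bits(SAMPLE_PET_ANSWERS):.1f} bits")
    print(f"top-3 guesses open {top_k_success_rate(SAMPLE_PET_ANSWERS, 3):.0%} of accounts")
    print(f"random answer: {random_answer_entropy_bits():.0f} bits")
    prompts = ["First pet?", "Mother's maiden name?", "Street you grew up on?"]
    for q, a in fill_security_questions(prompts).items():
        print(f"{q:28} {a}")
```

On the toy pool the real answers carry under four bits of entropy and three guesses cover half the accounts, while a 20-character random answer carries over 120 bits; that gap is the whole argument for treating the field as another password.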
The takeaway
Security questions were a mediocre idea when they were introduced and a clearly bad idea now. The threat model that justified them no longer matches reality. Don’t answer them honestly: answer them with random strings stored in your password manager, and treat every prompt to set up new ones as another password to generate, not a memory test.