Mildly Infuriating

For security questions I usually put a random long 10 word passphrase. LPT for you guys

Yeah, don't answer truthfully. My favorite food has been a waterslide for ages.

First partner is fine. First foreign country isnt terrible. The rest range from pretty bad to "what human thought this was a good security question"

The best insight I remember reading about questions as MFA, is to consider the answer as a password. If you use a password manager, don't feel forced to use actually true answers. The answer doesn't have to be true, you just need to know it. Use a password manager and invent answers which you store. This is so much more secure than relying on the truth.

Edit: others mention the same thing.

Just make the answers diceware passwords and store them in your password manager.

I always called them insecurity questions. Im almost sure its easier for someone or thing with a dossier on me to answer any of them than me.

One method to approach this is to use a simple personal algorithmically to create answers here. As in, you could put any security question in front of someone that uses this method, even those questions never seen, and the personal algorithm would produce an answer only the user would know. Here are a couple algorithms I made up to show an example for this post.

Input security question (the first from OP's list): What was the first stock you ever bought?

• Algorithm number one answer: eight - Algorithm: How many words in the security question?
• Algorithm number two answer: sold - Algorithm: Ignore all words except the verb, in this case "bought". Whatever the verb is, the answer is always the opposite verb.

This way you don't necessarily have to write down your security question answers. Most certainly never write down your personal algorithm. Using this method it is trivially easy for you (and only you) to produce an answer from any security question given to you and equally easy for you to reproduce the answer when you need it in the future.

So-called "security questions" like these are prohibited under various standards (there's a NIST one that I can't remember exactly, and OWASP ASVS) because they've always been really terrible at verifying it's actually you answering them, and not just someone who happens to know the answer. Mother's maiden name being the notorious example.

"What's the first app you installed on your smart phone?"

How many of these accounts can now be compromised by answering X/Twitter/Facebook/Instagram/What'sApp?

Most of these read like ads. Most of the rest read like information found in an advertising profile (the kind of info that ad companies purchase). Only a couple read like actual things people care about.

Doesn't need to be real answers. Can just use combo nonsense like correcthorsebatterystaple or whatever.

But yeah, lots of other people are fucked.

Wrong community. Extremely infuriating.

use a local password manager

you can usually log these questions and your answers in there.

make sure your answer has nothing to do with the content of the question.

Why would you answer the actual question anyway? That just means if someone knows the actual answer, they can get into your account. The question shouldn't matter. It should be treated as a secondary/tertiary/etc password.

These questions make me feel old as hell.

Choose questions, write them down, place the Q's & A's in the notes of your password app. Use paper to smoke them mara-ju-anas.

pick the first three, then always punch in your own version of "none1" "none2" "none3" as the answers. This isn't rocket surgery.

Nokia 5.1 Nothing else would make any sense to use.