Why can't I make up my own security questions (and answers, of course)?

Your problem is you’re overthinking the answers. Answer them as if you were in a conversation with someone who wasn’t going to be checking up and looking for a detailed answer. I have never been in a conversation with someone who answered anything like “New York” when asked where they met their spouse. They answer “in high school”, “in college”, “at work”, “on vacation”, “at a bar” or something like that. First car: same thing. It doesn’t matter if it was in your name or if you paid for it, it’s whichever one you think of as your first car. (My answer to the first car question is neither the first one I drove (the driving school owned it) nor the first one I owned (I only had it about a month). It’s the second one I owned, and it’s brown even though it had one green door.) If you were talking to a grade-school classmate, and the subject of your second grade teacher came up, how would you answer? It doesn’t matter if it’s McGillicuddy, Miss McGillicuddy, Alice McGillicuddy or Miss Alice McGillicuddy; whichever way you think of her is the way you think of her and that’s how you should answer the security question, because that’s what you will remember.

Although I must say, I’ve been to a number of sites that let me choose three security questions from a list of about twenty, which solves the part of the problem regarding “what color was your first car” when you have never had one.

Which is why I have a plug-in for my browser called “Don’t fuck with paste”.

Most security experts are going to recommend writing them down in a secure password manager. Even if you’re going to use a notebook, that is still far more secure than reusing the same password on multiple sites.

This is what I wrote previously about security questions.

Not really. That’s just how I think. It may not be the way your mind works, but my mind never knows if I thought “Miss Hopplefesser” three years ago, or “Hopplefesser” or “Doris Hopplefesser.” I’ve taken a stab and that stab is wrong more often than it’s right. In fact just the other day I inputted “What’s your wedding anniversary?” and not four days later I tried to answer what I’d written (8/11/2014) and didn’t remember that I’d used hyphens between the numbers, not virgules. You get a certain number of guesses and then the website shuts down. As to your point about meeting my spouse, the question, in that case, was “What city did you meet your spouse in?” You don’t think I’m going to respond with a city name three or four years later? I am.

Well obviously, as any Fule kno, the name you give your first pet should be at least 8 characters long, and should include numbers and upper and lower case letters.

Not only is it weak – the whole point of a ‘security question’ is that the provider can see the answers! After moving to a password system where the provider can ‘never see your password’, and the network admin can never impersonate you, they’ve subverted the whole system.

And … Windows 10 has natively implemented this half-assed system. When you add a local account, it requires answers to a set selected from predetermined ‘security questions’. God only knows why, or WTF they are thinking.

I tried to get back into a digital game account well over a decade after I last used it (and yes, the game is still active, and has plenty of players), and I was able to write my own security question. I completely forgot what the answer to it was because it wasn’t asking something that I’d know from life experience years from now, but something very specific to the time period that I wrote the question. I contacted customer service and the first thing they asked was the same question despite my email to customer service saying that I’d forgotten the answer. I tried to say a random memorable thing I did in the game that would have happened to practically no one else, though I doubt they kept the logs to prove it, so it was kind of a stretch to try to use that as a wedge. I just forgot about trying to get the account back because I simply didn’t care enough and had moved on to something else by the time I got a response from customer service.

Maybe your brain works that way. Mine will not reliably settle on the same version from one time to another. I mentioned above, I got locked out of a system yesterday despite “knowing” the answers to my questions because I didn’t remember whether I’d said McGillicuddy or Miss McGillicuddy or Ms McGillicuddy. Times three questions.

And then we have United Airlines, who not only dictates the “security” questions, but makes you pick from a set list of answers! Morons.

When I get to generate my own questions, I have no difficulty whatsoever in coming up with questions that NOBODY else could answer but where I would unfailingly reply the same way each time.

  1. You invented a character for a book you were thinking of writing back in junior high. His first name was Jhatl. What was his last name?

  2. Where did it turn out that mama put the dish soap that time?

  3. Smudge’s favorite food?

  4. The very first time you sat down at a Mac, you had to title a document. You called it “Introduction to ______”. What goes in the blank?

  5. What did Daddy lose in the campfire while showing off that time when we all laughed at him?

  6. What word was Mama about to pin on the 1st grade bulletin board, misspelled? Spell it the way she spelled it that time.

  7. Me and Lynn used to sing our own invented jingle when the road was bumpy. Write the second line of the jingle starting with “There”.

Oh no. We have nothing whatsoever to do with that bunch of fakes. My sainted mother is a direct descendant of the Mayan Melancholy hyphen Names.

I mentioned my technique but didn’t explain it.
I have a “root word”. It’s one of those that would look like gibberish to others but easy for me to remember.
For example oaddhcwimh. This is the first letter of each word in “on a dark desert highway, cool wind in my hair” (if anybody doesn’t know, those are the first lines of Hotel California).
Then add a code for the website. Google Mail might be GoaddhMcwimh. The G and M are Google Mail.
The answer to my first crush would be: GoaddhMcwimhcrush
My favorite teacher for Straightdope would be: SoaddhDcwimhteacher

Yeah, I hate those ‘opinion’ questions and always choose the factual, non-changing questions instead, like “what elementary school did you attend?” or the classic “What is your mother’s maiden name”, despite the fact that they are potentially less secure because that info is more easily obtainable.

I just signed up on UA a few months ago, and was flabbergasted by that “innovation” in the shitty-security-questions approach.

The solution to all these woes is to use a password safe and to just treat the additional security questions as additional passwords.

I choose questions that aren’t even applicable to me, then I put the question and the answer into my password safe.

Of course, even this approach fails to keep things secure. One time I had to reset something, and I had lost my password safe entry for that site. I eventually called in to talk to someone and said, no, I don’t know the password, and no, I don’t know the security question answers. The person on the phone proceeded to give me clues until I could guess my “brother’s name” (I don’t have a brother). So all the security is useless because someone can call in and socially engineer the answer.
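As an added illustration, not code from anyone in this thread, the script below implements the “root word” derivation described a few posts up exactly as that post states it (site code letters in front of each half of the root, then a keyword for the question), next to what this post recommends instead: an unrelated random answer per site and question, kept in the password safe. It also shows what a single exposed answer gives away under the derivation scheme. The function names, the two-letter site codes and the 16-character length are assumptions made for the example.

```python
import math
import secrets
import string


def derive_answer(root: str, site: str, topic: str) -> str:
    """Deterministic derivation as described in the post: split the root
    word in half, put one letter of the two-letter site code in front of
    each half, then append a keyword for the question being answered.
    """
    if len(site) != 2:
        raise ValueError("site code must be two characters (e.g. 'GM')")
    half = len(root) // 2
    return f"{site[0]}{root[:half]}{site[1]}{root[half:]}{topic}"


def recover_root(leaked_answer: str, site: str, topic: str) -> str:
    """What one exposed answer reveals. The provider stores these answers in
    the clear, so a breach (or a curious operator) hands out the answer; the
    site code and the question keyword are guessable from context, and
    stripping them leaves the root, from which every other site's answer
    can then be derived.
    """
    body = leaked_answer[: len(leaked_answer) - len(topic)]
    half = (len(body) - 2) // 2
    if body[0] != site[0] or body[half + 1] != site[1]:
        raise ValueError("answer does not follow the expected pattern")
    return body[1 : half + 1] + body[half + 2 :]


# Vault approach: the answer is just another secret, so make it random.
ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def random_answer(length: int = 16) -> str:
    """An unrelated random string per site and question, generated with the
    OS CSPRNG and stored next to the login in the password manager."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing cost of a random answer: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    root = "oaddhcwimh"  # the root word from the post above
    gmail = derive_answer(root, "GM", "crush")
    print("derived for Google Mail:", gmail)
    # One leaked answer is enough to forge the Straight Dope one:
    print("forged for Straight Dope:",
          derive_answer(recover_root(gmail, "GM", "crush"), "SD", "teacher"))
    print("random vault answer:", random_answer(),
          f"({entropy_bits(16):.1f} bits)")
```

The derivation reproduces the two answers given in that post, and `recover_root` shows the weakness a practitioner would flag: because the root is shared across sites and the answers are stored readable by each provider, the scheme is only as strong as the least careful site. A random 16-character answer from the 62-symbol alphabet carries about 95 bits, and leaking one tells an attacker nothing about the others.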

I don’t remember the website, but if I encounter it again I’ll name it in this thread, but there was one that let me use my own question. I borrowed a Rory Gallagher lyric and used the question: “What rides on Eastern time?” I’ll know the answer till the day I die!

I deal with these things in an old fashioned Luddite way.

I either choose security questions (or make up my own if the site lets me), and use real answers that I can remember, but ones that I’m fairly confident nobody but me might know. (Like who was your favorite teacher?) Or sometimes I’ll choose an arbitrary question and give an arbitrary answer.

BUT: Here’s my Luddite solution: I keep a file of my user-names, passwords, questions, and answers the good old-fashioned way: Written on paper, kept in a manila folder in my apartment. The only way that can be compromised is if someone physically breaks into my apartment, and furthermore finds that folder. True, it could happen, but I takes my chances with that. (And I probably shouldn’t even have written this post here, but I takes my chances.)

And yes, as noted above, I’ve seen that some web sites no longer use security questions – including sites that formerly did, and no longer allow me to use them to log in or reset passwords if I need to. That can make things complicated.

I’ve seen a handful of sites that let me make up my own questions. It’s actually mildly annoying to try to have to think of something on the fly, but I agree it’s a lot more secure than the canned mother’s maiden name etc. stuff which is not remotely secure.

I just spent several months doing phone support for a system where the callers HAD to provide their mother’s maiden name, along with spelling. I tended to not enforce the spelling bit too much, simply because there were so many variations (including issues where the bloody field was too short). Plus, I’m a human and can use my judgement (kudos to one call I placed, elsewhere, where they asked for a PIN and I said something like “uh… it might be 1234? or 1133? or 4466?” until I got the right one).

So if your mother’s name was Jane Smith and she married Mr. Jones, we would get “Jane”, “Smith”, “JaneSmith”, “Jane Smith”. I’m human. But the caller sometimes had to log onto a webpage, and they had a lot of trouble remembering which variant they used.

To add to the fun, if their account had been compromised, one of the things we had to do was manually change the MMN (after asking other verifying questions). So they’d have to either change to another variant (was Jane, is now JaneSmith), or sometimes something completely different… then be able to remember what the hell they had put.

I had one fellow who had me put his own last name, reversed - e.g. SENOJ.

I’ve heard the recommendation to put fake answers in but yeah, how do you remember what fake answer? “Lessee… Bank of America thinks Mom was a Throatwarbler-Mangrove and Chase thinks Mom was Luxury-Yacht”.

We use a password vault, where we can note such fake answers as needed; that’s one option.
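An added example, not code from anyone in this thread: how a site’s own verification could accept the spelling variants complained about above (honorific or not, slashes or hyphens in a date, spaces or no spaces in “Jane Smith”) while storing only a per-answer salt and a slow hash, so that neither a support operator nor a database leak exposes the answer, and with the lockout after a fixed number of wrong guesses that an earlier post ran into. The normalization rules, the honorific list, the PBKDF2 iteration count and the attempt limit are choices made for this example, not anything a particular site does.

```python
import hashlib
import hmac
import os
import re

# Honorifics dropped from the front of an answer so that "Miss McGillicuddy",
# "Ms McGillicuddy" and "McGillicuddy" all verify. List assumed for the example.
HONORIFICS = {"miss", "ms", "mrs", "mr", "dr"}
ITERATIONS = 100_000   # PBKDF2 work factor chosen for the example
MAX_ATTEMPTS = 5       # wrong guesses before the question is locked


def normalize(answer: str) -> str:
    """Reduce an answer to the form that is compared: case-folded, with every
    non-alphanumeric character removed, and a leading honorific dropped.
    "8/11/2014" and "8-11-2014" both become "8112014"; "Jane Smith" and
    "JaneSmith" both become "janesmith". A different first name does not
    collapse: "Alice McGillicuddy" stays distinct from "McGillicuddy".
    """
    tokens = re.findall(r"[^\W_]+", answer.casefold())
    if len(tokens) > 1 and tokens[0] in HONORIFICS:
        tokens = tokens[1:]
    return "".join(tokens)


def _digest(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, ITERATIONS
    )


def enroll(answer: str) -> dict:
    """Store only a random salt and the slow hash of the normalized answer.
    The answer itself is never kept, so nobody at the provider can read it."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _digest(answer, salt), "failures": 0}


def verify(record: dict, attempt: str) -> bool:
    """Constant-time comparison against the stored hash; wrong guesses are
    counted and the question refuses every attempt once the limit is hit."""
    if record["failures"] >= MAX_ATTEMPTS:
        return False
    if hmac.compare_digest(_digest(attempt, record["salt"]), record["hash"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False


if __name__ == "__main__":
    # Constructed enrolment and attempts, mirroring the variants in the thread.
    rec = enroll("Miss McGillicuddy")
    for guess in ("McGillicuddy", "Ms. McGillicuddy", "Alice McGillicuddy"):
        print(f"{guess!r:>22} -> {verify(rec, guess)}")
    anniversary = enroll("8/11/2014")
    print("8-11-2014 accepted:", verify(anniversary, "8-11-2014"))
```

Normalizing before hashing is what lets the comparison be lenient without the provider keeping the plaintext; the trade-off is that every rule which merges variants also shrinks the answer space slightly, which matters little here because these answers are low-entropy to begin with. The attempt counter is the other half of the defence: with answers this guessable, an unlimited number of tries is the real hole.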

I will make up fake answers to these questions, then make a note of the answers in my password file. As I don’t have a smart phone, all my online activity is at my home computer, where I only have to remember the one password to get into my password file.

Fake answers are good in that they can’t be guessed by someone familiar with your life (or hoovering up online quiz answers). Of course, if you need to access sites on the go this won’t work as well.

A lot of sites I connect to, especially financial related such as getting to my bank account or changing billing information for utilities and such, now use two-factor authentication, which works OK (except when I am doing stuff late at night and don’t want the phone to wake my wife). The one exception was a business I used to order from online, who implemented two-factor authentication requiring you to enter the code they had texted to your smartphone. Did I mention I don’t have a smartphone? All the other places so far have allowed an option of voice or text and will send it to my landline.

It’s also a problem for people who travel. You’re in China and your bank asks you to verify that some transaction in China is a valid transaction? And to do that you have verify your identity using your phone, on the number that doesn’t work in China.

Fa.

You don’t need a smartphone to receive text messages. Pretty much any cell phone made in the past 20 years will have that capability. Even if you don’t have a text plan you should be able to receive them, unless you explicitly asked your cell provider to block texts, although they might charge you something like 20 cents per text.