There are tons of good reasons why so-called “security questions” are terrible. As long ago as 2005, Bruce Schneier, for example, wrote about what a stupid idea they are. I’ve resisted setting them as much as I can, but sometimes the dumb site just won’t let you get by without setting them. Ironically, they say the questions make my account MORE secure. But if my password is “8ycAMKin34pNL253” and my high school mascot was a “hornet,” which is easier to guess? If a would-be impersonator wants to hijack my account and doesn’t know my password, they can just stroll over to Facebook and try to figure out the answer from either my own profile or one of my friends' profiles. Figure out which of my friends went to high school with me, and bang, you’ve got it. Figure out that I went to high school in Virginia Beach (by reading my blog, for example) at a time when there were about 12 high schools, and you’ve only got 12 things to try. That’s stupid. The security question, not my very strong password, is the weakest link in taking over my account: a password reset that accepts the question’s answer bypasses the password entirely.
My solution? I use random passwords as the answers to my questions. The name of my first dog? Well, one site thinks it’s 6pnESltf9ygissZ and another site thinks it’s DnlOCacy732r3Ol8hb. Oh, and the best man at my wedding? He’s RitYHNwuhTkyF0c, but we just called him “Rit” for short. 🙂
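To put numbers on the comparison above, here is an added example (not the author’s code and not PasswordWallet’s): it generates random security-question answers from the OS CSPRNG and computes how many bits of guessing work each kind of answer costs an attacker. The alphabet (letters and digits) and the 16-character length are assumptions chosen to match the look of the answers in the post; the 12-candidate guess space is the post’s own “12 high schools” figure.

```python
import math
import secrets
import string

# Assumed alphabet for generated answers (the post does not state one).
ALPHABET = string.ascii_letters + string.digits


def guess_space_bits(candidates: int) -> float:
    """Bits of entropy in an answer an attacker can narrow to `candidates`
    equally likely values, e.g. 12 high schools in a city."""
    return math.log2(candidates)


def random_answer_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Bits of entropy in a uniformly random string of `length` characters."""
    return length * math.log2(len(alphabet))


def expected_guesses(bits: float) -> float:
    """Guesses needed, on average, to hit a uniformly random secret of `bits` bits."""
    return 2 ** bits / 2


def random_answer(length: int = 16, alphabet: str = ALPHABET) -> str:
    """One random 'security answer'. secrets (not random) so it is unpredictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def fill_security_questions(site: str, questions, length: int = 16) -> dict:
    """Independent random answers for one site's questions.

    Called once per site, so the same question ("first dog?") gets a different
    answer everywhere; a breach of one site reveals nothing about another.
    The returned mapping is what you would store in the password manager
    alongside the site's password.
    """
    return {(site, q): random_answer(length) for q in questions}


if __name__ == "__main__":
    weak = guess_space_bits(12)
    strong = random_answer_bits(16)
    print(f"'which high school': {weak:.1f} bits, ~{expected_guesses(weak):.0f} guesses")
    print(f"16 random alphanumerics: {strong:.1f} bits, ~2^{strong - 1:.0f} guesses")
    qs = ["Name of your first dog?", "Best man at your wedding?"]
    for site in ("bank.example", "shop.example"):
        for (s, q), a in fill_security_questions(site, qs).items():
            print(f"{s}: {q} -> {a}")
```

One caveat worth checking on each site: some sites case-fold or strip spaces and punctuation from security answers before comparing them, and some cap the answer length, so confirm what the form accepts before relying on the full entropy you generated.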
I use the PasswordWallet program because it has both iPhone and Mac versions. It generates random passwords, stores them securely, types them into my browser for me, and makes it possible for me to use really strong passwords without ever remembering them. And since I always have either my phone or my computer with me, I always have them. If I lost both, I have backups of all my passwords in various encrypted files, both on backup drives and on other laptops. And if the absolute worst thing happens and all 10 copies of my password file are lost, well, it should be hard to recover; that is what a strong secret is for.