• In what city were you born?
• What is the name of your favorite pet?
• What is your mother's maiden name?
• What high school did you attend?
• What is the name of your first school?
• What was the make of your first car?
• What was your favorite food as a child?
• Where did you meet your spouse?

The problem with these security questions (and with our answers) is that they become a liability when the results are leaked online, such as through a data breach, or become public knowledge. Why? Because many (in fact, thousands) of sites potentially use identical security questions. The variation from site-to-site is low, and questions for each user frequently, and inevitably, overlap across their many accounts. This standardization of security questions creates a substantial, but unnecessary, risk.

1. As much as is possible, do not select the same security questions across multiple sites. Keep your selections unique when the site allows you to pick your own questions. This will help limit the fallout and compromise of other accounts if the security question/answer is ever leaked. This is especially important for public figures whose history may be a part of public record or biographies posted on websites. For example, we all know the city our favorite musician or actor was born in, right?

2. Do not answer security questions in plain English (or your native language). That is what is expected, but it’s a security misstep. Treat your answers like passwords and introduce complexity in your response and its characters. For example, let’s say I was born in Little Rock, Arkansas. The security question for, “what city where you born in” would require the response, “Little Rock”. Now, add some password complexity. The new entry could therefore be, “L!ttl3 r0ck”. This answer is more difficult to guess or crack through automated tools and provides a simple layer of obfuscation to protect your security question responses. And, if anyone ever asks, you can honestly state that of course your mother’s maiden name does have numbers and symbols in it. Doesn’t yours?

3. In many instances, the best course of action is to provide fictitious information to these questions to keep them unique. You could use a personal password manager to populate the answer fields with password-like responses. Then, store each question and response in your password manager. For example, for an ecommerce site, you could create the entry “ecommercesite.com/question_birthcity” as the account and then enter a random, recommended password as the security response. This provides the secure storage you need in case of a password problem, while keeping your answers to same security question completely random and unique across sites and applications.