Fun with Answers to Security Questions Using Diceware

[Image: a form with security questions; “First concert you attended?” is answered “Slacking Bullpen Matador”.]

Security questions are questions about personal details (like, “What was the first car you drove?” and, “What was the first concert you attended?”) that are meant to help you recover your account when something goes wrong, such as forgetting your password.

As Wired writes, security questions are insecure. Why? It boils down to two things:

  1. Answers to security questions are just another form of password: If you type something in that only you are supposed to know in order to access your account, then it functions as a password.
  2. Answers to security questions violate the basic rules of good passwords: Passwords should be hard to guess and not shared across different accounts, and answers to security questions are often easy to guess (with people sharing their lives on social media) and shared across accounts (you can’t have two first cars).

The simple solution to making these questions secure is to lie. Nobody’s actually checking your answers, so go for it. The Wired article recommends using a long, random string of characters and keeping it in a password manager. (Side note: You should be using a password manager for your actual passwords, too.)

But a random string of characters is kinda boring. Plus, some places ask for the answers over the phone, and trying to spell out “Y^i72b(lV$” is going to be awkward.

So, I decided to have some fun with my made-up answers using Diceware. A Diceware password is a string of randomly chosen words used as a password (really a passphrase). Ideally, you should use real, casino-quality dice for good randomness, but I’m just using the built-in passphrase generator in KeePassXC. (Note: KeePassXC uses the “long” list from the Electronic Frontier Foundation by default, which has some advantages over the original Diceware list.)

Since these passphrases consist of real words, they can be read over the phone if needed, and they actually sound almost real. “Slacking Bullpen Matador” could totally have been the name of my friend’s experimental rock band.

The best results come from picking questions that can have idiosyncratic answers, like the name of a band, a pet, or a book. And you can rearrange the words to make the answer work better: “regular cavalier next” could become “Next Regular Cavalier.” That could work as the answer to a number of different security questions.
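Here is an added example (my own script, not from the original post or KeePassXC) that does the same job as the built-in generator: it picks words with a cryptographically secure source, tells you how many bits of guessing resistance a phrase of a given length gives against the EFF long list, and rearranges the words into a title-cased answer. The nine-word list is a constructed stand-in so the script runs offline; `load_wordlist` is a helper I assume for reading the real EFF file, which uses one `<five dice digits><tab><word>` line per entry.

```python
import math
import secrets

# Constructed stand-in for the EFF long list (the real one has 7776 entries
# keyed by five dice digits, 11111..66666). Load the real file for actual use.
SAMPLE_WORDLIST = {
    "11111": "slacking", "11112": "bullpen", "11113": "matador",
    "11114": "regular", "11115": "cavalier", "11116": "next",
    "11121": "unplanted", "11122": "jiffy", "11123": "provider",
}
EFF_LONG_LIST_SIZE = 6 ** 5  # 7776 words


def load_wordlist(path):
    """Parse an EFF-format list: one '<5 dice digits>\\t<word>' per line."""
    words = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            key, _, word = line.strip().partition("\t")
            if len(key) == 5 and set(key) <= set("123456") and word:
                words[key] = word
    return words


def roll_dice(n=5):
    """Simulate n dice throws with the OS CSPRNG; five throws form a list key."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def passphrase(wordlist, n_words=3):
    """Pick n_words uniformly at random: the same distribution five fair dice
    give over a complete list (with a partial list most dice keys would miss)."""
    pool = sorted(wordlist.values())
    return [secrets.choice(pool) for _ in range(n_words)]


def bits_of_entropy(n_words, list_size):
    """Entropy (bits) of an n_words phrase drawn from list_size words."""
    return n_words * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def format_answer(words, order=None):
    """Reorder and title-case a phrase so it reads like a band or book name,
    e.g. 'regular cavalier next' with order [2, 0, 1] -> 'Next Regular Cavalier'."""
    order = order if order is not None else range(len(words))
    return " ".join(words[i].capitalize() for i in order)
```

With the EFF long list each word adds about 12.9 bits, so three words give roughly 39 bits and four words clear 50; `words_needed` tells you the count for whatever target you set.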

So have some fun with your answers to security questions. And be sure to check out my favorite book as of late, Unplanted Jiffy Provider.

Philip Chung
Software Developer