
How do you keep track of phony answers to security questions if they are different for each site? If it is the same phony answer for every site, it is not any safer to use real answers to the security questions.


You store the answers in your password manager and treat them like passwords


Yup. You pretty much have to do this. I love signing into my bank's bill payment system. "You appear to know your password and possess your second factor. But what's your favorite book? <all lowercase favorite book> WRONG YOUR FAVORITE BOOK IS ACTUALLY <starts with an uppercase book> NOW YOUR ACCOUNT IS LOCKED."

Even if you're using real answers, you will be locked out of your account if you don't treat them like passwords. Eventually.


Worse yet, real answers are just weaker passwords. Mother's maiden name? Childhood friend? Elementary / high school? For a targeted attack, against most people, this is very insecure in the all-information-online age. Nobody needs to know your 20-character password if they have your social media page.


I generate the passwords and store them in my password manager under the notes. 1Password added functionality seemingly recently to add security questions and generate a random word string that I use these days.


Note that you should not generate a random password like D27fX$0f7RyD for your security questions. These are designed to give to a human operator on the other end of a phone. If an attacker calls up the account recovery line, gets asked for a security question, and just says "heh, I think it was a string of random characters", there's a decent chance the human operator will let them into the account. As you say, use an actual word string (passphrase) generator, which is a bit less susceptible to this attack.
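As an added example (not code from any commenter above), here is a word-based answer generator of the kind the comment recommends, with an entropy estimate, plus the normalization a verifying site could apply so that "mister poopy eyes" matches "Mister Poopy Eyes" instead of locking the account. The word list and all sample values are constructed for the example.

```python
import hmac
import math
import secrets
import unicodedata

# Constructed mini word list for the example. A real generator would draw from
# a large list (e.g. the 7776-word EFF diceware list) to get useful entropy.
WORDLIST = ["apple", "brick", "cloud", "dragon", "ember", "forest", "glacier",
            "harbor", "island", "jungle", "kettle", "lantern", "meadow",
            "nectar", "orchard", "pepper", "quartz", "river", "saddle", "timber"]


def generate_answer(words, n_words=4, rng=None, sep=" "):
    """Return n_words words chosen uniformly at random and joined by sep.

    Words are capitalized only for readability over the phone; the
    capitalization carries no entropy and a verifier should ignore it.
    """
    rng = rng or secrets.SystemRandom()   # CSPRNG, never random.random
    chosen = [rng.choice(words) for _ in range(n_words)]
    return sep.join(w.capitalize() for w in chosen)


def entropy_bits(list_size, n_words):
    """Bits of entropy for n_words uniform picks from a list of list_size."""
    return n_words * math.log2(list_size)


def normalize_answer(answer):
    """Site-side canonical form: strip accents, casefold, collapse whitespace."""
    nfkd = unicodedata.normalize("NFKD", answer)
    stripped = "".join(c for c in nfkd if not unicodedata.combining(c))
    return " ".join(stripped.casefold().split())


def answers_match(stored, given):
    """Constant-time comparison of normalized answers (stored form would
    normally be a salted hash of the normalized answer, omitted here)."""
    return hmac.compare_digest(normalize_answer(stored).encode("utf-8"),
                               normalize_answer(given).encode("utf-8"))


if __name__ == "__main__":
    phrase = generate_answer(WORDLIST, 4)
    print(phrase, f"({entropy_bits(len(WORDLIST), 4):.1f} bits)")
    print(answers_match(phrase, phrase.lower()))   # True: case ignored
```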


Yep, if you can choose the question, choose something like "What was your first pet's name?" and then make up something silly like "Mister Poopy Eyes" (a conceivable child-given pet name).


I hate password managers. They sign you out way too often and god forbid you’re on another PC.


My work provides me with a 1Password subscription (for both work and personal use) that I take advantage of, and it is pretty good. I think they only require you to reauthenticate with your master password once every two weeks or something. I use a PIN, biometrics, or my Apple Watch to unlock it when it times out in between that two-week period, and I've had no problems syncing between several of my devices.


1Password on my Mac lets me set it to never require re-authentication with my master password, though it does seem to keep switching back to 30 days.


You can set how often they log you out, and I have a phone...


How often is way too often?


Pick your three favorite movie characters for which there is a lot of information about them (name, town where they grew up, age, dog with a name, etc.). Rotate through these three. Append the name of the service. Dog's name? buddylastpass

There will be no reuse, because for Facebook it would be buddyfacebook or dugfacebook, or something else… but you will always be able to guess it in three tries. A computer system doing some kind of pentest isn't going to parse out the "facebook" or "lastpass". A human might, but that's why you rotate through three names. At the point where you have a human targeting your account and actually thinking about your inputs you are probably !@#$ed anyway.


I have a small orange password book… oddly. If that gets stolen I think I’d be in big trouble. However it doesn’t have my email address in it. Answers to those inquisitions of a password reset nature are within.


in the notes field of the appropriate keepass entry.


memorable symbols and the site name

!%!%example.com%!%!


I used to do something like this. I avoid it now, and use a pass phrase of a few words as answers to these questions, stored as a password.

It became clear to me, after I had to read such a security-question answer over the phone to unlock an account, that the CSR was perfectly happy with "gibberish over the phone == gibberish in front of me", meaning my attempt to secure things made it less secure in the end.


answer$(first-word-in-question)



