Security questions can be used to reset your password. They are backup passwords. They should be treated as such: randomly generated and stored in a password manager. Different for each account. Any decent password manager will have a "notes" field or other way to store such data encrypted in the vault. Since they're almost certainly stored in plaintext on the backend, they should have at least 128 bits of entropy. 20 random printable US keyboard characters, 10 diceware words, etc.

Question: What colour was your first car?

Answer: SterilityExcitableFifthAbideEnrageGaffeHazilyRecoupSacrificeIllusive

Question: What was the first street you lived on?

Answer: G]6a)ERXnVd}`<(p'tY}

Etc.
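An added example, not part of the comment above: a Python sketch that works out how many random picks reach the 128-bit target and draws them with a CSPRNG. The function names and the 8-word list are assumptions made for illustration; a standard diceware list has 7776 words and would be loaded from a file instead.

```python
import math
import secrets
import string

# The 94 printable, non-space characters on a US keyboard.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

def units_needed(target_bits, pool_size):
    """Fewest uniform, independent picks from a pool of pool_size
    symbols whose combined entropy reaches target_bits."""
    if pool_size < 2:
        raise ValueError("pool needs at least 2 distinct symbols")
    return math.ceil(target_bits / math.log2(pool_size))

def entropy_bits(count, pool_size):
    """Entropy of count uniform picks from pool_size symbols."""
    return count * math.log2(pool_size)

def random_answer(pool, target_bits=128, sep=""):
    """Build an answer from a pool of characters or words using the
    OS CSPRNG (secrets), never the predictable random module."""
    symbols = sorted(set(pool))  # duplicates would overstate the entropy
    count = units_needed(target_bits, len(symbols))
    return sep.join(secrets.choice(symbols) for _ in range(count))

# Constructed stand-in word list (assumption); far too small for real use,
# so it needs many more words than a 7776-word diceware list would.
DEMO_WORDS = ["abide", "enrage", "fifth", "gaffe",
              "hazily", "recoup", "sacrifice", "sterility"]

if __name__ == "__main__":
    print("characters needed:", units_needed(128, len(PRINTABLE)))
    print("diceware words needed:", units_needed(128, 7776))
    print("character answer:", random_answer(PRINTABLE))
    print("demo word answer:", random_answer(DEMO_WORDS, sep="-"))
```

Store each generated answer in the password manager entry for that account, one distinct answer per question.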
> Almost any security question’s answer is guessable by doing research on the target person online.

That's why you never answer the question but use some "non sequitur" answer:

Question: what colour was your first car?

Answer: rumpelstiltskin