You have probably come across password security questions before. They are often used to identify a user who has forgotten the password to an account. The major problem with these security questions is that sites usually only offer a fixed set of general questions for the user to choose from during configuration, such as the mother's maiden name, the first school, the favorite sports team or the birthplace.
Asking these questions is problematic for two reasons. First, they are not very secure if the attacker has access to information about you. Your mother, for instance, would surely know most of the answers, as would a close friend, and even many work colleagues or classmates might. The second problem with this type of question is that the answers can also be guessed easily. The number of plausible answers is far smaller than the number of possible passwords for an account, so an attacker could simply try the most popular answers and see whether one of them hits.
How can this be prevented?
Some security questions cannot be guessed, say one asking for an ID number. If such questions are offered, it is wise to select them rather than the mother's maiden name. But what if the website or service only offers the basic security questions that anyone could guess?
Write a fake answer!
What's a fake answer to a security question? Instead of answering the question about your favorite sports team honestly, you simply answer it with something else. The best choice is a password-like answer, say a ten-character string using upper and lower case letters, numbers and, if the site allows them, special characters. This ensures that the answer can neither be guessed nor brute-forced.
The second option, if the first seems too complicated, is to use an answer that is unrelated to the question. You could for instance use your library ID number as the answer to the question about your mother's maiden name. No one would guess that you did that, and it is also a pretty safe option.
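The password-like answer from the first option, as an added example that is not part of the original post: a generator that draws a random answer with `secrets`, guarantees every character class is present, and compares the resulting guess space with the handful of popular answers an attacker would try against a real maiden name. The special-character set is an assumption; trim it to whatever the site accepts.

```python
import math
import secrets
import string

# Character classes the post recommends: upper case, lower case, digits and
# special characters. The special-character set is an assumption; the site
# may permit a different one.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*-_=+"
CLASSES = (UPPER, LOWER, DIGITS, SPECIAL)
ALPHABET = "".join(CLASSES)


def has_all_classes(answer: str, classes=CLASSES) -> bool:
    """True when the answer contains at least one character from every class."""
    return all(any(ch in cls for ch in answer) for cls in classes)


def fake_answer(length: int = 10, classes=CLASSES) -> str:
    """Draw a uniformly random answer over the union of the classes.

    secrets (not random) is used because the answer protects account recovery.
    Candidates missing a class are rejected and redrawn, which keeps the result
    uniform over the set of answers that satisfy the class rule.
    """
    if length < len(classes):
        raise ValueError("need at least one position per character class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, classes):
            return candidate


def guess_space_bits(num_candidates: int) -> float:
    """log2 of how many equally likely answers an attacker must try."""
    return math.log2(num_candidates)


def random_answer_bits(length: int = 10, alphabet: str = ALPHABET) -> float:
    """Guess space of a random answer of the given length over the alphabet."""
    return guess_space_bits(len(alphabet) ** length)


if __name__ == "__main__":
    # Constructed comparison: a list of roughly 1000 popular maiden names versus
    # a ten-character random answer over the 74-character alphabet above.
    print(fake_answer())
    print(f"popular-answer list: {guess_space_bits(1000):.1f} bits")
    print(f"random 10-char answer: {random_answer_bits():.1f} bits")
```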
To conclude the post: if you have to answer security questions, use either password-like answers or unrelated answers to keep the account from being compromised by attackers.