Is it safe to use my mother's maiden name or birthplace as security question answers?
Traditional security questions use information that is often publicly available, guessable from your social media, or shared with other family members. Where possible, use random answers stored in a password manager instead.
Last reviewed: 10 June 2026
Explanation
Security questions were designed to provide a fallback identity verification method, but most of the commonly used question types — mother's maiden name, childhood street, first car, first school — have a fundamental weakness: the answers may be discoverable.
Public records, genealogy websites, social media posts, and even obituaries often contain exactly this information. A determined fraudster can research your mother's maiden name, where you grew up, and your first car model relatively easily. Combined with other personal data from a breach, this can be sufficient to pass security challenges on bank accounts, utility accounts, and other sensitive services.
The practical solution used by security professionals is to treat security questions as additional passwords: use random, meaningless answers that have no relationship to the actual question, store them in a password manager, and use a different random answer for each service. If asked 'what was your first pet?' you might answer 'purple-table-seven' — completely unguessable and irrelevant to anything in your life.
This approach eliminates the vulnerability while maintaining the recovery function of security questions. It does require the habit of using a password manager, but that is already recommended for storing passwords.
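As an added example (not part of the original page), the Python sketch below audits a set of stored security answers for the two weaknesses described above, real personal facts and reuse across services, and replaces flagged answers with random ones. The word list, vault layout, sample data and function names are all assumptions constructed for illustration.

```python
import math
import secrets

# Constructed 16-word sample list; use a list of thousands of words in practice.
WORDS = ["purple", "table", "seven", "anchor", "maple", "orbit", "velvet", "cactus",
         "lantern", "pebble", "harbor", "mosaic", "tundra", "walnut", "zephyr", "quartz"]

def random_answer(words=WORDS, n_words=5):
    """Hyphen-joined words picked with a CSPRNG, unrelated to any question."""
    return "-".join(secrets.choice(words) for _ in range(n_words))

def entropy_bits(list_size, n_words):
    """Guessing entropy of an answer built from n_words uniform picks."""
    return n_words * math.log2(list_size)

def audit(vault, personal_facts):
    """vault maps (service, question) -> answer. Returns [(key, reason), ...]."""
    facts = [f.strip().lower() for f in personal_facts if f.strip()]
    findings, seen = [], {}
    for key, answer in vault.items():
        norm = answer.strip().lower()
        if any(f in norm for f in facts):
            findings.append((key, "contains a real personal fact"))
        if norm in seen:  # the first holder of a duplicated answer keeps it
            findings.append((key, f"same answer as {seen[norm][0]}"))
        else:
            seen[norm] = key
    return findings

def remediate(vault, personal_facts):
    """Return a copy with each flagged answer replaced by a unique random one."""
    fixed = dict(vault)
    used = {a.strip().lower() for a in vault.values()}
    for key, _ in audit(vault, personal_facts):
        answer = random_answer()
        while answer in used:
            answer = random_answer()
        used.add(answer)
        fixed[key] = answer
    return fixed

# Constructed sample data standing in for a password-manager export.
SAMPLE_VAULT = {
    ("bank", "mother's maiden name"): "Smith",
    ("utility", "mother's maiden name"): "smith ",
    ("email", "first pet"): "velvet-orbit-cactus-maple",
    ("shop", "first pet"): "velvet-orbit-cactus-maple",
}
SAMPLE_FACTS = ["Smith", "Leeds"]
```

With the 16-word sample list, a five-word answer carries only 20 bits of entropy; a word list of several thousand entries raises that substantially for the same answer length.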
Common red flags
- A service asks security questions whose answers could be found on your social media profiles
- A caller attempts to 'verify your identity' by asking these questions rather than authenticating you through the app
- A data breach notification states that security question answers were exposed
- Someone contacts you referencing personal details that match your security answers
What to do now
- Change security question answers on sensitive accounts to random strings stored in your password manager
- Review what personal information is publicly visible on your social media profiles
- Enable two-factor authentication to reduce reliance on security questions entirely
- Never answer security questions to an inbound caller regardless of who they claim to be
Frequently asked questions
Is two-factor authentication a better alternative to security questions?
Yes. Two-factor authentication using an authenticator app is significantly more secure than security questions for account recovery. Where possible, set up 2FA and use it as the primary second factor rather than security questions.
What if a service requires me to use real answers to security questions?
Many services do require these questions. Use answers that are real but not publicly discoverable — a nickname known only to close family, for example — rather than information easily found online.