by tnash 3767 days ago
Here's what I do: random long strings as answers for each question, and save them with the credentials in KeePass. That way I keep track of each one, and they can't be used against me.
8 comments

Same plan for me, except I use passpack.com ...

However, beware of tradeking as an online trading service. They have the lowest rates, but they have some ridiculous backward security requirements.

1) You have to enter passwords with an on-screen keyboard. Which means long complex computer generated passwords are a pain.

2) They present security questions in multiple choice form. That's right, your clever or unique answers are right there easily identified next to all the mundane answers.

Honestly I don't know how they haven't fired their whole security team. I know this kind of security theatre is costing them business, and I bet their back end reflects similarly poor decisions. I am surprised they don't have regular compromise reports.

I literally closed my account because of their ridiculous security requirements.

For the record, I'm much happier with Interactive Brokers: https://www.interactivebrokers.com/

Thanks for the heads up. When I looked years ago I had trouble finding a suitably priced company with an available API. This looks like a serious contender.
There was a discussion about it on HN a few weeks ago and someone rightly pointed out this is prone to social hacking by the attacker saying "well yeah I put some random garbage string, don't remember exactly". Remember, the human part is the weakest point here.
Yeah, I thought I was clever doing that until the day came to reset my login with my bank. They didn't ask a single one of those questions, and instead asked questions that anyone with my credit report could have answered. </facepalm>
That reminds me. Someone I know once received a notice from the OPM (Office of Personnel Management, for those outside the US, which deals with government hires and the like) related to the massive data breach over the last couple of years, and they offered ID theft protection through a 3rd party for free (oh boy!). The questions were outright absurd--they asked a variety of minutia (largely credit-related) going back 30+ years that no one would likely be able to remember.

Except that I'd imagine if the thieves in question had access to a person's history and credit report, they would have been able to answer these same questions with greater accuracy than the person whose data was stolen.

For all the effort some companies place on security, it seems wasted when they rely on information that is publicly available--or in this case, part of a corpus of data that may or may not have been stolen.

I put a 1KB base64 string into my PayPal 'security' questions. Problem now is that it won't accept that string again when I want to change my password. I assume the text was truncated at some point but is no longer now …
If enough people start doing that, sites will just add a third layer of secret questions to let you reset the other secret questions you forgot the answers to, and on and on... It will be secret questions to unlock secret questions all the way down.
The key is to use a password locker like keepass or passpack.
An important point for this is that the answers seem to be stored in plaintext (by companies) so you also shouldn't use the same one in multiple places. Simply substituting easily researched information for less easily researched information only solves half the problem.
I also generate my mother's maiden name.
May you never have to call someone to give them your mother's maiden name to unlock your account.
That works out pretty well with a "just tell me when you've heard enough" j q r p z v ! ? / b ... They usually say enough about 8-10 chars in and it really isn't that difficult to read off 8-10 chars.
I had to explain what the "greater than" symbol meant to someone at my bank, when they wanted the third character from my mother's maiden name.

They understood it was more secure though.
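The scheme the thread describes (random per-site answers kept in the password manager), together with the two failure modes it surfaces (a site silently truncating a long answer so it can never be matched again, and a support agent who has to take the answer down over the phone), as an added worked example. This is not code from the thread, from KeePass, Passpack or PayPal; the phone-safe alphabet, the `Vault` class and the `TruncatingSite` model with its made-up length limit are assumptions for illustration only.

```python
import math
import secrets
import string

# Alphabet that survives being read aloud to a support agent and typed back:
# no 0/O and 1/I/L look-alikes and no punctuation (the "greater than" problem
# from the thread). The alphabet is an assumption for this example, not a standard.
PHONE_SAFE_ALPHABET = "".join(
    c for c in string.ascii_uppercase + string.digits if c not in "0O1IL"
)


def generate_answer(length: int = 16, alphabet: str = PHONE_SAFE_ALPHABET) -> str:
    """Random answer from the OS CSPRNG; a fresh one per (site, question)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = PHONE_SAFE_ALPHABET) -> float:
    """Guessing work in bits: 16 symbols from 31 is ~79 bits, which is far beyond
    any real maiden name and shows why a 1 KB answer buys nothing extra."""
    return length * math.log2(len(alphabet))


def spell_out(answer: str, group: int = 4) -> str:
    """Group the answer for reading over the phone, e.g. 'K7QX 3BRP 9WMN'."""
    return " ".join(answer[i:i + group] for i in range(0, len(answer), group))


class TruncatingSite:
    """Model of a site that silently cuts the answer to max_len on enrolment but
    compares the full string at reset time (the symptom described in the thread).
    Constructed for this example; max_len is not any real site's limit."""

    def __init__(self, max_len: int):
        self.max_len = max_len
        self._stored = {}

    def enroll(self, question: str, answer: str) -> None:
        self._stored[question] = answer[: self.max_len]  # silent truncation

    def verify(self, question: str, answer: str) -> bool:
        # Length mismatch alone makes the comparison fail, so a truncated
        # stored answer can never be matched by the full one from the vault.
        return secrets.compare_digest(self._stored.get(question, ""), answer)


class Vault:
    """Stand-in for the KeePass/Passpack entry: one answer per (site, question),
    never shared across sites because sites keep these answers in plaintext."""

    def __init__(self):
        self._entries = {}

    def used_elsewhere(self, site_name: str, answer: str) -> bool:
        return any(a == answer and s != site_name
                   for (s, _q), a in self._entries.items())

    def enroll(self, site: TruncatingSite, site_name: str, question: str,
               length: int = 16) -> str:
        answer = generate_answer(length)
        if self.used_elsewhere(site_name, answer):  # policy check, not a real risk at 79 bits
            raise ValueError("answer collides with another site's entry")
        site.enroll(question, answer)
        # Confirm right away: if the site cannot match what it just accepted, it
        # truncated or normalised the answer and the vault entry would be useless.
        if not site.verify(question, answer):
            raise ValueError(f"{site_name} did not store the full {length}-char answer")
        self._entries[(site_name, question)] = answer
        return answer

    def get(self, site_name: str, question: str) -> str:
        return self._entries[(site_name, question)]


def enroll_with_fallback(vault: Vault, site: TruncatingSite, site_name: str,
                         question: str, lengths=(64, 32, 16)) -> str:
    """Try the longest answer first and step down until the site echoes it back.
    Do this immediately after setting the answer: real sites lock the account
    after a few failed reset attempts, so later probing is not an option."""
    for length in lengths:
        try:
            return vault.enroll(site, site_name, question, length)
        except ValueError:
            continue
    raise RuntimeError(f"{site_name} accepted none of the lengths {lengths}")


if __name__ == "__main__":
    vault = Vault()
    paypal_model = TruncatingSite(max_len=20)  # constructed limit
    answer = enroll_with_fallback(vault, paypal_model, "paypal", "first pet")
    print(f"stored {len(answer)} chars, ~{entropy_bits(len(answer)):.0f} bits: {spell_out(answer)}")
```

The point of `Vault.enroll` is the round trip: set the answer, then prove the site can still match it before trusting the vault entry. A 16-character answer from this alphabet is already unguessable, short enough to clear any sane length limit, and readable in four-character groups when a phone call is the only reset path.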