In the concepts section, I referenced two attacks on Yahoo over the last few years. When attackers accessed the user data for 1 billion Yahoo accounts, they were able to obtain: names, email addresses, telephone numbers, dates of birth, hashed passwords, and quote encrypted or unencrypted security questions and answers.

That’s a lot of personal information on a lot of people to take in one sweeping attack. With a breach like this, one of the first things to consider is: “Is the damage contained to this service?”. When a company loses factual data about who you are, it can aid someone trying to steal your identity. And factual information is problematic because unlike usernames or passwords, you can’t change that information if you feel threatened online because it is a part of you and your history.

Of all of the data points stolen, one of the most concerning to me is the security questions and answers. Security questions are something that give many people a false sense of safety while undermining their ability to protect themselves from identity theft.

It’s important to ask yourself: why are they asking me to give answers to security questions? The reason is simple: they are an old fashioned form of two factor authentication.

The best way to prevent identity theft concerns when using security questions is simple: don’t answer the questions honestly. No company is checking to find out if you correctly gave them your mother’s maiden name or city of birth. They don’t need to know which high school you attended or the road you lived on during elementary school. Security Questions and answers are just another layer of passwords. All that matters is that at some point in the future, during an attempt to authenticate your account, that you’re able to give the answer that matches what they have on record.

Since so many sites and services ask the same or similar questions, a breach on one site can allow someone to take control of other accounts in your life. The rolling effect I have mentioned previously where someone gains control to many accounts through a single breach is my biggest fear for anyone online. This Yahoo breach could absolutely have been used to get into someone’s bank account, social network, cloud storage, or other deeply personal services.

The only way to counter this kind of breach is to give different answers to every site that asks security questions. Since this is just another password, use the kinds of random password generation I covered previously, store the answer in a password manager, and move on without worrying about it. The key is to understand that nobody is checking on the answer, and you are free to give it any response you like.

I expect security questions to disappear as a form of security in the coming years, but until then it’s crucial that you understand why they exist, and how best to use them when required while staying safe and protecting your identity.