New Year’s Resolutions with LastPass: #5 Generate Your Answers to “Security Questions”

While the password generator is key for diversifying and strengthening your account passwords, it’s also a great tool for providing answers to common “security questions” for your accounts.

Security answers are often included as a second form of login verification or as part of an account recovery process, most frequently with online financial institutions and email accounts. Although many sites have made an effort in recent years to increase the obscurity of the security questions (at least, we hope they’re generally better than this), the fact remains that the answers to common security questions are more accessible than ever before. Even if you’re not a high-profile target, by generating answers with the LastPass password generator you’ll help reduce the risk that someone may use security questions to compromise your accounts.

When registering for new sites that require an answer to a security question, it’s simple to quickly generate an “answer” and add it to the new site entry stored in LastPass.

Let’s say you’re signing up for a new Gmail account. After going through the set-up process, we go into the account settings to create a security question & answer for account recovery purposes.

After selecting a question from the drop-down options, we go to the LastPass Icon, choose the Tools menu, and open the “Generate Secure Password” feature:
When the dialog opens, you can check “Show Advanced Options” to customize your generated password:

Click “generate” to create a new password with your customized options, then “copy” to copy the password to your clipboard. Go back to the security answer field, and paste the generated password. After confirming that your new answer is accepted by the site, you can go to your LastPass Icon, click on the site name listed at the bottom of the menu, and open the “edit” dialog. Paste the generated password in the Notes, also noting which security question you chose.

If you know you’re using personal information for security answers, set aside some time to login to those accounts, generate a new “answer” with LastPass, and store the update in your site entry. Accounts for online banking, email, social media, and credit cards are all good places to start.

Generating answers with LastPass doesn’t directly affect your Security Check score, but it will improve your overall online security.

The LastPass Team


  • Mark Modesti says:

    Is there a “fly-over” instruction manual for LastPass? I’d just like the 1-2-3 version. A here’s how it works and here’s what you have to do to make it work approach. Thanks.

  • Paul says:

    Sorry for a late comment on an old post but…

    The problem I have with totally random security question answers is that my bank, credit card company, etc. are asking me to give those answers over the phone when I call them. I’m not so interested in having to spell “q5Q1h&oMqO9kk$8t” for them when they ask me what my mother’s maiden name is.

    However choosing memorable/pronounceable, but WRONG, answers does sound like a good security measure.

    • Amber says:

      We do offer a “pronounceable” option in the advanced settings of the password generator tool, if you check it the results will be much more usable in the scenario you mention. Great comment!

  • Al says:

    Instead of a random generated answer, what about generating a known wrong answer and then recording that in secure notes. For example, if my mothers name is Rachel, I use Molly instead. That is easy to tell the banls security person over the phone, but nothing anyone could attach to me (ezcept LastPass!!). Of course, I would use a different name each time.

    Also, the question was brought up about why I would ever need this if LP has the site password stored. I thought of another scenario why you might need this. What about of a bank suspects passwords were stolen. They might clear all passwords and require persons reset their passwords by reanswering the security questions? I suppose that could be another reason.

    LP: How about a random word generator for cases such as this instead of a random hash? A “security word generator” per-se? (With warnings of course not to use this for site passwords!!!). Then that random word is stored for potential use later when required.

  • Anonymous says:

    OK, dumb questions coming up…

    So, just to clarify… if a site asks me for my “Mother’s Maiden Name” this is just to push me into choosing something I’ll obviously remember. If I set it to “MinnieMouse”, “AttillaTheHen” or “jkjdhfhj9897” there’s no actual check by anyone/anything on whether they actually are my mother?

    I would guess most people’s innate reluctance to deliberately put in something incorrect would mean the overwhelming percentage do use the actual name.

    I could see potential problems if this type of security answer is ever asked by a real person as part of a telephone query I initiate (especially if the call-centre has been outsourced offshore hmmm) – any ideas on how using a gobbledegook name might go down then?
    –thanks Ron

  • S Smith says:

    I travel quite a bit for work. Recently I was on a trip and logged into a site (Google maybe?). I got a message back about being somewhere I’m usually not, and asked me for further info.
    So: I do need my security answer in addition to my password when the site is trying to be smarter(?) than me. ;)

  • Amber: Yes, I get that. However, what is the purpose of storing the security answer? If you have LastPass, you will never need it. If you don’t have LastPass, you won’t have access to it. So I just do some random keyboard mashing in those cases, which is faster than having LastPass generate something.

    • Securendo says:

      Here in Belgium, mostly every bank mandates the use of hardware tokens to authenticate to their sites, and also to sign most important transactions. It’s a pain in the beginning, but one gets used to it.
      So there, no need any more for the security questions.

      Still, when calling their call centers, the only way to authenticate still seems the old security questions way. Having the customer read out the result of the token doesn’t solve the problem, as the call center cannot validate it. This may be a reason…

    • Jack says:

      Michiel, keyboard mashing may be physically gratifying, but it’s an insecure way to generate a random sequence. In fact, when asked to quickly press random keystrokes generate a surprisingly repeating sequence, usually something with a lot of “asdf;lkj” characters in it. And if you do this today, you certainly won’t remember the similarity to the sequence you generated for another site last month. Your method will work, if you record the sequence in case you need it, but it won’t be as secure as using the LastPass random generator.

    • I can do some pretty random keyboard mashing. Or yes, let Lastpass generate the sequence. Fine. But that’s beside the point here.

      The point is your sentence: “if you record the sequence in case you need it”.

      Try and follow this line of reasoning: Why would you ever need to use your security answer? When you lose the site’s primary password. How could you lose the site’s primary password? If you lose access to your Lastpass account. If you have no access to your Lastpass account, you’ll also not have access to the random security answer you stored there.

      In conclusion, if you ever need your stored security answer, you will not have access to it. Ergo, storing your security answer is useless.

      Where is the flaw in my logic?

    • Anonymous says:

      Many sites require you to answer one of your security questions if they detect you are logging in from a new device or browser. Therefore, you would need the security answer in addition to your password.

    • Really? I’ve never encountered this. But OK, that does seem like a fairly good reason. :-)

      If any website ever asks me for the security answer, I’m in trouble.

    • Anonymous says:

      Bank of America does this.

      It’s perhaps ironic that in setting up all my passwords, Banks generally were the ones imposing length limits which limit how secure their passwords are.