
Not saying you should share your personal info on these charts, but you should never give real answers to security questions anyways. They are going to be easy to guess by definition, on top of revealing personal information to the vendor and any attackers.

If you use a password generator (and thus you never reuse or forget passwords), the easiest thing to do is to just set it to the password (though they may be stored in plaintext), or a different password you keep on the notes in your password manager.



It shows how careless the industry is that these security questions persist. Sarah Palin’s Yahoo! account was handed by someone guessing easily accessible security questions. That was 17 years ago.

When backward systems force you to answer these questions, I agree it’s better to generate a random string just for this question and provider. Plus it’s a fun time on the odd occasion these extra questions are required in a phone call.

“To complete security, what was your first pet’s name?”

“I’ll never forget dear PMM&7Qhdcim6WdJ:2XaviMw”


To get an account back, once I got something like:

> Which is your favorite food?

> Please select your old answer:

> 1) banana

> 2) apple

> 3) t5$2eoW

> 4) pear


Are you Elon Musk? :)

But seriously, good advice.


There are certain identity verification checks online that require you to give the real answer. Things like pulling your own credit report. They already know places you’ve lived in or models of vehicles you’ve insured and ask you this to confirm your identity. So not just security questions where you can define the correct answer.


DO NOT use your password for the answer to security questions! Yes, your answers should be stored securely, but there's a good chance they aren't. Use a different generated password, or bogus answers if you need to.


Do not set it to the password. They might not be held as securely as the password. Use the additional fields/notes of your password generator and make them other generated random passwords.


Definitely don’t set security questions to the password itself.

Use the password generator to come up with some random words, different for each question.


While there is a concern about the plaintext answer leaking, I wouldn't think too much of it, since if the credentials db got compromised, I would assume the attackers also got everything else of value. Leaking the password at that point is no different than any other random string.


If they store the salted hash of your password but store the answers to security questions as plain text, then your advice is very bad. The db doesn't even have to get pwned; employees of the company will see it.
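The storage model this comment is worried about (password hashed, security answers in plaintext) is fixable on the server side by treating answers exactly like passwords. The block below is an added example, not code from any commenter or vendor in this thread: it salts and hashes answers with PBKDF2-HMAC-SHA256 from the standard library, normalizes case and whitespace before hashing so legitimate retyping still verifies, and compares in constant time. The iteration count and salt length are assumed values for the example; the "Fluffy" answer is a constructed sample.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Assumed parameters for this example; tune the iteration count to your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Fold case, Unicode form and surrounding/repeated whitespace.

    Humans retype security answers inconsistently ("Fluffy ", "fluffy"), so a
    hashed scheme must normalize before hashing or real users fail to verify.
    The same normalization runs on the enrol and verify paths.
    """
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_answer(answer: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest for the attempt and compare it in constant time."""
    _, digest = hash_answer(answer, salt)
    return hmac.compare_digest(digest, expected)


def enrol(answer: str) -> dict:
    """Build the record a server should persist: KDF parameters, salt and hash.

    The plaintext answer never appears in the record, so neither a database
    dump nor a support employee browsing the table can read it.
    """
    salt, digest = hash_answer(answer)
    return {
        "kdf": "pbkdf2-sha256",
        "iters": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def check(record: dict, attempt: str) -> bool:
    """Verify an attempt against a stored record produced by enrol()."""
    return verify_answer(
        attempt, bytes.fromhex(record["salt"]), bytes.fromhex(record["hash"])
    )


if __name__ == "__main__":
    # Constructed sample: the kind of guessable answer the thread argues against.
    rec = enrol("Fluffy")
    print(rec)                     # salt + hash only, no plaintext answer
    print(check(rec, " fluffy "))  # True: normalization absorbs case and spacing
    print(check(rec, "Rex"))       # False
```

Hashing does not make a guessable answer strong; it only removes the plaintext exposure the comment describes. An answer like a pet's name is still a low-entropy secret and should be rate-limited like a password, and a generated answer (as other commenters suggest) is what actually raises the bar.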


While I agree with you, in my experience it's important for the security answers to be pronounceable. Otherwise some CS will just wave them away as being gibberish.

So I generate random answers but then modify them so that they're somewhat pronounceable.

Also, obviously, don't use the actual password, since they are stored in plaintext.


I'm also a fan of pronounceable passwords - I even have a script to generate them,[0] yes it decreases entropy a little. I don't store passwords on my phone, so I sometimes find myself retyping passwords, and I find these much easier to retype.

[0]: https://github.com/tasuki/dotrc/blob/master/.bin/pronounceab...


Pronounceable passwords is what pwgen does. You might be surprised by how much entropy you lose, which is apparently around half: https://security.stackexchange.com/questions/72781/security-...
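The three comments above trade pronounceability (so a support rep will accept the answer over the phone) against entropy (the linked answer says pwgen gives up roughly half). The block below is an added example, not any commenter's script and not pwgen's algorithm: it builds answers from consonant-vowel syllables with the `secrets` CSPRNG, computes the entropy per syllable versus per uniformly random character, and works out how many syllables restore a chosen security level. The syllable alphabets and the 64-bit target are assumptions made for the example; real pwgen tables differ.

```python
import math
import secrets
import string

# Constructed syllable alphabets for this example; pwgen's own tables differ.
CONSONANTS = "bcdfghjklmnprstvwz"                      # 18 choices
VOWELS = "aeiou"                                        # 5 choices
RANDOM_ALPHABET = string.ascii_letters + string.digits  # 62 choices

# A consonant-vowel syllable has 18 * 5 = 90 equally likely outcomes.
BITS_PER_SYLLABLE = math.log2(len(CONSONANTS)) + math.log2(len(VOWELS))  # ~6.49
BITS_PER_RANDOM_CHAR = math.log2(len(RANDOM_ALPHABET))                   # ~5.95


def pronounceable(n_syllables: int) -> str:
    """Answer built from CV syllables drawn with a CSPRNG, e.g. 'kivotamu'."""
    return "".join(
        secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
        for _ in range(n_syllables)
    )


def random_answer(length: int) -> str:
    """Uniform random string over letters and digits: the 'gibberish' variant."""
    return "".join(secrets.choice(RANDOM_ALPHABET) for _ in range(length))


def entropy_bits(n_syllables: int) -> float:
    """Entropy of a pronounceable answer with the given number of syllables."""
    return n_syllables * BITS_PER_SYLLABLE


def entropy_ratio(n_syllables: int) -> float:
    """Entropy of a pronounceable answer divided by that of a random answer of
    the same character length (two characters per syllable)."""
    length = 2 * n_syllables
    return entropy_bits(n_syllables) / (length * BITS_PER_RANDOM_CHAR)


def syllables_for_bits(target_bits: float) -> int:
    """Syllables needed to reach target_bits; lengthening recovers the loss."""
    return math.ceil(target_bits / BITS_PER_SYLLABLE)


def random_chars_for_bits(target_bits: float) -> int:
    """Random characters needed for the same target, for comparison."""
    return math.ceil(target_bits / BITS_PER_RANDOM_CHAR)


if __name__ == "__main__":
    target = 64  # assumed security level for the example
    n = syllables_for_bits(target)
    print(f"pronounceable: {pronounceable(n)}  ({n} syllables, {entropy_bits(n):.1f} bits)")
    print(f"random:        {random_answer(random_chars_for_bits(target))}  "
          f"({random_chars_for_bits(target)} chars)")
    print(f"entropy ratio at equal length: {entropy_ratio(6):.2f}")
```

With these alphabets the ratio at equal length is about 0.55, which matches the "around half" figure in the linked answer. The practical consequence is that pronounceable answers are not weaker per se; they need to be about twice as long as a fully random string to carry the same number of bits, which is cheap when the answer lives in a password manager's notes anyway.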


Still plenty of places have "shadow security questions" based on knowing the answers to some of these things already.



