A security alternative to giving online services your personally identifiable information

Published on 23 February 2023 by Andrew Owen (3 minutes)

You’re probably familiar with the social media memes that try to elicit password reminders from you to access your accounts. For example, your Steinbeck character name is the make of the first car you drove and the name of your elementary school. It shouldn’t need to be said, but don’t reply to those memes. And the reason these memes exist is because your bank demands that you provide this kind of personally identifiable information for password recovery, so you can access its online services.

If your bank gets hacked, you’re really unlucky. But many other sites ask for the same information. Those sites may not be as secure. And if one of them gets hacked, then cybercriminals could end up with the password reminders to all your accounts. Sure, they’ll go after the low-hanging fruit first (don’t use P@ssword1 as a password), but why take the risk.

The kind of information you’re normally asked to provide typically includes things like your mother’s maiden name, father’s middle name, the street you grew up on, or your first school, car or pet. Many of these are easy to discover, which means that even if the cybercriminals only get a partial list from one site, they still have a good chance of being able to get the rest. And then there’s the problem that if you choose the less easy to research stuff, it’s also less easy to remember. But I have a solution: obscure superheroes.

You can’t use Batman. It’s too obvious. But equally, you have to pick a character that’s sufficiently fleshed out to have details like parents, favorite color, school and so on. If they don’t have a birthday, you can use the first publication date. If it’s a really old character, you may need to add an arbitrary number to the date (make it 50, that’s easy to remember). The best part of this is that you don’t have to remember all the details. You can look them up on a comic fandom site. All you have to remember is which character you picked.

Because you’re not going to use Batman, let’s look at the biographical details we can get from Wikipedia:

• Astrological sign: Aries
• City of birth: Gotham
• Date of birth: March 30, 1989 (first publication date +50)
• Favorite movie: The Mask of Zorro (last one he saw with his parents)
• Favorite school teacher’s name: Alfred Pennyworth (his butler, homeschooled)
• Father’s middle name: Robert (if unavailable, use the creator’s first name)
• Favorite color: Black.
• First pet’s name: Ace (the bathound)
• First school: Wayne Manor (homeschooled).
• Make and model of first car: Lincoln Futura (1960s Batmobile)
• Mother’s maiden name: Kane (if unavailable, use the creator’s last name).

And if superheroes aren’t your thing, there are plenty of other characters in fiction with sufficient backstory to provide a set of answers. The key is to not choose the popular ones. So no James Kirk and no Sherlock Holmes. For added security, you can use more than one character. Ideally, you’d pick a unique character for each online service. But that’s a lot of characters to remember. So I suggest using a single character for the lower risk sites, and individual characters for sites that could give criminals access to your finances or your email.

At some point you may end up with more characters than you can remember, at which point you’re going to need a password manager with secure notes, but that’s another article.

Image: Detail from Saturnino “Pepe” Moreno Casares’s “Batman: Digital Justice”. Batman is copyright and a trademark of DC.