
Picture this: You're trying to reset your password at 11 PM because you haven't logged in for three months. You click "Forgot Password," enter your email, and suddenly you're asked to verify your identity. The company needs to know your mother's maiden name. Your street address. The last four digits of your social security number. Maybe even what pet you owned in 2003.

Meanwhile, you've already provided your full legal name, email address, phone number, and payment information to this company. You've bought things from them. You've given them permission to send you marketing emails. Your browser literally remembers your password was recently used on this exact site.

Yet here you are, answering security questions like you're trying to access the nuclear launch codes.

The Security Theater Scam

Let's be honest: this isn't really about security. If it were, companies would implement the same verification process every single time you logged in. They don't. They only make you jump through hoops when you've forgotten your password—a moment when you're frustrated, tired, and most likely to abandon the entire process.

I tested this myself with seven major retailers. All seven of them asked me to verify my identity using security questions before resetting my password. You know what none of them asked for when I logged in successfully with the new password? Nothing. No additional verification. No proof that I was actually the account holder. I could have been anyone.

The actual security threats are minimal in most cases. If someone has access to your email account, they can reset your password anyway—they don't need your mother's maiden name. If they have your social security number AND email AND date of birth, well, you've already got bigger problems than accessing your retail account.

So what's really happening here? Companies are using security questions as a friction point. They're betting that some percentage of people—maybe 5%, maybe 15%—will get frustrated and just give up. They'll use their old password elsewhere. They'll create a new account. They'll never come back. From a customer service perspective, it's a low-cost filter.

The Questions That Nobody Can Answer

Here's where it gets truly absurd: the questions themselves are often impossible to answer consistently.

"What was the street name of the road you grew up on?" Well, I moved four times as a kid. Which one did I enter when I set up this account in 2019? Who knows. "What is your favorite movie?" I have twenty favorite movies depending on the mood. "What was the name of your first pet?" I had two goldfish. Did I put "Goldie" or "Nemo" or both?

I've personally been locked out of accounts I've owned for ten years because I couldn't remember which version of a security question answer I'd used. The company's system said "no match." Support said "sorry, we can't help without the correct answer." So I created a new account with a new email address instead.

A Reddit thread I found had 847 comments from people experiencing the same thing. One user described being locked out of their own PayPal account for two weeks while trying to answer security questions about information they weren't even sure they'd accurately entered years ago. Another person mentioned being asked to identify their favorite restaurant from a list of restaurants they'd never heard of—the security questions had obviously been filled in by someone else, or auto-populated with incorrect data.

Why Banks Get It Right (Sometimes)

Banks have figured something out that retail companies still haven't: security questions are an archaic solution to a solved problem. Most major financial institutions now use multi-factor authentication instead. You reset your password, and they send a code to your phone or email. It's quick, it's secure, and it actually proves you control the phone number or email address on file for the account.

Amazon does something similar—they text you a code. So do Spotify, Netflix, and most social media platforms. Do these companies experience more hacking than Best Buy? No. In fact, financial institutions, which are considerably more attractive targets for hackers, have moved away from security questions entirely.

Yet consumer retail sites are still asking about your childhood pet like it's 2005.

The excuse I've heard from company representatives is always the same: "Many users don't have cell phones on file" or "We need a backup method if someone can't access their email." But that's not actually why they're using security questions. They're using them because the infrastructure is already in place, because implementing modern authentication would require investment, and because—let's be blunt—they don't prioritize user experience for this particular moment.

The Cost of Frustration

You might think, "Why does this matter? It's just a few security questions." But the friction adds up. I've abandoned password resets at three different companies this year because I couldn't answer the security questions correctly and didn't want to deal with customer service. Those companies lost the opportunity to potentially engage me with a promotion, an update, or even just to remind me that they exist.

This connects to something bigger that we've written about before: companies increasingly shifting friction and inconvenience onto customers, then acting shocked when customers get frustrated and go elsewhere.

What's maddening is that solving this problem is genuinely easy. Send a verification code via email or text. Ask for the last four digits of a payment method on file. Use biometric authentication if the user has it enabled. There are literally a dozen better solutions than asking me whether my favorite color is blue or red—and then telling me I answered incorrectly because I apparently entered it as "Royal Blue" back in 2018.
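The code-based reset recommended above, as an added example that is not from the original post: a minimal server-side one-time code store in Python. Functions and the in-memory dict standing in for a database are hypothetical; delivering the code by email or text is assumed to happen outside the snippet. The short code's safety comes from the expiry, the attempt limit and single use, not from the strength of the stored hash.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

CODE_TTL_SECONDS = 600   # code is valid for ten minutes
MAX_ATTEMPTS = 5         # then the code is burned and a new one must be requested


@dataclass
class PendingReset:
    code_hash: bytes     # only the hash is stored server-side, never the code
    expires_at: float
    attempts: int = 0
    used: bool = False


def _hash_code(user_id: str, code: str) -> bytes:
    # Bind the hash to the user so a code issued for one account cannot be replayed on another.
    return hashlib.sha256(f"{user_id}:{code}".encode("utf-8")).digest()


def issue_reset_code(store: Dict[str, PendingReset], user_id: str,
                     now: Optional[float] = None) -> str:
    """Generate a random 6-digit code; the caller delivers it to the email/phone on file."""
    now = now if now is not None else time.time()
    code = f"{secrets.randbelow(1_000_000):06d}"
    store[user_id] = PendingReset(_hash_code(user_id, code), now + CODE_TTL_SECONDS)
    return code


def verify_reset_code(store: Dict[str, PendingReset], user_id: str, candidate: str,
                      now: Optional[float] = None) -> bool:
    """True only for a fresh, unexpired, unused code within the attempt budget."""
    pending = store.get(user_id)
    if pending is None or pending.used:
        return False
    now = now if now is not None else time.time()
    if now > pending.expires_at:
        del store[user_id]           # expired: the user must request a fresh code
        return False
    pending.attempts += 1
    if pending.attempts > MAX_ATTEMPTS:
        del store[user_id]           # too many guesses: burn the code entirely
        return False
    if not hmac.compare_digest(_hash_code(user_id, candidate), pending.code_hash):
        return False
    pending.used = True              # single use: a replayed code is rejected
    return True
```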

What You Can Actually Do

Until companies modernize their security practices, here's the reality: you're stuck. You can complain to customer service, and they'll sympathize while explaining they "can't bypass" security protocols. You can try to contact the company through social media, where they might help if you shame them publicly enough. Or you can just accept that some companies view password recovery as punishment for being human enough to forget your login credentials.

The best solution remains what it's always been: use a password manager. LastPass, 1Password, Bitwarden—any of them will store your passwords securely so you never have to reset them in the first place. Yes, it's frustrating that we need a third-party tool to work around bad company policies, but it works.

Until the day when retail companies invest in actually good security practices, that's your workaround. And honestly, it's probably more secure than most of the security questions they're asking you anyway.