That's why for security questions I use randomly generated, long strings. My security questions have stronger passwords than my passwords!  Security questions aren't. They should be called insecurity questions. They're the stupidest idea ever. I would never program a web site with them.