Questions: Account Creation and Security

Password reuse is the critical vulnerability here. When attackers obtain a breached password list, they immediately run it against other major services (email, banking, shopping) in automated attacks called credential stuffing. The complexity of the original password is irrelevant — they already have it. Unique passwords per site prevent one breach from cascading. A password manager solves this by generating and storing a different random password for every site.

Email is the 'master key' of your digital life because most account recovery flows send reset links to your email address. If an attacker gains access to your email, they can click 'Forgot password' on every other service you use — banking, social media, shopping — and take over those accounts as well. This is why email should be the first account protected with 2FA and a strong unique password.

Answer: True

Length is the dominant factor in password strength against automated attacks. Password cracking tools try billions of combinations per second, and the number of possible combinations grows exponentially with length. A 16-character password — even if made of recognizable words — has a vastly larger search space than an 8-character password. The symbol-and-number 8-character password feels 'strong' but is relatively short; the longer passphrase resists brute force far better.

Answer: False

Security questions are often the weakest link in account security. The 'secret' answers — mother's maiden name, first car, childhood street — are frequently discoverable through social media profiles, public records, or social engineering. The professional approach is to treat security question answers like passwords: enter a random nonsense string for each answer (and store it in a password manager). This ensures that even if someone knows your real personal history, they cannot use it to reset your account.

This flips the common intuition: people assume 'personal' information is private, but in practice it is often the most publicly accessible kind. Security questions were designed for an era before social media; today they are a weak link that adversaries specifically target. Treating them like passwords — opaque, random, stored securely — closes this vulnerability without sacrificing account recovery capability.