Why they're risky
The answers to security questions can often be guessed, or simply looked up on social media, in public profiles, or through your circle of acquaintances. The school you attended or your pet's name may already be public.
Attackers collect this information through open-source research and social engineering, then use it to pass the account-recovery flow and reset your password. The more truthful the answer, the easier it is for someone else to find, and the more dangerous it is.
How to answer safely
Don't use the real answer to the question as-is.
- Instead of the real answer, make up and use a random string (a fake answer)
- Use a different answer for each question
- If the service lets you choose, avoid questions whose real answer is public information (and still use a made-up answer even then)
- Store the answers you made up in your password manager as well
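The following is an added example, not part of the original article, showing the procedure above in code: one random, word-based answer per question, generated with the operating system's CSPRNG, checked to be distinct across questions, and formatted as a note for a password manager. Word-based answers are chosen because some services read the answer back to you or ask you to say it to a support agent, which is awkward with a string of symbols. The word list and the question prompts are constructed for this example; a real list such as a diceware list has thousands of words, which is where the strength comes from.

```python
import math
import secrets

# Constructed sample word list for this example only. In practice use a
# large list (a diceware list has 7776 words) or let the password manager
# generate the answer for you.
WORDS = [
    "anchor", "basil", "cobalt", "drift", "ember", "falcon", "granite",
    "harbor", "iris", "juniper", "kestrel", "lantern", "marble", "nectar",
    "orchid", "pebble", "quartz", "ripple", "saffron", "thistle", "umber",
    "velvet", "willow", "yarrow", "zephyr",
]

# Typical prompts, assumed for the example.
QUESTIONS = [
    "What was the name of your first pet?",
    "What school did you attend?",
    "In what city were you born?",
]


def fake_answer(words_per_answer: int = 3, wordlist=WORDS) -> str:
    """A random answer made of words, drawn with secrets (OS CSPRNG),
    never with random.random(), which is predictable."""
    return "-".join(secrets.choice(wordlist) for _ in range(words_per_answer))


def entropy_bits(words_per_answer: int, wordlist=WORDS) -> float:
    """Guessing work in bits for an answer of this shape: each word is an
    independent uniform pick from the list."""
    return words_per_answer * math.log2(len(wordlist))


def make_answer_set(questions, words_per_answer: int = 3, wordlist=WORDS) -> dict:
    """One distinct random answer per question. A fresh answer is drawn
    again if it collides with one already used, so no two questions on the
    same service share an answer."""
    answers = {}
    used = set()
    for question in questions:
        while True:
            candidate = fake_answer(words_per_answer, wordlist)
            if candidate not in used:
                break
        used.add(candidate)
        answers[question] = candidate
    return answers


def manager_note(service: str, answers: dict) -> str:
    """Text to paste into the password manager's notes or security-question
    field: the exact question wording is stored next to each answer."""
    lines = [f"Security questions for {service}"]
    for question, answer in answers.items():
        lines.append(f"Q: {question}")
        lines.append(f"A: {answer}")
    return "\n".join(lines)


if __name__ == "__main__":
    generated = make_answer_set(QUESTIONS)
    print(manager_note("example-service", generated))
    print(f"about {entropy_bits(3):.0f} bits per answer with this small list")
```

With the 25-word sample list a three-word answer is only about 14 bits, which is why the list size matters: three words from a 7776-word list give roughly 39 bits, far beyond any pet name or school that can be enumerated from public data.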
Replace with 2FA when possible
Two-factor authentication is far stronger than security questions. If a service offers 2FA, turn it on first, and set up security questions only where the service requires them. Keep in mind that on some services security questions remain an account-recovery path even after 2FA is enabled, so a guessable answer can still undermine your second factor.
Managing your answers
Because made-up answers cannot be recalled from memory, you have to record them. Keep each answer, together with the exact wording of the question it belongs to, in your password manager's notes or security-question field, and recovery will go smoothly. Never store them in a plain text file or in the account's own email inbox, since compromising either would hand an attacker the reset path.