In my opinion, the use of security questions to secure accounts weakens overall security in a non-trivial way. My advice is first, use a password manager, and second, generate random answers to security questions for every system and store those in the password manager along with your password. You should NEVER use honest or sensible answers to security questions.
The reason for this opinion is three-fold. First, using non-secret information to secure an account is faulty security on its face. Second, there is a rampant disregard for the security of your security questions and answers by those that store them. And Third, because you should never secure multiple accounts with the same set of information. Security professionals strongly suggest that you use unique passwords for every system, yet if all of those system passwords can be bypassed by the same security questions and answers then that is a glaring security hole.
At its core, securing accounts with usernames and passwords relies on one piece of information, the password, being kept secret. Passwords are encouraged to be random, long, and should never be shared with anyone. Add to that, multi-factor authentication that requires something physical like your phone or a token to gain access, and you have a good base when it comes to security. It’s not perfect, but it’s about as good as we can do today. When a system then allows you to bypass that protection by answering questions that are based on non-secret information, there is a serious breakdown in security. In the future hopefully we’ll have certificate based authentication and do away with passwords.
The idea behind security questions is that while some bad actor might guess or steal your password, they shouldn’t know what street you grew up on, or what high school you attended. That assumption is flawed in our current world of social networks, freely flowing information, and data breaches. It may have been hard for a bad guy from China or Australia to know what street you grew up on in 1995, but this is NOT TRUE in 2016 and beyond.
From a philosophical security perspective, the very idea of being able to access sensitive data by only knowing non-secret information about someone is just plain dumb. Image if you could walk into a bank and withdraw millions of dollars from a celebrity bank account simply because you know their dog’s name and where they went to high school? We wouldn’t stand for that for one second with our money and we shouldn’t stand for it in the digital world. With our financial lives tied to eBay, PayPal, facebook, amazon, and many other sites – a bad guy knowing your favorite teacher might be the only thing between them and your bank accounts or credit cards.
Beyond the philosophical point though, is a very real actual problem with security questions. Systems that collect the answers to these questions do not treat them with the care that is warranted for information that carries the power that security questions carry today. A given system may protect passwords and social security numbers properly (although sadly, this is not as universal as it should be). Few to no systems however, will protect the security question answers with any effort at all. So WHEN a data breach occurs, all of those security answers, that were once at least hidden behind social network searching and some public records digging, are released to the public for easy pickings – usually a Google search away.
The sensitive nature of security question answers is a two sided coin. On one hand, as I’ve stated above, these answers can be found out in public with enough searching. On the other hand, they can still be hard enough to find sometimes that they can provide a challenge for a would-be hacker. Regardless of how easy that information might be able to find however, the people that are storing this information should be protecting it like they protect passwords and social security numbers. With a large collection of security question answers, a bad actor could have the keys to many other systems without ever needing to even try a proper ‘hack’.
A very common situation is for two sites to end up protected by the same security questions and answers. One site might be a website about flowers, but the other might be PayPal or Amazon. The flower website might get compromised, and maybe they protect your password well, but they don’t protect your security question answers. That bad actor can use those answers to reset your Amazon or PayPal password and start spending your money. Re-using the same password on multiple sites comes with the same danger, but at least there is a chance that your passwords could be different and that a site might protect them well. What high school you graduated from will always be the same and most likely will be very easy for the hacker to acquire.
We as users of these systems have little to no influence on how they build the system, but we can take steps to mitigate the risks that these systems force on us by generating random answers to security questions for every system and storing those answers in your password manager. At least that way, WHEN a system is breached and those security answers are leaked, they mean nothing and aren’t the keys to the kingdom for the would be hacker.