> These are supposed to be the very last line of defense for security, including if lose your password manager.
Security questions aren't for security, they're against it. They're a tradeoff between security and usability, in the direction of usability. Assuming you answer security questions truthfully, they weaken the security of your account. It's like having multi-factor authentication, but instead of requiring all the factors, they just require any one of them. That's not necessarily a bad thing, as long as it doesn't weaken the security so much that it's easy to break.
> Of course, it's terrible to use personal information that can be known to 3rd parties. It's also bad to reuse the same answers across multiple companies, as a compromise at one means you're at risk everywhere.
And here's the problem. Many/most sites that use security questions have a dropdown list of acceptable questions and don't let you enter your own. Often the only thing you can do to avoid making your account easily compromised is to make up answers to some of the questions.
The downside, is, of course, the usual downside with security tradeoffs that favor the security side of the equation: you may be completely unable to access your account again if you screw this up. And that's also not necessarily a bad thing, if you believe compromise to be a really bad outcome. I think it might be ok to do this for, say, a bank or brokerage account. If you manage to fully and truly lock yourself out online, likely you'll still be able to prove who you are and gain access through some means like visiting a physical branch and showing them your ID. A hassle, to be sure, but if it means that much to you, it might be worth it.
In the end, social engineering is still the biggest problem: other posters in this thread have claimed that they've gotten past the security questions by saying things like "oh, I just mashed the keyboard, that's why my answer is gibberish", or something like that. So there's no way to win, unless perhaps you invent plausible (but incorrect) answers to the questions. "Mother's maiden name? Well, it's actually Jones but I'm going to put in Smith." I imagine a talented social engineer might still be able to get past that, but at some point you just have to acknowledge you've done the best you can.
Security questions aren't for security, they're against it. They're a tradeoff between security and usability, in the direction of usability. Assuming you answer security questions truthfully, they weaken the security of your account. It's like having multi-factor authentication, but instead of requiring all the factors, they just require any one of them. That's not necessarily a bad thing, as long as it doesn't weaken the security so much that it's easy to break.
> Of course, it's terrible to use personal information that can be known to 3rd parties. It's also bad to reuse the same answers across multiple companies, as a compromise at one means you're at risk everywhere.
And here's the problem. Many/most sites that use security questions have a dropdown list of acceptable questions and don't let you enter your own. Often the only thing you can do to avoid making your account easily compromised is to make up answers to some of the questions.
The downside, is, of course, the usual downside with security tradeoffs that favor the security side of the equation: you may be completely unable to access your account again if you screw this up. And that's also not necessarily a bad thing, if you believe compromise to be a really bad outcome. I think it might be ok to do this for, say, a bank or brokerage account. If you manage to fully and truly lock yourself out online, likely you'll still be able to prove who you are and gain access through some means like visiting a physical branch and showing them your ID. A hassle, to be sure, but if it means that much to you, it might be worth it.
In the end, social engineering is still the biggest problem: other posters in this thread have claimed that they've gotten past the security questions by saying things like "oh, I just mashed the keyboard, that's why my answer is gibberish", or something like that. So there's no way to win, unless perhaps you invent plausible (but incorrect) answers to the questions. "Mother's maiden name? Well, it's actually Jones but I'm going to put in Smith." I imagine a talented social engineer might still be able to get past that, but at some point you just have to acknowledge you've done the best you can.