These are supposed to be the very last line of defense for security, including if you lose your password manager. As an exaggerated analogy, imagine that being unable to answer these questions meant your house, car, and life savings are taken from you. That is how important these answers are, except you're "only" losing one online account at a time.
Of course, it's terrible to use personal information that can be known to 3rd parties. It's also bad to reuse the same answers across multiple companies, as a compromise at one means you're at risk everywhere. The reason behind why security questions exist is a good one, but they don't offer enough security when used as intended (memorable, non-random data). The problem is there is currently no better alternative, short of requiring you to tie your legal identity to every account, and having to show up in person with photo ID to regain control of an account you've lost access to.
Anything relying on tech (like a password manager) is a bad idea for the general public. The average person does not have multiple off-site backups to guarantee that the information is physically impossible to lose.
Where they stand at the security line is irrelevant, because their mere existence in a place is already a symptom of a deep level of incompetence and an almost sure prediction of a compromised system. Besides, security is usually chain-like (compromise one node and it's broken), not army-like (compromise one node and you'll have to fight the next).
Besides, most people do not have a favorite color, do not remember the name of their 3rd grade teacher, and have severe doubts about what counts as their "first" pet. Yes, they are intended to solve a real problem, but nothing about them survives any amount of questioning.
For things like house, car, and life savings, I'm perfectly glad to go somewhere with physical ID. Heck, I'd love to see police stations offering this as a municipal service. Lying via internet form is pretty easy. Walking into a building with 100 cops bearing fake ID is a whole different level.
With a password manager such as Lastpass or 1Password you only need one very strong password you as a human can remember. The passwords it manages don't need to be human-rememberable. They can have as high an entropy as allowed.
> Anything relying on tech (like a password manager) is a bad idea for the general public. The average person does not have multiple off-site backups to guarantee that the information is physically impossible to lose.
2FA of the strong password plus physical OTP (like YubiKey) with one backup key is more than sufficient. Sure, it's not 3 letter agency proof. They can easily break into your house and steal your backup key temporarily, whilst recording you typing in your password, or catching you on the go. But against most criminals (a much more common vector for the general public) this is going to work just fine.
Security questions aren't for security, they're against it. They're a tradeoff between security and usability, in the direction of usability. Assuming you answer security questions truthfully, they weaken the security of your account. It's like having multi-factor authentication, but instead of requiring all the factors, they just require any one of them. That's not necessarily a bad thing, as long as it doesn't weaken the security so much that it's easy to break.
> Of course, it's terrible to use personal information that can be known to 3rd parties. It's also bad to reuse the same answers across multiple companies, as a compromise at one means you're at risk everywhere.
And here's the problem. Many/most sites that use security questions have a dropdown list of acceptable questions and don't let you enter your own. Often the only thing you can do to avoid making your account easily compromised is to make up answers to some of the questions.
The downside is, of course, the usual downside with security tradeoffs that favor the security side of the equation: you may be completely unable to access your account again if you screw this up. And that's also not necessarily a bad thing, if you believe compromise to be a really bad outcome. I think it might be ok to do this for, say, a bank or brokerage account. If you manage to fully and truly lock yourself out online, likely you'll still be able to prove who you are and gain access through some means like visiting a physical branch and showing them your ID. A hassle, to be sure, but if it means that much to you, it might be worth it.
In the end, social engineering is still the biggest problem: other posters in this thread have claimed that they've gotten past the security questions by saying things like "oh, I just mashed the keyboard, that's why my answer is gibberish", or something like that. So there's no way to win, unless perhaps you invent plausible (but incorrect) answers to the questions. "Mother's maiden name? Well, it's actually Jones but I'm going to put in Smith." I imagine a talented social engineer might still be able to get past that, but at some point you just have to acknowledge you've done the best you can.
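The "make up answers and store them in your password manager" approach from the comment above, as an added example that is not part of the thread: it generates a random but pronounceable answer from a word list (so it can be read to a support agent without sounding like keyboard mashing) and compares its entropy with that of a truthful answer an attacker could narrow to a small candidate pool. The 32-entry word list and the pool size of 12 are constructed for the example.

```python
import math
import secrets

# Constructed word list for the example (32 words = exactly 5 bits per word).
# A real generator would draw from a much larger list so each word carries more bits.
WORDS = [
    "amber", "basil", "cedar", "delta", "ember", "fjord", "gable", "haven",
    "ivory", "jetty", "kayak", "lemon", "maple", "nylon", "ocean", "pearl",
    "quill", "ridge", "sable", "tulip", "umber", "vivid", "wheat", "xenon",
    "yacht", "zesty", "argon", "bison", "cocoa", "dusty", "elbow", "frost",
]


def pool_entropy_bits(pool_size):
    """Bits of uncertainty when the answer is drawn uniformly from pool_size candidates."""
    if pool_size < 1:
        raise ValueError("pool must contain at least one candidate")
    return math.log2(pool_size)


def fabricated_answer(n_words=3, words=WORDS):
    """Random, pronounceable answer plus its entropy in bits; store both in the manager."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    return " ".join(chosen), n_words * pool_entropy_bits(len(words))


def compare_answers(truthful_pool_size, n_words=3, words=WORDS):
    """Return (truthful_bits, fabricated_bits) so the gain from fabricating is visible."""
    truthful = pool_entropy_bits(truthful_pool_size)
    fabricated = n_words * pool_entropy_bits(len(words))
    return truthful, fabricated


if __name__ == "__main__":
    answer, bits = fabricated_answer()
    print(f"fabricated answer: {answer!r} ({bits:.0f} bits)")
    # Assumed for illustration: someone who knows the account holder can narrow
    # "favorite color" to about a dozen candidates, i.e. roughly 3.6 bits.
    print("truthful vs fabricated bits:", compare_answers(12))
```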
And it's a shame to lose that feature, but they compromise your security so terribly that you're far better off not using them.
> it is possible to lose them - and that is unacceptable
Ten steps forward, two steps back. I find that acceptable.