Security questions - track & autofill like a password

Feature name

  • Security questions tracking

Feature function

  • Generate, store, and autofill “security question” answers per site.
  • Generated answers should be both length and language configurable: e.g., N English words that are minimally M letters long.
  • Flag re-used “security question” answers across sites.

Related topics + references

No citations, but my understanding is that “security questions” are basically bad passwords: if actual answers are used, they can be researched; if false answers are generated, it’s the “unique password per site” problem all over again.
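The three bullets under "Feature function" above describe a small, concrete mechanism: draw N words of at least M letters from a word list, store the answer against the site, and flag answers that appear on more than one site (plus the "you haven't filled these in" audit from later in the thread). The following Python is an added illustration of that mechanism, not Bitwarden code and not from the original post; the word list, the `SAMPLE_VAULT` entries and the function names are constructed for the example.

```python
"""Treat security-question answers like passwords: generate, store, audit.

Added illustration for the feature request above; not Bitwarden's code.
"""
import math
import secrets
from collections import defaultdict

# Constructed stand-in word list. A real generator would use a large list
# (thousands of words, e.g. a diceware-style list); this one is for the demo.
WORDLIST = [
    "apple", "cabin", "orbit", "ink", "oak", "elm", "fjord", "igloo",
    "radiator", "brigade", "oblivious", "reliably", "overbill", "lantern",
    "meadow", "quartz", "velvet", "harbor", "saddle", "pepper", "tundra",
    "walrus", "zephyr", "glacier", "mosaic", "nectar",
]


def eligible_words(min_word_len, wordlist=WORDLIST):
    """Words that satisfy the per-word minimum length ("M letters")."""
    return [w for w in wordlist if len(w) >= min_word_len]


def generate_answer(num_words, min_word_len, wordlist=WORDLIST,
                    separator="-", rng=secrets):
    """Return N words, each at least M letters long, joined by separator.

    rng only needs a .choice() method; the default is the secrets module
    (CSPRNG). A seeded random.Random can be passed for reproducible tests.
    """
    pool = eligible_words(min_word_len, wordlist)
    if not pool:
        raise ValueError(f"no words of length >= {min_word_len} in the list")
    return separator.join(rng.choice(pool) for _ in range(num_words))


def answer_entropy_bits(num_words, min_word_len, wordlist=WORDLIST):
    """Guessing entropy of a generated answer.

    Words are drawn independently with replacement, so entropy is
    N * log2(pool size). Note that raising M shrinks the pool, which lowers
    the entropy contributed by each word even though the answer gets longer.
    """
    pool = eligible_words(min_word_len, wordlist)
    return num_words * math.log2(len(pool)) if pool else 0.0


def normalize(answer):
    """Compare answers the way sites usually do: trimmed and case-folded."""
    return " ".join(answer.split()).casefold()


def find_reused_answers(vault):
    """Map every (normalized) answer used on more than one site to those sites.

    vault is a list of {"site": str, "questions": {question: answer}}.
    """
    sites_by_answer = defaultdict(set)
    for entry in vault:
        for answer in entry["questions"].values():
            key = normalize(answer)
            if key:  # blank answers are an audit finding, not a reuse finding
                sites_by_answer[key].add(entry["site"])
    return {a: sorted(s) for a, s in sites_by_answer.items() if len(s) > 1}


def find_unfilled(vault):
    """Sites with no security questions recorded, or with a blank answer."""
    return sorted(
        e["site"] for e in vault
        if not e["questions"] or any(not normalize(a) for a in e["questions"].values())
    )


# Constructed sample vault: one reused "real" answer (case and whitespace
# differ, which a site would normalize away), one generated answer, one blank,
# one site with no questions recorded at all.
SAMPLE_VAULT = [
    {"site": "bank.example", "questions": {
        "What was the name of your first dog?": "Rex",
        "Mother's maiden name?": "velvet-glacier-tundra-nectar"}},
    {"site": "shop.example", "questions": {"First pet's name?": "  rex "}},
    {"site": "forum.example", "questions": {"First pet's name?": ""}},
    {"site": "mail.example", "questions": {}},
]

if __name__ == "__main__":
    print("generated:", generate_answer(4, 6))
    print("entropy (4 words, min 6 letters): %.1f bits" % answer_entropy_bits(4, 6))
    print("reused:", find_reused_answers(SAMPLE_VAULT))
    print("unfilled:", find_unfilled(SAMPLE_VAULT))
```

`find_reused_answers` case-folds and trims before comparing because most sites do the same when checking an answer, so "Rex" and "rex " are the same secret from an attacker's point of view. The entropy helper makes the trade-off in the "N words of at least M letters" setting visible: the minimum-length filter is a usability constraint imposed by the site, and the generator should compensate with more words rather than assume longer words mean a stronger answer.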

Isn’t security questions’ main purpose to authenticate yourself when you forget your password, for example? I have never seen a website where it would constantly ask you for it. Considering that you are using a password manager, you won’t forget your randomly generated passwords.

I guess I see your point here. You want to generate unique answers so that they can’t be guessed, right? Let me make a suggestion: using the Bitwarden password generator, I just generated 2 answers for you:

  • 2$V7x&8!ri!24z6$kqT9
  • reliably-overbill-brigade-oblivious-radiator

You can write notes to each item in your vault, just write them there. Since they will be saved, there is no need for you to remember them, therefore there is no need for it even to be a passphrase; 2$V7x&8!ri!24z6$kqT9 will do a perfect job…

Edit: just realized something and actually giggled a little:
What was the name of your first dog?
Answer: 2$V7x&8!ri!24z6$kqT9


I’m more thinking from a risk assessment standpoint than a functionality standpoint. I’ve seen “security questions” used as a backdoor form of authentication for (1) (as you mention) when you’ve forgotten your password or (2) phone conversations, typically with banks via the phone. In this case, a string of words is much more useful than the example you mention in your edit.

I guess I see your point here. You want to generate unique answers so that they can’t be guessed, right?

No; I want unique answers so if they’re stolen from site #1, they cannot be used at other sites. If the answer to “What was the name of your first dog?” is “2$V7x&8!ri!24z6$kqT9” at 100+ sites, then I’ve got a problem.

And because I’m generating unique answers per site, then I need an easy way to store them, and to have them automatically filled out in forms if it’s required, and to also audit “hey, you haven’t filled out your ‘security question’ fields - do you need to update them?” and similar risks.

So what I want is functionality that makes it as easy as passwords to generate, store, fill, and audit “security question” answers. Nobody would take seriously a modern password manager where you had to (say) open an app and tap 3 levels in to copy your password instead of having a browser extension just fill it in for you; likewise, I am hoping that “security question” functionality can be pushed to a similar level of ease.

Yes, I understood you perfectly. This is what I meant by “unique”, but didn’t really specify. Sorry for the misunderstanding, my bad.

I agree with everything you say, but there is something else: Without doing any kind of research, I honestly thought that this form of authentication is dying. I mean it’s pretty obvious that it’s just bad. There are only so many questions that can be asked, and people are often answering honestly, which is bad. If instead the answers are made up, they become like second passwords and are often forgotten (also, people are already bad enough at making good passwords). I didn’t think someone would want a feature like that, considering all the alternatives:

  • e-mailing you some kind of link/code
  • sending a message to your phone with a code (or even calling)
  • other 2FA, including authenticator app, physical key, fingerprint, etc.

With phone conversations, a security question is indeed the most viable, but how often does that happen? On how many sites do you use this method? Why do you prefer it? I am just trying to make some logical conclusions and understand your point of view. You are welcome to correct me.

Well, now we’re in anecdata, so grab your favorite salt shaker. 🙂

I find it’s fairly common as a password recovery method, and my bank uses it for phone authentication.

I agree that “security questions” should be phased out for the solutions you mention, but I am pessimistic that’ll happen in the next 10 years. There’s too much security theatre associated with it. That said, I’m not a security researcher, so I don’t have any data to back up this impression.

Bitwarden will generate 3+ random words in the Password Generator. You can use it to generate suitable answers to such ridiculous questions and store them in Bitwarden.


Yes! I was planning on using that feature.
My hope is to have that more smoothly integrated into the UX, but I realize it’s hard to detect what’s a security question field.


I have only come across these ridiculous “security” questions when using primitive forms of communication like telephones. The ridiculous questions and answers can live in the notes area of an entry.

I get that we all want to “solve” people problems by suggesting workarounds, but that is not the real purpose of a feature request. I see this type of response all the friggin time in this forum and it’s not helpful; it just shuts down the requester. The request is not outrageous, it has good utility, you may just not personally see it as very interesting (though you would probably use it if it was there, because adding multiple note entries after going to a separate part of the UI to generate responses would be f’ing dumb).

I also would like to be able to add an arbitrary number of security question fields to entries and generate custom responses. Maybe, since identifying which entry goes with a given prompt is hard, instead of trying to auto-fill answers there could be an easy-to-access list of questions (an additional icon in the main UI for URIs that have them defined) that, when clicked on, copies the answer to the clipboard for manual pasting. These are sometimes needed because sites are not perfect and can get out of sync or have bugs. If they decide you are locked out (bug, your accident, or a brute force attempt) you have to have that crap to get a password reset.