Late addition, but IMHO still relevant: how to use a password manager like BitWarden to manage security questions.
Start with basics: Security questions should be treated like passwords.
On many sites security questions are really a single factor of authentication that can get you into an account. Yes, many accounts just have a single security question (including some US government accounts). Sometimes they have multiple security questions, but only ask you one, and answering only one is sufficient to reset your password. And even if they ask you more than one, if all of your security questions are kept together they can be stolen together.
If a site emails or texts you a link or a code when you have answered one or more security questions to reset your password, I suppose that is MFA. But some sites don’t bother to do that. And even if they do, in the presence of SIM-hijacking, and the somewhat less common but nevertheless real email hijacking, it’s not that great an MFA.
The risk with security questions is not just that somebody can find you on the Internet. Nor that you might’ve posted about your favorite pet. But if you use the same security questions on multiple sites…
Therefore, security questions should be different per site.
Now, how should a password manager handle security questions? Well, password managers are a reasonably good way of handling different, ideally random, per-site things.
Observation: while you could put security questions in the per-site notes for your password manager, many password managers like BitWarden and LastPass display your password obfuscated or blacked out, but display the per-site notes without blacking them out. So if the user has gone into the password manager to look at a site entry (e.g. because of synchronization problems), then the user is at risk if somebody is looking over their shoulder. Where “somebody” might be a security camera. Do you want to trust the minimum-wage person monitoring the security cameras?
=> If you have a password manager like BitWarden that does not black out the secure notes, then (a) you should put the security questions (and reset codes) in a separate note that you will need to look at less often. Or possibly (b) kluge: perhaps start the per-site entry note with some innocuous text, but then provide enough blank lines that you would need to scroll down explicitly.
Both of these schemes for dealing with password managers like BitWarden that do not black out the per-site notes are suboptimal. (a) It can be a pain to coordinate the per-site password entry and the extra per-site secure notes – especially when companies and websites change names or have aliases, or SSO, or… It is better if a password manager lets you have a single entry for a site, but allows you to black out not just the password but also secure notes or reset codes. (b) Scrolling… if multiple secure notes or reset codes are visible at the same time, then more than one thing can be stolen by that hypothetical person looking over your shoulder.
=> DESIGN PRINCIPLE: in an ideal world, or at least in a world where there are slightly better password managers than BitWarden, a per-site entry would allow not just the actual password to be blacked out in normal presentation, but it would have at least one and ideally multiple, dynamically varying in number, additional blackout-able notes fields. You could probably get away with a single multiline note field, and a variable number of single-line blackout-able fields.
OK, some minor things: IMHO it is best when you can just use conventional randomly produced passwords like hFDo#$9xbim7c*i5E#1E as your security question answers. However, I have encountered websites that constrain security question answers to be only alphabetical, at least N words with blanks, etc. So at the very least the password manager should allow for, say, 60 or 80 characters of any type in a security question answer. And ideally a password manager should provide the ability to generate such random multiword passwords. This loss is lower priority; I can roll dice.
Having a password manager like BitWarden provide multiple blackout fields in the per site entries in addition to password entries is a good start. But it sure would be nice if we could take advantage of matching on website URLs the same way password filling can be triggered.
Minor [supposedly]: IMHO a password manager should never automatically fill in login name and password when you first visit a webpage or sign-in box. Not only is that a pain when you have multiple accounts at the same website (e.g. child accounts managed by parents as well as children), but also it’s a security hole — one that BitWarden has apparently been vulnerable to in the past, and may still be vulnerable to.
But it’s convenient and less of a security hole if the user has the option of explicitly saying “select one of the several possible passwords for accounts that match the site and fill it in”. And it would be nice to have that same ability for security questions.
Of course, if security questions are not asked all that often it’s not bad to have to go and manually (a) find the security note that contains the security questions, (b) remove the blacking out so you can (c) copy the security question answers, and (d) paste them into the answer field.
However, at least one of my retirement accounts asks for at least one of my security question answers every time I log in.
Enough for now.
Note: although the above discussion is about security questions, it also applies to reset codes, which are similarly often single factors, or single factors in conjunction with email or text notifications that are vulnerable to hijacking.
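The post recommends treating security-question answers as per-site random passwords, and notes that some sites only accept alphabetic or multi-word answers. The following Python is an example added to this discussion (it is not code from the post, nor from BitWarden or any password manager): it generates answers under such constraints using the `secrets` CSPRNG, estimates their entropy, and flags an answer that has been reused across sites, which is the risk the post warns about. The word list and the site names are constructed for the demo; a real tool would load a published diceware-style list of several thousand words.

```python
"""Per-site random security-question answers under site-imposed constraints.
Example code added for this discussion; not any password manager's code."""
import math
import secrets
import string

# Constructed word list for the demo only (24 words, so only ~4.6 bits/word).
# A real tool should load a large published list (thousands of words).
DEMO_WORDLIST = [
    "acorn", "bridge", "cactus", "dolphin", "ember", "falcon", "garnet", "harbor",
    "island", "jasper", "kettle", "lantern", "meadow", "nickel", "orchid", "pepper",
    "quartz", "ripple", "saddle", "timber", "umpire", "velvet", "walnut", "yonder",
]

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_answer(length=60, alphabet=FULL_ALPHABET):
    """Answer for sites that accept any characters: a long uniformly random
    string. `secrets` is a CSPRNG; `random` is not suitable for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_word_answer(n_words, wordlist=DEMO_WORDLIST, separator=" "):
    """Answer for sites that require letters only or at least N words:
    n_words drawn uniformly from the list (the dice-rolling the post mentions)."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(choices_per_symbol, symbols):
    """Entropy of a uniformly random answer: symbols * log2(choices)."""
    return symbols * math.log2(choices_per_symbol)


def satisfies(answer, alphabetic_only=False, min_words=1, max_length=None):
    """Check an answer against the constraints a site states."""
    words = answer.split()
    if alphabetic_only and not all(w.isalpha() for w in words):
        return False
    if len(words) < min_words:
        return False
    if max_length is not None and len(answer) > max_length:
        return False
    return True


def answer_for_policy(alphabetic_only=False, min_words=1, max_length=None):
    """Pick the strongest answer shape the site's policy allows."""
    if alphabetic_only:
        # Use several words even if the site only requires a few: short
        # words from a small list carry few bits each.
        n = max(min_words, 6)
        ans = random_word_answer(n)
        while max_length is not None and len(ans) > max_length and n > min_words:
            n -= 1
            ans = random_word_answer(n)
    else:
        length = 60 if max_length is None else min(60, max_length)
        ans = random_answer(length)
    if not satisfies(ans, alphabetic_only, min_words, max_length):
        raise ValueError("policy cannot be satisfied with this word list")
    return ans


def answers_for_site(site, questions, policy):
    """One independent random answer per question, per site. Keyed by
    (site, question) so that nothing is shared between sites."""
    return {(site, q): answer_for_policy(**policy) for q in questions}


def reused_answers(vault):
    """Flag answers that appear under more than one site, the reuse the post
    warns against. `vault` maps (site, question) -> answer."""
    sites_by_answer = {}
    for (site, _question), ans in vault.items():
        sites_by_answer.setdefault(ans, set()).add(site)
    return {a: sorted(s) for a, s in sites_by_answer.items() if len(s) > 1}


if __name__ == "__main__":
    # Constructed demo: two sites with different answer policies.
    vault = {}
    vault.update(answers_for_site("bank.example", ["pet", "street"], {}))
    vault.update(answers_for_site("gov.example", ["pet"],
                                  {"alphabetic_only": True, "min_words": 3, "max_length": 80}))
    for key, ans in vault.items():
        print(key, "->", ans)
    print(f"5 words from a 7776-word list: {entropy_bits(7776, 5):.1f} bits")
    print(f"20 chars from 94 symbols:      {entropy_bits(94, 20):.1f} bits")
    print("reused across sites:", reused_answers(vault))
```

The entropy figures are the practical reason to prefer the full-alphabet form where a site allows it: a 60-character answer from 94 symbols is far beyond anything a guesser can reach, while a three-word answer from a small list may be weaker than the password it is meant to back up, so the word count has to be pushed up when the site forces letters only.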