Security questions - track & autofill like a password

Feature name

  • Security questions tracking

Feature function

  • Generate, store, and autofill “security question” answers per site.
  • Generated answers should be both length and language configurable: e.g., N English words that are minimally M letters long.
  • Flag re-used “security question” answers across sites.

Related topics + references

No citations, but my understanding is that “security questions” are basically bad passwords: if actual answers are used, they can be researched; if false answers are generated, it’s the “unique password per site” problem all over again.

1 Like
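The generator the request describes (N words, each at least M letters, with a length cap and alphabetic-only words for sites that reject punctuation) is short enough to sketch. The following is an added example, not Bitwarden code or anything from the original post; the word list is a constructed stand-in for a real diceware-style list, and the function and parameter names are my own.

```python
import math
import secrets

# Constructed sample word list, standing in for a real diceware-style list
# (e.g. the EFF long list). A real list has thousands of entries; this one is
# only here so the example runs offline.
WORDLIST = [
    "radiator", "brigade", "oblivious", "overbill", "reliably", "cat", "dog",
    "lantern", "granite", "meadow", "harbor", "velvet", "quartz", "tundra",
    "orchard", "saffron", "cobalt", "walnut", "ember", "fox", "mint", "pebble",
]


def word_pool(wordlist, min_letters):
    """Words usable as answer components: alphabetic only (many sites reject
    digits/punctuation in answers) and at least min_letters long."""
    return sorted({w.lower() for w in wordlist if w.isalpha() and len(w) >= min_letters})


def entropy_bits(n_words, pool_size):
    """Guessing entropy of n_words drawn uniformly (with replacement) from pool_size."""
    return n_words * math.log2(pool_size)


def generate_answer(n_words, min_letters, separator=" ", max_len=None, wordlist=WORDLIST):
    """Generate a per-site security-question answer of n_words words, each at
    least min_letters letters, joined by separator, optionally capped at max_len
    characters (some sites truncate or reject long answers). Uses the secrets
    module, never random, because the answer is a credential."""
    pool = word_pool(wordlist, min_letters)
    if len(pool) < 2:
        raise ValueError("word pool too small for the requested minimum length")
    for _ in range(1000):
        words = [secrets.choice(pool) for _ in range(n_words)]
        answer = separator.join(words)
        if max_len is None or len(answer) <= max_len:
            return answer
    raise ValueError("could not satisfy max_len with the given n_words/min_letters")


def answer_ok(answer, n_words, min_letters, separator=" ", max_len=None, wordlist=WORDLIST):
    """Check an answer against the same rules generate_answer() used; handy for
    auditing answers that were typed or imported by hand."""
    parts = answer.split(separator)
    pool = set(word_pool(wordlist, min_letters))
    return (
        len(parts) == n_words
        and all(p in pool for p in parts)
        and (max_len is None or len(answer) <= max_len)
    )


if __name__ == "__main__":
    pool = word_pool(WORDLIST, 5)
    ans = generate_answer(4, 5, separator="-")
    print(ans)
    print(f"{entropy_bits(4, len(pool)):.1f} bits with this toy list")
```

With a real 7776-word list, four words give about 51.7 bits; with the toy list above the entropy figure is only there to show why the pool size matters more than the word count.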

Isn’t security questions’ main purpose to authenticate yourself when you forget your password, for example? I have never seen a website where it would constantly ask you for it. Considering that you are using a password manager, you won’t forget your random generated passwords.

I guess I see your point here. You want to generate unique answers so that they can’t be guessed, right? Let me make a suggestion: using bitwarden password generator, I just generated 2 answers for you:

  • 2$V7x&8!ri!24z6$kqT9
  • reliably-overbill-brigade-oblivious-radiator

You can write notes for each item in your vault, so just write them there. Since they will be saved, there is no need for you to remember them, therefore there is no need for it to even be a passphrase; 2$V7x&8!ri!24z6$kqT9 will do a perfect job…

Edit: just realized something and actually giggled a little:
What was the name of your first dog?
Answer: 2$V7x&8!ri!24z6$kqT9

1 Like

I’m thinking more from a risk assessment standpoint than a functionality standpoint. I’ve seen “security questions” used as a backdoor form of authentication for (1) when you’ve forgotten your password, as you mention, or (2) phone conversations, typically with banks. In this case, a string of words is much more useful than the example you mention in your edit.

I guess I see your point here. You want to generate unique answers so that they can’t be guessed, right?

No; I want unique answers so if they’re stolen from site #1, they cannot be used at other sites. If the answer to “What was the name of your first dog?” is “2$V7x&8!ri!24z6$kqT9” at 100+ sites, then I’ve got a problem.

And because I’m generating unique answers per site, then I need an easy way to store them, and to have them automatically filled out in forms if it’s required, and to also audit “hey, you haven’t filled out your ‘security question’ fields - do you need to update them?” and similar risks.


So what I want is functionality that makes it as easy as passwords to generate, store, fill, and audit “security question” answers as passwords. Nobody would take seriously a modern password manager where you had to (say) open an app and tap 3 levels in to copy your password instead of having a browser extension just fill it in for you; likewise, I am hoping that “security question” functionality can be pushed to a similar level of ease.

1 Like

Yes, I understood you perfectly. This is what I meant by “unique”, but didn’t really specify. Sorry for the misunderstanding, my bad.

I agree with everything you say, but there is something else: without doing any kind of research, I honestly thought that this form of authentication was dying. I mean, it’s pretty obvious that it’s just bad. There are only so many questions that can be asked, and people often answer honestly, which is bad. If instead the answers are made up, they become like second passwords and are often forgotten (also, people are already bad enough at making good passwords). I didn’t think someone would want a feature like that, considering all the alternatives:

  • e-mailing you some kind of link/code
  • sending a message to your phone with a code (or even calling)
  • other 2FA, including authenticator app, physical key, fingerprint, etc.

With phone conversations, security question is indeed the most viable, but how often does that happen? On how many sites do you use this method? Why do you prefer it? I am just trying to make some logical conclusions and understand your point of view. You are welcome to correct me.

Well, now we’re in anecdata, so grab your favorite salt shaker. 🙂

I find it’s fairly common as a password recovery method, and my bank uses it for phone authentication.

I agree that “security questions” should be phased out for the solutions you mention, but I am pessimistic that’ll happen in the next 10 years. There’s too much security theatre associated with it. That said, I’m not a security researcher, so I don’t have any data to back up this impression.

Bitwarden will generate 3+ random words in the Password Generator. You can use it to generate suitable answers to such ridiculous questions and store them in Bitwarden.

1 Like

Yes! I was planning on using that feature.
My hope is to have that more smoothly integrated into the UX, but I realize it’s hard to detect what’s a security question field.

1 Like

I have only come across these ridiculous “security” questions when using primitive forms of communication like telephones. The ridiculous questions and answers can live in the notes area of an entry.

I get that we all want to “solve” people problems by suggesting workarounds, but that is not the real purpose of a feature request. I see this type of response all the friggin’ time in this forum and it’s not helpful; it just shuts down the requester. The request is not outrageous, it has good utility; you may just not personally see it as very interesting (though you would probably use it if it were there, because adding multiple note entries after going to a separate part of the UI to generate responses would be f’ing dumb).

I also would like to be able to add an arbitrary number of security question fields to entries and generate custom responses. Maybe, since identifying which entry goes with a given prompt is hard, instead of trying to autofill answers there could be an easy-to-access list of questions (an additional icon in the main UI for URIs that have them defined) that, when clicked on, copies the answer to the clipboard for manual pasting. These are sometimes needed because sites are not perfect and can get out of sync or have bugs. If they decide you are locked out (a bug, your own accident, or a brute-force attempt), you have to have that crap to get a password reset.

Late addition, but IMHO still relevant: how to use a password manager like BitWarden to manage security questions.

Start with basics: Security questions should be treated like passwords.

On many sites security questions are really a single factor of authentication that can get you into an account. Yes, many accounts have just a single security question (including some US government accounts). Sometimes they have multiple security questions but only ask you one, and answering only one is sufficient to reset your password. And even if they ask you more than one, if all of your security questions are kept together they can be stolen together.

If a site emails or texts you a link or a code once you have answered one or more security questions to reset your password, I suppose that is MFA. But some sites don’t bother to do that. And even if they do, in the presence of SIM hijacking, and the somewhat less common but nevertheless real email hijacking, it’s not that great an MFA.

The risk with security questions is not just that somebody can find you on the Internet. Nor that you might’ve posted about your favorite pet. But if you use the same security questions on multiple sites…

Therefore, security questions should be different per site.

Now, how should a password manager handle security questions? well, password managers are a reasonably good way of handling per site different ideally random things.

Observation: while you could put security questions in the per-site notes of your password manager, many password managers like BitWarden and LastPass display your password obfuscated or blacked out but display the per-site notes without blacking them out. So if the user has gone into the password manager to look at a site entry (e.g. because of synchronization problems), the user is at risk if somebody is looking over their shoulder. Where “somebody” might be a security camera. Do you want to trust the minimum-wage person monitoring the security cameras?

=> If you have a password manager like BitWarden that does not black out the secure notes, then (a) you should put the security questions (and reset codes) in a separate note that you will need to look at less often. Or possibly (b) a kludge: perhaps start the per-site entry note with some innocuous text, but then provide enough blank lines that you would need to scroll down explicitly.

Both of these schemes for dealing with password managers like BitWarden that do not black out the per-site notes are suboptimal. (a) It can be a pain to coordinate the per-site password entry and the extra per-site secure notes, especially when companies and websites change names or have aliases, or SSO, or… It is better if a password manager lets you have a single entry for a site but allows you to black out not just the password but also secure notes or reset codes. (b) Scrolling… if multiple secure notes or reset codes are visible at the same time, then more than one thing can be stolen by that hypothetical person looking over your shoulder.

=> DESIGN PRINCIPLE: in an ideal world, or at least in a world where there are slightly better password managers than BitWarden, a per-site entry would allow not just the actual password to be blacked out in normal presentation; it would have at least one and ideally multiple, dynamically varying in number, additional blackout-able note fields. You could probably get away with a single multiline note field and a variable number of single-line blackout-able fields.

OK, some minor things: IMHO it is best when you can just use conventional randomly produced passwords like hFDo#$9xbim7c*i5E#1E as your security question answers. However, I have encountered websites that constrain security question answers to be only alphabetical, at least N words with blanks, etc. So at the very least the password manager should allow for, say, 60 or 80 characters of any type in a security question answer. And ideally a password manager should provide the ability to generate such random multiword passwords. This last is lower priority; I can roll dice.

Having a password manager like BitWarden provide multiple blackout fields in the per-site entries in addition to password entries is a good start. But it sure would be nice if we could take advantage of matching on website URLs the same way password filling can be triggered.

Minor [supposedly]: IMHO a password manager should never automatically fill in login name and password when you first visit a webpage or sign-in box. Not only is that a pain when you have multiple accounts at the same website (e.g. child accounts managed by parents as well as children), but also it’s a security hole, one that BitWarden has apparently been vulnerable to in the past, and may still be vulnerable to.

But it’s convenient and less of a security hole if the user has the option of explicitly saying “select one of the several possible passwords for accounts that match the site and fill it in”. And it would be nice to have that same ability for security questions.

Of course, if security questions are not asked all that often it’s not bad to have to go and manually (a) find the security note that contains the security questions, (b) remove blacking out so you can (c) copy the security question answers, and (d) paste them in to the answer field.

However, at least one of my retirement accounts asks for at least one of my security question answers every time I log in.


Enough for now.

Note: although the above discussion is about security questions, it also applies to reset codes, which are similarly often single factors, or single factors in conjunction with email or text notifications that are vulnerable to hijacking.

One can add custom fields to each password entry. I use a custom field with type ‘password’ to hide the content from prying eyes 🙂

1 Like
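The audit the request asks for (flag reused answers across sites, flag logins that have no security-question fields recorded at all, and, following the custom-field tip above, flag answers that were not stored as a hidden field) can be run offline against an export. The following is an added example and not part of the thread or of Bitwarden; it assumes the layout of Bitwarden’s unencrypted JSON export (items with `type` 1 for logins and a `fields` list whose entries carry `name`, `value` and `type`, with 1 meaning hidden), a naming convention of prefixing security-question field names with `sq:`, and a constructed sample export. Check those assumptions against your own export before relying on the output.

```python
import json
from collections import defaultdict

# Assumed layout of Bitwarden's *unencrypted* JSON export (verify against your
# own export before relying on it): items carry "type" (1 = login) and an
# optional "fields" list whose entries have "name", "value" and "type"
# (0 = text, 1 = hidden). Adjust these constants if your export differs.
ITEM_TYPE_LOGIN = 1
FIELD_TYPE_HIDDEN = 1
SQ_PREFIX = "sq:"  # assumed naming convention for security-question fields

# Constructed sample export; not real vault data.
SAMPLE_EXPORT = json.dumps({
    "encrypted": False,
    "items": [
        {"type": 1, "name": "Bank",
         "login": {"username": "me", "password": "p1"},
         "fields": [
             {"name": "sq:first dog", "value": "harbor-velvet-quartz", "type": 1},
         ]},
        {"type": 1, "name": "Retirement",
         "login": {"username": "me", "password": "p2"},
         "fields": [
             {"name": "sq:first dog", "value": "harbor-velvet-quartz", "type": 1},
             {"name": "sq:birth city", "value": "meadow-tundra-ember", "type": 0},
         ]},
        {"type": 1, "name": "Forum",
         "login": {"username": "me", "password": "p3"},
         "fields": []},
        {"type": 2, "name": "Scratch note", "notes": "not a login"},
    ],
})


def security_question_fields(item):
    """Custom fields whose name starts with the sq: prefix (case-insensitive)."""
    return [f for f in item.get("fields") or []
            if (f.get("name") or "").lower().startswith(SQ_PREFIX)]


def audit_export(export_json):
    """Audit security-question answers the way a vault audits passwords:
    - reused: the same answer stored for more than one (site, question)
    - missing: login items with no security-question fields at all
    - visible: answers stored as plain text fields rather than hidden ones
    """
    items = json.loads(export_json)["items"]
    uses = defaultdict(list)
    missing, visible = [], []
    for item in items:
        if item.get("type") != ITEM_TYPE_LOGIN:
            continue  # notes, cards and identities carry no login to protect
        fields = security_question_fields(item)
        if not fields:
            missing.append(item["name"])
            continue
        for f in fields:
            uses[f["value"]].append((item["name"], f["name"]))
            if f.get("type") != FIELD_TYPE_HIDDEN:
                visible.append((item["name"], f["name"]))
    reused = {ans: where for ans, where in uses.items() if len(where) > 1}
    return {"reused": reused, "missing": missing, "visible": visible}


if __name__ == "__main__":
    # Report locations only; never echo the answers themselves to a terminal.
    report = audit_export(SAMPLE_EXPORT)
    for where in report["reused"].values():
        print(f"REUSED answer in {len(where)} places: {where}")
    for name in report["missing"]:
        print(f"NO security questions recorded: {name}")
    for name, field in report["visible"]:
        print(f"NOT hidden: {name} / {field}")
```

Run it against a freshly exported, unencrypted JSON file and delete that file afterwards; the export holds every password in the clear, which is exactly the shoulder-surfing and theft exposure the post above is worried about.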

I just want to add one data point from a not-super-dark corner of the internet. The UK government has a service that provides tax relief on payments to childcare providers. The site itself seems to use a cross-government authentication system (password + SMS code), but then every time you want to transfer money to a childcare provider, it asks three security questions. If you have twins (guess who has twins), you answer the same three questions, twice, for every payment.

So for some users autofill for security questions would be great!