I’m not even sure how I would store the answers to these questions in a database. Would you hash them like passwords or just store them in plain text (maybe encrypt them, but if someone has access to your servers they can probably access the encryption key too)?
many passwords allow you to store pass keys (like with crypto wallets) as hashes attached to any login credentials. I would suggest storing them that way. at worst, I used to create secondary credentials.
If you store it in your password manager alongside your password, what’s even the point in having these questions?
In some places it is mandatory
… that’s an excellent question.
Frankly, even if you don’t… what’s the point? if you can crack the password, you can probably crack the secret question. or questions.
if you can social engineer a password, same with secret questions.
They’re basically just a second passwords. possibly one of many passwords with a prompt.
I’m not even sure how I would store the answers to these questions in a database. Would you hash them like passwords or just store them in plain text (maybe encrypt them, but if someone has access to your servers they can probably access the encryption key too)?
many passwords allow you to store pass keys (like with crypto wallets) as hashes attached to any login credentials. I would suggest storing them that way. at worst, I used to create secondary credentials.