Do security questions pose threat do the user?


When we set up security questions, assuming we answer fairly, we give out to the site our secrets, facts from our past. I wonder if the following is considered:

  • we are encouraged to use a different password for every account, but our mothers have only one maiden name, we’ve had a limited number of pets, etc. Inevitably the answers are going to repeat on many accounts.
  • we’ve seen many data breaches from many places, including the largest internet companies. Can the security answers become public this way? We can update passwords, but our secrets remain the same, except in case of a breach they are no longer secret. Consequences of releasing security answers might be much more serious than that of leaking a password.
  • are the companies and websites actually allowed to store such private information? Are there legal limitations?

I found the following questions on SE:

  • How are "security questions" not a major security hole for any application that uses them?
  • Do security questions make sense?
  • Does removing my security questions on Yahoo make me more secure?
  • Do security questions subvert passwords?

The answers range from "security questions are bad" to "they are bad but we have nothing better". Do we really have nothing better in 2020?

What are the present recommendations for the website creators?

What are the best recommendations for the users? Lie? Provide random strings as answers?