Is storing the answer to a secret question any more secure than storing a password?

Reading what is currently the top answer to a recent question on how/whether to send users their passwords, I was intrigued that the most popular answer said the following...

  1. storing passwords in such a way that they are retrievable is insecure
  2. using a reset feature with the help of a secret question is a valid alternative

(These two points seem contradictory.)

I use hashed passwords for security, but I've always assumed that the password question and answer scheme are even less secure because they actually give a hint as to what the answer may be. (I often use .NET's default membership provider.)

Is there something I'm missing because I've not bothered to use the question & answer? Are secret question and answers, without incorporating any sort of timed email reset function, any more secure than storing a password in the db?


Follow Up: Microsoft's membership provider uses the same format for storing answers to secret questions as they do for the password. If you specify hashed for the password, then it will store the secret answer the same way.

From the posts below, it appears that, if used, a secret question/answer mechanism should only be used in addition to an email reset scheme, rather than instead of, and should be hashed as well. This, of course, may present problems for people like me who put long random strings in the secret answer section.

496 likes
Feckmore asked Jul 14 '09 18:07


4 Answers

Passwords are answers to a 'secret' question. That question is, "what is your password?".

As Scunliffe points out, adding an additional field of user input may or may not increase the security of the password - that depends on the user's practices.

80 likes
Dan Davies Brackett answered Oct 05 '22 09:10


I allow myself to be guided by OWASP here:

They are unacceptable for the following reasons:

  • Collection of information about people without their explicit consent (such as "Mother's maiden name") is illegal in most privacy regimes. Such collection is subject to privacy laws, review and correction by the subject, and so on.

  • IT Security Policies and standards such as ISO 27000 prohibit the clear text storage of passwords, but almost all Q&A schemes store both the question and answer in the clear.

  • The information in the answers is public for a goodly portion of the users of the Internet, and thus is found using public sources.

Edit (2018): OWASP seems to have re-arranged their materials. The Wayback Machine captured a copy of the original page.

35 likes
VoiceOfUnreason answered Oct 05 '22 09:10


The question and answer idiom has been exploited in many published "email hacks" (example) - I'd certainly avoid using it.

29 likes
Paul Dixon answered Oct 05 '22 07:10


Secret questions and answers are only as secure as the user makes them to be. If someone knows anything about you, they can answer an easy question and reset your password. I'm guessing answers are also hashed, so that the answer is not directly stored. But again, knowing the answer to the question is all it takes.

A hashed password stored is about as secure as most applications get, and that's fine because it's one way, and thus the plain text is never stored nor can it be retrieved.

26 likes
AlbertoPL answered Oct 05 '22 07:10
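The asker's follow-up (store the secret answer "the same way" as the hashed password) and AlbertoPL's point that a hash is one-way and therefore never yields the plain text can be shown in code. The following is an added example written for this page; it is not code from the question, from any answer, or from ASP.NET's membership provider. It assumes PBKDF2-HMAC-SHA256 with a salt and an illustrative iteration count, a small constructed deny-list of guessable answers, and hypothetical function names (`hash_secret`, `store_secret_question`, `verify_secret_answer`). The one difference from password storage it demonstrates is normalisation: an answer typed from memory months later is case-folded and whitespace-collapsed before hashing, while a password is hashed exactly as typed. Hashing does nothing about the low entropy of a public or easy answer, which is why the deny-list check sits in front of the hash.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Illustrative parameters (an assumption for this example, not a value taken
# from the question or from the .NET membership provider).
ITERATIONS = 100_000
SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Canonicalise a secret answer before hashing.

    Unlike a password, an answer is recalled from memory, so case and
    surrounding/duplicate whitespace are folded. The answer is still never
    stored in clear text; only the normalised form's hash is kept.
    """
    return re.sub(r"\s+", " ", answer.strip()).casefold()


def hash_secret(secret: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Salted, iterated one-way hash used for both passwords and answers.

    The result is self-describing so the parameters travel with the hash.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed deny-list of answers that are public or trivially guessable;
# a real deployment would use a much larger one.
WEAK_ANSWERS = {"password", "none", "123456", "n/a", "smith", "blue"}


def store_secret_question(question: str, answer: str) -> dict:
    """Keep the question in clear (it is shown to the user as a hint) and
    the answer only as a salted hash, mirroring password storage.
    Rejects answers that are too short or on the deny-list."""
    norm = normalize_answer(answer)
    if len(norm) < 4 or norm in WEAK_ANSWERS:
        raise ValueError("secret answer is too guessable")
    return {"question": question, "answer_hash": hash_secret(norm)}


def verify_secret_answer(record: dict, attempt: str) -> bool:
    """Apply the same normalisation at verification time."""
    return verify_secret(normalize_answer(attempt), record["answer_hash"])


def demo() -> dict:
    """Constructed sample data showing both secrets stored the same way."""
    pw_hash = hash_secret("correct horse battery staple")
    rec = store_secret_question("Name of your first school?",
                                "  St. Mary's  Primary ")
    return {
        # passwords are compared exactly as typed
        "password_ok": verify_secret("correct horse battery staple", pw_hash),
        "password_wrong": verify_secret("Correct horse battery staple", pw_hash),
        # answers are normalised, so case/whitespace differences still match
        "answer_ok": verify_secret_answer(rec, "st. mary's primary"),
        "answer_wrong": verify_secret_answer(rec, "st. mary's secondary"),
        # the plain text never appears in the stored record
        "stored_in_clear": "St. Mary" in rec["answer_hash"],
    }


if __name__ == "__main__":
    print(demo())
```

Because the question text is stored in clear, a database read exposes the hint but not the answer; the deny-list and minimum length are the only defences against the other weakness the thread describes, an answer that anyone who knows the user can supply.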