Wednesday, December 5, 2018

Windows 10 security questions: good for recovery, but potentially bad for security, as they could be used to set up a backdoor. Unlike passwords, answers to security questions are not long and complex, they don't expire, and most of the time they don't change. "All the limitations that make passwords safer are not applied on the security questions."



The implications for someone abusing this without the account holder's knowledge are huge.

Security questions and answers aren't carefully protected. "The questions today are not monitored, are not changed. Probably most of IT admins are not even aware of their existence at the time being," Baz continued. "The implications ... for now [are] permanent access to all Windows 10 machines in the network quite easily and in low-profile manner."

Windows 10 security questions and answers are stored as LSA Secrets, where Windows stores passwords and other data for everyday operations. With administrative access to the registry, one can read and write LSA Secrets, and so change a user's security questions and answers, installing a backdoor to access the same system in the future.


https://www.darkreading.com/endpoint/windows-10-security-questions-prove-easy-for-attackers-to-exploit/d/d-id/1333404
