[entropy_]

Why would that be the case? It just seems stupid to do so. A security answer is pretty much functionally identical to a password. Doesn't make sense not to hash it(there are no uses of the answer where you would need it in non-hashed form)

[Firehed]

They're often used by support agents as a workaround for giving them your password (which the entire world has been diligently trained not to do, right?). They're also often case-insensitive and ignore punctuation, and while it's quite easy to handle that in a hashed scenario, they're usually implemented by programmers that don't get security.

Of course, the same apps with security questions are probably the ones not hashing your actual password in the first place.

[FiloSottile]

Yeah it is stupid, probably because security answers are needed to trigger some system on the server side (not to decrypt anything) and if an attacker has access to the DB, probably can already trigger the process. But actually they are even more sensible to reuse than passwords, so they should be hashed.

[jtheory]

I'm not sure about all security questions, but I have noticed many credit card support lines ask me for my mother's maiden name, and the answer I give is long and not easily spelled but they always confirm -- instantly -- "that's it" and and proceed.

Think about last names, as well... there's huge variety in length, spelling, etc. -- it's poor customer service to force the customer to spell it out letter by letter -- so it's necessarily just displayed there on their screen.