Password Manager normally stores security questions, used to authenticate users who forget their passwords, in its internal database. The questions and answers are encrypted using 128-bit AES using a secret key. Alternatively, Password Manager can be tied to an external repository (e.g., LDAP, AD, Oracle, etc.) where it reads and writes encrypted or hashed security question data and possibly login IDs.
Password Manager includes batch data loading programs (e.g., to load user profiles, security questions, login ID aliases) and data extraction programs (e.g., to dump the contents of any table as a CSV file).
Password Manager also includes a number of plug-in points that allow it to look up user profile data in an external database or directory at run-time, as required. These are used to externalize user profile data -- for example, to an LDAP directory, to Active Directory or to an database.
Finally, Password Manager includes a number of plug-in points that allow it to update user profile data, such as identity attributes, login ID reconciliation or security questions, on an external directory or database, at run-time. Such updates are normally the result of user registration processes.
Putting this flexibility together, an example deployment might authenticate users signing into Password Manager using their LDAP login ID and password and store user profile data, such as a list of login IDs to various systems and security questions, in the same or another LDAP directory.