You know what those "security questions" are. The ones that usually read something like "what is your mother's maiden name?" or "which city were you born in?" They are usually required when you sign up for a service. What are they for? It appears that some services use them for verification when you reset your password, in situations where you have lost it. The security questions are usually personally relevant to the account holder, as the rationale is: you might have forgotten your password, but you'll always remember the answer to your security question.
That is why I do not see any point in having a "security question", as they are highly insecure. What is the chance of you guessing my 16-character, randomly generated, mixed-case alphanumeric passphrase? Possible, but the chances are that a casual hacker will give up after 200 tries. What about guessing my mother's maiden name, or the city that I was born in? Not that difficult. You might even find clues in this blog.
Basically, security questions only make your account more vulnerable, because you are required to choose a second, weak password -- with a hint provided!
Last night I was trying to set up a new Google account for FOCUS so I could create and distribute a public calendar under this moniker. However, the desired login name had already been taken. Doh. Who would register that name, as it is unique to our church? Probably someone from our church as well, so I decided to ask Google to reset the password.
To my surprise, Google did not use the secondary email address to send out password reset notification. Instead, it asked me the "security question":
name of the fellowship at Uni?
Hmmm... That's a hard one, and it took me 30 seconds to come up with an answer, reset the password to a randomly generated alphanumeric string, change the name and secondary email of the account holder, and update the "security question" to something else.
(Don't worry -- the actual account holder was indeed someone from church.)
That has just demonstrated the insecurity of those security questions. I can actually remember my passwords, so, thank you very much, I don't want to create another one that is weaker. So I basically just went back and changed the "security question" of my Google account to be:
What is my password?
And put more randomly generated rubbish in there. Hopefully that will guard my accounts more securely.
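As an added illustration of the guess-space argument in this post (my own sketch, not the author's code), the following Python compares the entropy of the 16-character passphrase described above with answers to the two security questions the post names, and generates the kind of random "answer" the post ends up using. The candidate-pool sizes for surnames and cities are constructed assumptions.

```python
import math
import secrets
import string

# Mixed-case letters plus digits: the 62-symbol alphabet the post's passphrase uses.
ALPHANUMERIC = string.ascii_letters + string.digits

# Constructed pool sizes for the two questions quoted in the post (assumptions, not
# measured data): a list of common surnames, and plausible cities in one country.
COMMON_SURNAMES = 1_000
LIKELY_BIRTH_CITIES = 100

def guess_space(alphabet_size: int, length: int) -> int:
    """Number of distinct values a uniformly random string of this shape can take."""
    return alphabet_size ** length

def entropy_bits(space: int) -> float:
    """Entropy, in bits, of a secret drawn uniformly from `space` candidates."""
    return math.log2(space)

def chance_within(space: int, tries: int) -> float:
    """Probability that `tries` distinct guesses hit a uniformly chosen secret."""
    return min(tries, space) / space

def random_answer(length: int = 16) -> str:
    """The post's mitigation: a security 'answer' that is itself a random string.
    Uses the CSPRNG in `secrets`; the `random` module is not suitable for this."""
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))

def compare(tries: int = 200) -> dict:
    """Entropy and odds of being guessed within `tries` attempts, per secret type."""
    candidates = {
        "16-char alphanumeric passphrase": guess_space(len(ALPHANUMERIC), 16),
        "mother's maiden name": COMMON_SURNAMES,
        "city of birth": LIKELY_BIRTH_CITIES,
    }
    return {
        name: {"bits": round(entropy_bits(space), 1),
               "chance_within_tries": chance_within(space, tries)}
        for name, space in candidates.items()
    }

if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:32s} {stats['bits']:6.1f} bits  "
              f"p(guessed in 200 tries) = {stats['chance_within_tries']:.3g}")
    print("random security answer:", random_answer())
```

With the 200-try budget the post mentions, the maiden-name pool is guessed one time in five and the city pool every time, while the passphrase has roughly 95 bits of entropy and is effectively never hit.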