November 28th, 2012
Do you force your users to pick from a list of predefined security questions?
Who is my favorite singer? I don't have one, and even if I did, tastes change over time. What was the name of my first dog? His name was Rex. That was your guess number one anyway. In what hospital was I born? I don't know, and I would probably make a transliteration mistake because we Russians use an alphabet of 33 letters with a few sounds that you will not find in English.
These questions are also a huge security concern. Your friends may know what books you read, what music you listen to, what movies you watch… they may have even watched these movies with you. We should not have to avoid discussing such things online just because some developers decided that only you know the city you were born in. This is not private information, so it's not really a "security" question.
Another problem with questions like my mother's maiden name is that once a site stores the answer in plain text, it becomes a buffet for anyone who wants to hack all my accounts. Most sites use the same cliché questions, so once someone has hacked one site, they may be able to hack them all.
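To illustrate the storage point, here is an added example (not code from the original post) of treating a security-question answer like a password: normalize it so trivial variations still match, then store only a salted scrypt hash, so a dump of one site's database does not hand out the answer every other site asks for. The scrypt work-factor values are assumed defaults, not a recommendation from the post.

```python
"""Store security-question answers like passwords, not in plain text.

Added example (not from the original post): answers are normalized so that
trivial variations ("Rex", " rex ") match, then hashed with a random salt and
the memory-hard scrypt KDF, so a database dump from one site does not expose
the answers for every other site that asks the same cliche question.
"""
import hashlib
import hmac
import secrets
import unicodedata

# Work-factor parameters (assumed reasonable defaults; tune to your hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer: Unicode NFKC, casefold, collapse whitespace."""
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split())


def hash_answer(answer: str) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$hash_hex."""
    salt = secrets.token_bytes(16)  # fresh random salt per stored answer
    digest = hashlib.scrypt(
        normalize_answer(answer).encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_answer(record: str, candidate: str) -> bool:
    """Recompute the hash from the stored parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
        if algo != "scrypt":
            return False
        expected = bytes.fromhex(hash_hex)
        digest = hashlib.scrypt(
            normalize_answer(candidate).encode("utf-8"),
            salt=bytes.fromhex(salt_hex), n=int(n), r=int(r), p=int(p),
            dklen=len(expected),
        )
    except (ValueError, TypeError):
        return False  # malformed record never verifies
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    stored = hash_answer("Rex")  # constructed sample answer from the post
    print(verify_answer(stored, "  rex "), verify_answer(stored, "Fido"))
```

Hashing does not make a guessable answer unguessable; it only stops a breach of one site from leaking the plain-text answer to every other site that asks the same question.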