Adding security questions to back up password-protected web sites has become all the rage. I’ve had to deal with this on many web sites I use, and have encountered it on the back end helping teams implement sites. I’ve known security departments of financial organizations that say these are required by industry rules and not to have them would be a breach of responsibility.
The fact is, having “security questions” weakens security rather than strengthens it. Recent news of the infiltration of Twitter’s proprietary documents is a good case in point. The New York Times reports:
Instead of circumventing security measures, it appears that the Twitter hacker managed to correctly answer the personal questions that Gmail asks of users to reset the password.
If you don’t believe me that security questions weaken security, just ask Bruce Schneier.
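To make the point concrete, here is a small added example (not from the original post) that models why a knowledge-based recovery path weakens the whole login: an attacker takes the weakest path, so the account is only as strong as the easier of the password or the security answer. The answer frequencies below are constructed sample numbers for illustration, not measured data.

```python
import math
from typing import Dict

# Constructed sample: how often each answer to "mother's maiden name"
# appears among 1000 hypothetical users. Illustrative counts only.
SAMPLE_ANSWER_COUNTS: Dict[str, int] = {
    "smith": 250,
    "johnson": 200,
    "williams": 150,
    "brown": 150,
    "jones": 125,
    "garcia": 125,
}


def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def answer_min_entropy_bits(counts: Dict[str, int]) -> float:
    """Min-entropy of the answer distribution: -log2 of the most common answer's
    share. This measures how well a single best guess does against a random
    account, which is what matters for a reset form, not the average case."""
    total = sum(counts.values())
    p_max = max(counts.values()) / total
    return -math.log2(p_max)


def top_k_success_probability(counts: Dict[str, int], k: int) -> float:
    """Fraction of accounts whose answer is among the k most common answers,
    i.e. the success rate of k guesses at the reset form with no lockout."""
    total = sum(counts.values())
    top = sorted(counts.values(), reverse=True)[:k]
    return sum(top) / total


def effective_strength_bits(*path_bits: float) -> float:
    """Each value is the strength of one independent way into the account
    (password, security answer, ...). The account is only as strong as the
    weakest path, since an attacker can pick whichever is easiest."""
    return min(path_bits)


if __name__ == "__main__":
    pw = password_bits(10, 62)  # 10 random alphanumerics
    ans = answer_min_entropy_bits(SAMPLE_ANSWER_COUNTS)
    print(f"password strength:        {pw:.1f} bits")
    print(f"security answer strength: {ans:.1f} bits")
    print(f"account with both paths:  {effective_strength_bits(pw, ans):.1f} bits")
    print(f"3 guesses at reset form succeed on "
          f"{top_k_success_probability(SAMPLE_ANSWER_COUNTS, 3):.0%} of accounts")
```

The takeaway is the `effective_strength_bits` line: adding the recovery path does not add to the password's strength, it replaces it with whichever path is weaker, and with the sample distribution a handful of guesses at the reset form covers most accounts.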