I would be remiss, of course, if I didn't comment on the security questions that Gmail offered me. They are:
- What is your primary frequent flyer number
- What is your library card number
- What was your first phone number
- What was your first teacher's name
- Write your own question...
But there are dangers in giving the public this option. Like password hints, people can and will use it to subvert the security of their own accounts. They will chose obvious things like their name or birthday. If you make sure that the question doesn't contain the answer, they will obfuscate it by putting spaces in between characters. In any segment of the population, there will be some segment that is just too lazy to care about security. Does that mean they deserve to have their accounts compromised? Probably, but institutions don't have the option to think that way, and even if they did it would still increase their support costs. Banks especially are legally limited in how much the customer was liable for, even if the customer was an idiot.
So while I would vastly prefer being given the option to create my own question, especially since I sometimes have a hard time choosing one that is both applicable and secure, but I understand why it's not always available. It is perhaps a shame that your security has to cater to the lowest common denominator, but if the general public is using your website or service then you may not have much choice.