A post on Bruce Schneier's blog about stupid security questions reminded me that this blog exists, and so I'm thinking about trying to start updating again. One of the comments on his post also links to a great entry in The Daily WTF about multiple-choice security questions, which are beyond stupid: they fail the 'hard to guess' criterion (assuming it's a bank in North America, what do you think is the safest bet as to where his father was born?), and they don't even allow the user to pick their real least-favorite vegetable (mine is eggplant). I'll bet 'beets' or 'Brussels sprouts' are good guesses for a large portion of the population, given that list of choices.
Since I hadn't updated this blog in a while, I had forgotten the password to the Gmail account that I created with it: firstname.lastname@example.org. Yeah, you can guess where this is headed. I opted to use my security question to recover my account, and it asked me one thing: "What was your first teacher's name?" I answered, and then it let me set a new password. I didn't even have to give it a birthday or answer more than one question.
I had apparently opted for the pre-set question out of laziness, because I couldn't think of a security question truly fitting an account about bad security questions. I didn't realize that the account could be completely taken over by anyone who could answer it. Anyone in my family would know the answer, and if I ever mentioned what school I went to, you could just check the school's website to narrow it down to one or two teachers (small school), since the teacher is still working there.
One thing about security questions is that you often see several of them. If you have to answer all three every time you log into your bank (no joke, I have to do this), it's a huge pain. But if someone can take control of your account with just a little bit of research, that's a failure in a completely different direction.
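To put some numbers on "easy to guess", here is an added example (not code from the original post) that models how well an attacker does against multiple-choice security questions when the answers are not evenly spread across the population. The answer distributions below are constructed for illustration, not survey data, and the model assumes the attacker's guesses at each question are independent and that the site allows a fixed number of wrong attempts per question; the option lists and names are made up.

```python
import math
from typing import Dict, Sequence

# Constructed (assumed) answer distributions for multiple-choice security
# questions: the fraction of a North American user base expected to pick
# each option. These are illustrative guesses, not survey data.
LEAST_FAVORITE_VEGETABLE: Dict[str, float] = {
    "beets": 0.35, "brussels sprouts": 0.30, "okra": 0.15,
    "eggplant": 0.10, "lima beans": 0.10,
}
FATHERS_BIRTHPLACE: Dict[str, float] = {
    "United States": 0.60, "Canada": 0.20, "Mexico": 0.10,
    "United Kingdom": 0.05, "Other": 0.05,
}
FIRST_CAR: Dict[str, float] = {
    "Ford": 0.30, "Chevrolet": 0.25, "Toyota": 0.20, "Honda": 0.15, "Other": 0.10,
}
# A free-text question after a bit of research: the attacker has narrowed the
# "first teacher" answer down to two names from the school's website (assumed).
FIRST_TEACHER_CANDIDATES: Dict[str, float] = {"Teacher A": 0.5, "Teacher B": 0.5}


def uniform_choices(n: int) -> Dict[str, float]:
    """Best case for a multiple-choice question: every option equally likely."""
    return {f"option {i}": 1.0 / n for i in range(n)}


def _check(dist: Dict[str, float]) -> None:
    if not math.isclose(sum(dist.values()), 1.0, abs_tol=1e-9):
        raise ValueError("probabilities must sum to 1")


def shannon_entropy_bits(dist: Dict[str, float]) -> float:
    """Average-case uncertainty; overstates security against a guessing attacker."""
    _check(dist)
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def min_entropy_bits(dist: Dict[str, float]) -> float:
    """-log2 of the most common answer: the figure that matters for one guess."""
    _check(dist)
    return -math.log2(max(dist.values()))


def success_probability(dist: Dict[str, float], guesses: int) -> float:
    """Chance an attacker who tries the `guesses` most common answers in order
    gets a single question right before being locked out."""
    _check(dist)
    ranked = sorted(dist.values(), reverse=True)
    return min(1.0, sum(ranked[:guesses]))


def success_all(dists: Sequence[Dict[str, float]], guesses_per_question: int) -> float:
    """Chance of passing every question when each must be answered and the
    lockout counter is per question (assumed). Independence between a user's
    answers is assumed, which is optimistic for the defender."""
    result = 1.0
    for dist in dists:
        result *= success_probability(dist, guesses_per_question)
    return result


if __name__ == "__main__":
    five = uniform_choices(5)
    print(f"uniform 5-way: min-entropy {min_entropy_bits(five):.2f} bits, "
          f"1 guess succeeds {success_probability(five, 1):.0%}")
    print(f"vegetable:     min-entropy {min_entropy_bits(LEAST_FAVORITE_VEGETABLE):.2f} bits "
          f"(Shannon {shannon_entropy_bits(LEAST_FAVORITE_VEGETABLE):.2f}), "
          f"3 guesses succeed {success_probability(LEAST_FAVORITE_VEGETABLE, 3):.0%}")
    bank = [LEAST_FAVORITE_VEGETABLE, FATHERS_BIRTHPLACE, FIRST_CAR]
    print(f"all three, 1 guess each:  {success_all(bank, 1):.1%}")
    print(f"all three, 3 guesses each: {success_all(bank, 3):.1%}")
    print(f"single researched free-text question, 2 guesses: "
          f"{success_probability(FIRST_TEACHER_CANDIDATES, 2):.0%}")
```

The comparison to look at is Shannon entropy versus min-entropy: a five-way question looks like 2.3 bits when the options are evenly chosen, but with a skewed distribution the most common answer alone covers a third of users, and three lenient guesses cover most of them. Three skewed questions with one attempt each still stop most attackers; three skewed questions with three attempts each let roughly half through, and a single free-text question that research has narrowed to two candidates stops nobody.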