The Secret Question System is insecure
Posted on Jul 12, 2007
Seeing that this is so obvious and easily breakable, I'm surprised sites still continue to use the secret question to recover your password. The problem is not so much in the system as in the questions chosen. A really secret question would be one whose answer is known to you and only to you. But the usual secret questions ask for your mother's maiden name, your pet's name or your childhood hero. Anyone who has known you for a sufficient amount of time, or who has read your profile on one of the social networking sites you are a member of, can answer these. Worse, the answer space is small: there are only so many common pet names and surnames, so an attacker who knows nothing about you can often just try them one by one. Not only does this introduce a loophole in the system, the secret question is often not easily changed.
The solution to the problem is simple, and one that I've been using for a few years now. The answer to the secret question should be totally unrelated to the context of the question yet memorable to you. For example, if the question is "Your pet's name?", your answer would be, say, Thorondor (Lord of the Rings). That way the answer is not on any list an attacker would think to try, and the chances of guessing it are very remote. In effect the answer becomes a second password: don't reuse the same one on every site, and bear in mind that most sites ignore case and surrounding spaces when checking it, so capitalisation adds nothing.
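To make the guessing argument concrete, here is an added Python example (mine, not code from the original post) that models the two strategies: a pet name an attacker can simply enumerate from a list of common ones, versus an answer built from random words that have nothing to do with the question. Both lists are constructed for illustration and deliberately tiny; with 32 words each random pick adds exactly 5 bits, and a real word list would add far more. The normalize step assumes the site folds case and whitespace when comparing answers, which is the common behaviour.

```python
import math
import secrets

# Constructed sample data (hypothetical, kept small for illustration).
# A real attacker's list of common pet names would be far longer.
COMMON_PET_NAMES = ["max", "bella", "charlie", "lucy", "buddy",
                    "daisy", "molly", "rocky", "sadie", "jack"]

# Constructed word list for generating unrelated answers.
# 32 entries gives exactly 5 bits per word; a diceware-sized list gives ~12.9.
WORDLIST = [
    "thorondor", "quartz", "lantern", "meadow", "copper", "falcon", "harbor",
    "velvet", "saddle", "pumice", "orbit", "tundra", "willow", "cobalt",
    "ember", "glacier", "hollow", "ivory", "juniper", "kestrel", "lumen",
    "marble", "nectar", "onyx", "pebble", "quiver", "raven", "saffron",
    "timber", "umber", "vortex", "zephyr",
]


def normalize(answer):
    """Assumed site behaviour: compare answers case-insensitively and ignore
    surrounding/repeated whitespace. Guesses only need to match this form."""
    return " ".join(answer.lower().split())


def guesses_to_find(answer, candidates):
    """Number of attempts an attacker needs when trying `candidates` in order.
    Returns None if the answer is not on the list at all (the Thorondor case)."""
    target = normalize(answer)
    for attempt, guess in enumerate(candidates, start=1):
        if normalize(guess) == target:
            return attempt
    return None


def entropy_bits(choices, words=1):
    """Entropy of an answer made of `words` picks, each uniform over `choices`."""
    return words * math.log2(choices)


def random_answer(words=3, wordlist=WORDLIST):
    """Generate an answer unrelated to any question, using a CSPRNG
    (secrets, not random) so the words cannot be predicted."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def is_from_wordlist(answer, wordlist=WORDLIST):
    """Check that every word of a generated answer came from the list."""
    return all(word in wordlist for word in normalize(answer).split())


if __name__ == "__main__":
    print("guesses for 'Bella':", guesses_to_find("Bella", COMMON_PET_NAMES))
    print("guesses for 'Thorondor':", guesses_to_find("Thorondor", COMMON_PET_NAMES))
    print("bits, one common pet name:", round(entropy_bits(len(COMMON_PET_NAMES)), 2))
    print("bits, three random words:", entropy_bits(len(WORDLIST), 3))
    print("random answer:", random_answer())
```

Running it shows the asymmetry: "Bella" falls on the second guess, while an answer like Thorondor never appears in the pet-name list, and a three-word random answer from even this toy list already costs the attacker 2^15 tries on average rather than ten.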