The “security question,” as an institution, is “superbly moronic,” says Jack Baruth:
[T]here is no reason for the security question to exist. Not the way it’s implemented at most websites. A security question, when used properly, can be helpful. PEER1 and Rackspace, as an example, use security questions to authenticate requests for phone support. The security question, in those cases, is one that you provide. As an example, your Rackspace security question could be, “What’s the pinkest brown?” and the answer could be “867-5309”. It’s a true shared secret. Of course, it’s stored on the Rackspace systems, which means it’s vulnerable. But as a good way to authenticate a voice on the phone that’s asking you to reboot a server or add a credential, it’s not bad.
The typical security question implementation, however, is not anything like that.
Oh, hell no. Instead, it’s something you’ve probably already posted on Facebook that anyone keen on stealing your identity has already read and filed away for reference.
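The Rackspace-style scheme Baruth describes is a shared secret the provider has to store, which is exactly the weakness he concedes. As an added example, written for this page and not taken from the post, from Rackspace or from PEER1, here is one way a provider could hold such a record so that a stolen database does not hand the answer to an attacker: keep the user-chosen question in the clear (the support agent has to read it out), but store only a salted PBKDF2 hash of the normalized answer and check it with a constant-time comparison. The function names, the normalization rules and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed parameters for this example (not from the post): PBKDF2-HMAC-SHA256
# with a per-record random salt. The iteration count is kept modest so the
# example runs quickly; a production deployment would use a far higher count
# or a memory-hard KDF such as scrypt or Argon2.
ITERATIONS = 100_000


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so trivial variations (case, surrounding or
    repeated whitespace, Unicode form) do not lock the caller out. It
    deliberately does not fuzzy-match: a different string is a wrong answer."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def enroll(question: str, answer: str) -> dict:
    """Create the stored record: the question in the clear, a fresh salt,
    and the PBKDF2 hash of the normalized answer. The answer itself is
    never written to the record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, ITERATIONS
    )
    return {"question": question, "salt": salt, "hash": digest}


def verify(record: dict, offered_answer: str) -> bool:
    """Re-derive the hash from the caller's answer and compare it in constant
    time. A leaked record yields a salt and a hash, not the shared secret."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(offered_answer).encode("utf-8"),
        record["salt"],
        ITERATIONS,
    )
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed enrollment using the question/answer pair quoted above.
    rec = enroll("What's the pinkest brown?", "867-5309")
    print(verify(rec, "867-5309"))        # True
    print(verify(rec, " 867-5309 "))      # True: whitespace normalized away
    print(verify(rec, "8675309"))         # False: no fuzzy matching
    print("867-5309" in str(rec))         # False: plaintext answer not stored
```

The caveat that matters for the rest of this post: hashing only helps when the answer is actually secret. If the "answer" is your mother's maiden name or your first car, an attacker who has read your Facebook page does not need the database at all, and no amount of salting or key stretching fixes that.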
I admit to having outsmarted myself once, with the requested item being the “name of your high-school sweetheart.” Like rather a lot of women of this era, she has a first and a middle name; unlike most, she was going by the middle name back then. So I plugged in the first name, which I’m pretty sure I’ve never mentioned anywhere, even here on this site. (Don’t mention this: it’s pseudonyms all the way down.) You can guess what happened next, or more precisely after a year or two.
Incidentally, I live in what has been known in the neighborhood as the Brown House. But it’s the pinkest brown you’ve ever seen.