True story
A few years ago I had to set up the security questions with my online broker because of their new online privacy policy. Since financial services are a bit delicate, they are trying to provide as much security as possible. One of the questions I had to answer was "What is the last name of your favorite athlete?". Since I wouldn't take risks, I did something silly with the answer, but forgot what that silly thing was. I tried to remember on a few occasions, but failed miserably every time. In the end, because of the recent Apple and Facebook stock exchange frenzy, I had to make a phone call to the States and reset my security questions. A waste of time and money.
Why u no work?
But why don't security questions work? Firstly, nobody's sure how they work with the specific service. Will somebody be able to reset my password by answering them right? Or will I be required to answer them after I log in to the system with my username and password? Or will they be used just in case I need to prove my identity on the telephone? Who knows… (and don't bother explaining)
Then the next problem happens. When I'm asked to answer security questions such as "Your first girlfriend's name", "Mother's maiden name", "Favorite holiday spot" or "Your pet's name", I can think of plenty of people who might know such things, and I don't know what these monsters could do with the answers (see above). Sure, these are mostly people I trust, but lately, quite a few answers to questions like this can be found elsewhere, e.g. on Facebook. How can I be sure my mother has the correct privacy settings? Or that my pet won't appear tagged on someone else's picture? Is that a risk I'm willing to take?
Time to drop
Bottom line: I tend to be creative or lie when I'm answering security questions, and I'm sure I'm not the only one who does it. Lies and creativity are easily forgotten, so I end up not knowing the right answer when the time comes. Face it, you cannot make a generic query that only I will be able to answer, and that's where the story ends. So please, stop using security questions, they don't work! Think of something else.
DISCLAIMER: Please note I'm not trying to persuade anybody to lower their security standards, but the fact is, people are emailing passwords to each other.