SecurityQuestions are insecure.

 * security questions are supposed to pose as "backup password"

 * thus "loophole" the basic password

 * a password should be really hard to guess

 * a password should not be visible while typed so noons can spy over your shoulder and read it form your screen.

 * even freeform SecurityQuestions ("what's my dogs name? Wuffy) contain much more easily guessable  structure than a really good password

 * everyone spying over your shoulder will not see your password but the S.Q.

 * a good password gets excellent if stored hashed so noone can recover it. The S.Q. are visible on the preferences page and thus clearly not in secure storage (which makes me wonder if the password itself is. Probably not?).
  
More on this basic questions to be found here: http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html

PS: Security Questions are bad for usability. My browsers autofill f***** up my "middle name" and I didn't see it, because I had to fill in these questions — something done in a hurry on a very unstable wireless network.

-- 
HinnerkHaardt

----
 . CategoryCustom