Best Practices - Strong Secret Questions for password resets
Security awareness is shared regarding password reset mechanisms that used by many websites. It's always best to select "Other" and compose a question that only you know the answer to.
QUOTE: Attackers aren't always brute-forcing passwords to compromise accounts. Sometimes, it just as simple as looking at the password reset questions. By now, you should be aware that you need to be selecting long and complex passwords to protect your accounts. You also know that passwords should be unique and never reused among different sites.
But are you being careful about the password recovery question? Also called secret questions, these questions help Websites determine users are who they say they are in case the password is ever misplaced or the account locked. Users generally select one from a drop-down list and provide an answer, presumably one that only they know.
Questions should have the following traits, according to Myers:
* It should be applicable and pertain to your life events.
* It should be definitive and be one answer that does not change, even over time.
* It should be memorable and easy to remember.
* It should be secure so that it's difficult to guess, find the answer online, and long enough to act as a passphrase.