It really frustrates me when sites require a question and secret answer like "hometown" or "mother's maiden name".

Those are both very easy to find pieces of information. Let me select the question myself too. By forcing me to give you an answer here you're potentially making my account _less secure_.

Right now I have standard fake answers to those questions, let's hope they never cross-reference those with anything else. I'm not sure how I'd convince someone my mother's maiden name is "<insert comedy name here>"
Authenticating users with passwords and "secrets" such as your hometown, high school, or first street name are all ridiculous strategies. My not-so-inner cynic suggests that banks know this but think they are safe from lawsuits as long as such methods are "industry standards."
Keep in mind these are all meant to be in-channel "back-up" strategies for when usual authentication methods fail and/or human error results in a complete loss of credentials. Forcing a true side-channel workflow for re-authentication and credential recovery isn't practical for most organizations.

A more secure, but frustrating for the disorganized, approach is to email out a small set (3-5) of one-time credential-recovery passphrases (often called a scratch-list) with the initial account approval message.

Another slightly more usable forced-in-channel alternative includes image file recognition where the user selects from a predefined set of pictures to use as their "shared secret" when the account is created. Typically, a salted hash of the image file is stored as the actual password value so multiple versions (slightly bit-skewed) of the same visual representation can be leveraged for password expiration.

Alas, all of these more secure alternatives limit the user's ability to "personalize" their shared secret and require additional bookkeeping.
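The scratch-list idea from the comment above, as an added example (not code from any poster): the server generates a handful of one-time recovery passphrases, keeps only salted hashes of them, and burns each one on use so a leaked or reused phrase cannot be redeemed twice. The word list, hash parameters and class names are my own choices for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed mini word list; a real deployment would use a large diceware-style list.
WORDS = ["apple", "bridge", "copper", "delta", "ember", "falcon",
         "granite", "harbor", "island", "juniper", "kestrel", "lantern"]


def generate_scratch_list(count: int = 5, words_per_phrase: int = 4) -> list[str]:
    """Produce `count` random recovery passphrases to hand to the user once."""
    return [" ".join(secrets.choice(WORDS) for _ in range(words_per_phrase))
            for _ in range(count)]


def _normalize(phrase: str) -> str:
    # Tolerate case and spacing differences when the user types the phrase back in.
    return " ".join(phrase.lower().split())


def _hash_phrase(phrase: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen database does not reveal the phrases directly.
    return hashlib.pbkdf2_hmac("sha256", _normalize(phrase).encode(), salt, 100_000)


class RecoveryStore:
    """Server-side record of a user's unused scratch-list entries (hashes only)."""

    def __init__(self, phrases: list[str]) -> None:
        self.salt = os.urandom(16)
        self._unused = {_hash_phrase(p, self.salt) for p in phrases}

    def redeem(self, phrase: str) -> bool:
        """Return True and burn the entry if `phrase` is an unused scratch code."""
        digest = _hash_phrase(phrase, self.salt)
        for stored in list(self._unused):
            if hmac.compare_digest(stored, digest):
                self._unused.discard(stored)  # one-time: never accepted again
                return True
        return False

    def remaining(self) -> int:
        return len(self._unused)
```

A successful redemption should also trigger the normal credential-reset flow and an out-of-band notification to the account owner.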
Whenever forced to use one of these authentications, I just wail on the keyboard to provide an answer. My mother's maiden name? Why, it's "sfdgh,jsdzl.kg hjsldghs,hb".