Bruce Schneier on "secret questions:"
What can one do? My usual technique is to type a completely random answer -- I madly slap at my keyboard for a few seconds -- and then forget about it. This ensures that some attacker can't bypass my password and try to guess the answer to my secret question, but is pretty unpleasant if I forget my password. The one time this happened to me, I had to call the company to get my password and question reset. (Honestly, I don't remember how I authenticated myself to the customer service rep at the other end of the phone line.)
Me too. I only had to give my credit card number to get my secret question reset, though. (I then had to use the new secret question to recover my password.) Since then I used a real question a few times, because I didn't want the hassle (especially at a site that has neither my credit card nor phone support).
