The recent Sony PlayStation Network compromise raises an even bigger problem: the compromise (suspected in this case; they aren't sure) of security questions. What do you do if your security questions get compromised at a site?
First, you probably have no idea what answers you even gave. The idea behind these questions is that you remember the answers naturally, so you don't need to write them down. So you probably have no idea now what questions you were asked and what answers got leaked.
Second, even if you did somehow know what answers you gave Sony (perhaps you signed up two weeks ago and you have a great memory), do you remember all the other sites you gave the same answers to? Time to go site to site checking (except, back to my first point, you probably don't remember what answers you are checking for).
Third, let's say you remember all that. These answers about you have been compromised and you can't change them - it's your history! This is a problem shared with biometrics: once your fingerprint gets out, you're stuck with just having nine left. Once a fact about you is known, all you can do is stop using it as a secret.
So, security questions just went from bad to worse in my book.
My suggestion: fill in random strings (I use a random password generator or "slap on the keyboard"). Write those answers down in a good password program like Password Safe or KeePass, or use the password saving feature of your browser (I suggest setting a master password if you do so). And if you do forget your password, most sites will still have some way to get it reset the old fashioned way through customer support.
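One way to put that suggestion into practice, as an added example that is not code from the original post: generate per-question answers from a CSPRNG with a chosen entropy target (64 bits is an assumption, as is the letters-and-digits alphabet, chosen so sites that reject punctuation still accept the answer), and bundle them into a record to paste into the password manager's notes field.

```python
import math
import secrets
import string

# Assumption: the site accepts letters and digits in answers. Punctuation is
# left out because some sites reject it, which would silently shorten the answer.
ALPHABET = string.ascii_letters + string.digits


def length_for_entropy(bits: float, alphabet: str = ALPHABET) -> int:
    """Smallest length whose uniformly random symbols carry at least `bits` of entropy."""
    if len(alphabet) < 2:
        raise ValueError("alphabet must contain at least two symbols")
    return math.ceil(bits / math.log2(len(alphabet)))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random string of `length` symbols drawn from `alphabet`."""
    return length * math.log2(len(alphabet))


def random_answer(bits: float = 64, alphabet: str = ALPHABET) -> str:
    """A random 'answer' with at least `bits` of entropy, from the OS CSPRNG (secrets)."""
    n = length_for_entropy(bits, alphabet)
    return "".join(secrets.choice(alphabet) for _ in range(n))


def manager_note(site: str, questions: list[str], bits: float = 64) -> dict[str, str]:
    """One independent random answer per question for `site`.

    Answers are never shared across sites, so a leak at one site exposes
    nothing that is reused elsewhere, unlike a real mother's maiden name.
    """
    return {q: random_answer(bits) for q in questions}


if __name__ == "__main__":
    # Constructed sample questions, not from any real site.
    note = manager_note("example-site (constructed)", ["Mother's maiden name?", "First pet?"])
    for question, answer in note.items():
        print(f"{question} -> {answer} ({entropy_bits(len(answer)):.1f} bits)")
```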
Some interesting work on security questions:
- Evaluating statistical attacks on personal knowledge questions
- It's no secret: Measuring the security and reliability of authentication via 'secret' questions
- OWASP on Secret questions
- Messin' with Texas: Deriving Mother's Maiden Names Using Public Records (pdf)
- How I Stole Someone's Identity (SciAM article)
And finally xkcd: