by mauli 2149 days ago
For cases where the questions are used by automation, it's okay. Not so much when humans come into play, who can be socially engineered: A friend called his bank for something. They verified his identity, with him answering 'what was your first pet's name' with: "The answer is random letters, numbers and symbols." He was verified to be the owner, not having actually told the support person a single matching character.

For those cases, generators for random answers that read legit would be better. I started putting in random word sentences like 'DoYouHaveAPetCalledPeter', stored in pwdstore metadata to the accounts.

1 comments
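An added example, not from the thread, of the approach mauli describes: generate a security-question answer from random dictionary words so it reads like something a person could say over the phone, and keep it alongside the account in a password-store entry. The word list, the `security-question:` metadata line and the entry layout are my own assumptions (pass itself only fixes the first line as the password; the rest is free-form).

```python
import math
import re
import secrets

# Constructed word list for the example. A real setup would use a large
# published list (a 7776-word diceware list gives ~12.9 bits per word);
# with only 16 words each word contributes just 4 bits.
WORDLIST = [
    "apple", "banana", "castle", "dragon", "engine", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "needle", "orchid", "pepper",
]


def generate_answer(words=4, wordlist=WORDLIST, rng=None):
    """Return a CamelCased sentence of random words, e.g. 'GardenKettleIslandApple'.

    secrets.SystemRandom draws from the OS CSPRNG, so the answer is not
    guessable from public facts the way a real pet name or home town is.
    """
    rng = rng or secrets.SystemRandom()
    chosen = [rng.choice(wordlist) for _ in range(words)]
    return "".join(w.capitalize() for w in chosen)


def answer_entropy_bits(words, wordlist_size):
    """Entropy of a `words`-word answer drawn uniformly from `wordlist_size` words."""
    return words * math.log2(wordlist_size)


def split_answer(answer):
    """Recover the individual words from a CamelCased answer (for checks/tests)."""
    return [w.lower() for w in re.findall(r"[A-Z][a-z]*", answer)]


def format_pass_entry(password, questions):
    """Render a pass-style entry: password on line 1, metadata lines after it.

    `questions` maps the site's question text to the random answer you gave.
    The 'security-question:' key is an assumed convention, not a pass feature.
    """
    lines = [password]
    for question, answer in questions.items():
        lines.append(f"security-question: {question} => {answer}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    pet = generate_answer()
    town = generate_answer()
    print(f"{answer_entropy_bits(4, len(WORDLIST)):.1f} bits per answer with this tiny list")
    print(format_pass_entry("<site-password>", {
        "What was your first pet's name?": pet,
        "What town did you grow up in?": town,
    }))
```

Because the answer is recorded next to the login, the "did I make this up or not?" problem in the reply below goes away: the entry tells you exactly what you gave the site.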

Also it's fun when you have to speak to customer support and you're not sure if you made up the answer or not. It's extra fun when the security question is something embarrassingly obvious like "what town did you grow up in?" or "what is your mother's maiden name?" and you get it wrong (and have to say "No really, I know this but I lied on your form").