by dohko 5057 days ago
I don't understand how this would solve the problem that security questions are trying to solve. Basically, you just want something that you remember and/or infer easily in case you forget your password. If you use a passphrase as a salt to build a hash along with your security question, then you are not really solving the problem. You still will have to remember the passphrase in order to build the hash. What if you forget it? Therefore you really haven't solved the problem. For what it's worth, I don't believe in security questions and agree that they can be inferred by a reasonably motivated person rather easily. There is no silver bullet, but it is probably way less risky to just allow password reset by confirmation codes to cell phones.