1

Possible Duplicate:
Do security questions subvert passwords?

Is it true that on some websites (e.g., free webmail) there are "security questions": if the user forgets his password, he can answer the security question that he provided before, and then change his password? BUT: isn't this a security issue? What happens when the security question is weak and guessable?

Anders
LanceBaynes

1 Answer

3

Usually security questions are not used by themselves and are used to accompany email verification. Some services also use them when you're logging in from a different location to normal, to add to the login process. Using them by themselves, unless you're asking like 50 questions, can be a security issue.

Whatever you do, they can still be weak and guessable, so the right questions have to be used. There is a list of good security questions here which are supposed to be more difficult to guess.

nealmcb
Mark Davidson
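
The arrangement the answer describes, where a security question accompanies email verification instead of standing alone, sketched as an added example (not part of the original answer or any site's code). The `ResetService` class, the lockout threshold, the token lifetime and the sample values are assumptions.

```python
import hashlib, hmac, secrets, time

MAX_ATTEMPTS = 3   # assumed lockout threshold
TOKEN_TTL = 900    # assumed lifetime of the e-mailed token, in seconds

def _norm(answer):
    # Case and spacing should not matter for a typed answer.
    return " ".join(answer.lower().split())

def hash_answer(answer, salt):
    # Store the answer like a password: salted and stretched, never in clear.
    return hashlib.pbkdf2_hmac("sha256", _norm(answer).encode(), salt, 100_000)

class ResetService:
    def __init__(self):
        self.users = {}    # user -> {"salt", "answer", "fails"}
        self.tokens = {}   # user -> (sha256 of token, expiry time)

    def enroll(self, user, answer):
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "answer": hash_answer(answer, salt), "fails": 0}

    def start_reset(self, user, now=None):
        # Returns the token that would be e-mailed to the address on file.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.tokens[user] = (hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL)
        return token

    def finish_reset(self, user, token, answer, now=None):
        now = time.time() if now is None else now
        rec = self.users.get(user)
        if rec is None or rec["fails"] >= MAX_ATTEMPTS:
            return False                      # unknown user or locked out
        digest, expiry = self.tokens.get(user, (b"", 0))
        token_ok = now < expiry and hmac.compare_digest(
            digest, hashlib.sha256((token or "").encode()).digest())
        answer_ok = hmac.compare_digest(rec["answer"], hash_answer(answer, rec["salt"]))
        if not (token_ok and answer_ok):      # the answer alone is never enough
            rec["fails"] += 1                 # every failed try counts toward lockout
            return False
        del self.tokens[user]                 # token is single use
        rec["fails"] = 0
        return True
```
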