I am blogging about the effectiveness of using “secret questions” as a method to recover one's account on a particular page or web service, or, more simply, as a backup / secondary password for any account. The articles I posted above come from Bruce Schneier's website (the author of our book), and they address this very issue of secret-question security. He points out a few different security flaws with this system. The main problem with these questions is that they are much easier to guess than a user's primary password. We often see repeats of the same question on multiple websites: mother's maiden name? First pet? High school, or the year you graduated? With the social networking juggernaut that is Facebook, the answers to these questions can be found in just a few clicks. He mentions that he typically answers these questions with a good keyboard slap or face roll, but also brings up the inconvenience if you actually forget your password, when calling the company might be your only hope. A user who commented on one of his posts brought up a good point: typically, answering a secret question only emails a new password to the currently registered address. So if you receive an email like this, you know that a hacker is trying to break in. What do you guys think: somewhat effective, or completely flawed? Should changes to secondary passwords be made?
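To put numbers on the "much easier to guess" point, here is an added Python example (my own, not from the post or from Schneier's articles). It compares the guess space of a real first-pet answer drawn from a short constructed list of common pet names against the random "keyboard slap" style answer the post describes, and shows how a site should store either one: normalized, salted and hashed like a password. The pet-name list, the helper names and the PBKDF2 parameters are all assumptions made for the example; `guesses_needed` is the defender's own audit of how few tries a hashed answer survives when the answer is public knowledge.

```python
import hashlib
import math
import secrets
import string
import unicodedata

# Constructed sample: a handful of common "first pet" answers, standing in for
# the kind of candidate list that can be assembled from public social profiles.
COMMON_PET_NAMES = ["max", "bella", "charlie", "lucy", "buddy", "daisy", "molly", "rocky"]

# Hypothetical storage parameters for this example.
PBKDF2_ITERATIONS = 100_000
ANSWER_ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def guess_space_bits(candidate_count: int) -> float:
    """Entropy in bits if the answer is one of candidate_count equally likely values."""
    return math.log2(candidate_count)


def random_answer_bits(length: int, alphabet_size: int = len(ANSWER_ALPHABET)) -> float:
    """Entropy in bits of a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


def random_answer(length: int = 24) -> str:
    """A 'keyboard slap' done properly: a CSPRNG-generated secondary password."""
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


def normalize(answer: str) -> str:
    """Fold case, unify Unicode forms and trim so 'Bella ' and 'bella' match."""
    return unicodedata.normalize("NFKC", answer).casefold().strip()


def store_answer(answer: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Store a secret-question answer the way a password is stored: salted + slow hash."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_answer(answer: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a submitted answer against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS)
    return secrets.compare_digest(candidate, digest)


def guesses_needed(salt: bytes, digest: bytes, candidates: list[str]):
    """Defender's audit: how many tries from a public candidate list recover this answer.

    Returns the 1-based number of guesses, or None if the list never matches.
    """
    for count, candidate in enumerate(candidates, start=1):
        if verify_answer(candidate, salt, digest):
            return count
    return None


if __name__ == "__main__":
    # A real pet name: hashing does not help when the answer is in a short public list.
    salt, digest = store_answer("Bella ")
    print(f"pet-name guess space: {guess_space_bits(len(COMMON_PET_NAMES)):.1f} bits")
    print(f"recovered after {guesses_needed(salt, digest, COMMON_PET_NAMES)} guesses")

    # A random secondary password: the same list gets nowhere.
    token = random_answer()
    salt2, digest2 = store_answer(token)
    print(f"random answer: {random_answer_bits(len(token)):.1f} bits")
    print(f"recovered after {guesses_needed(salt2, digest2, COMMON_PET_NAMES)} guesses")
```

The hashing and normalization are what a site should do regardless; the entropy figures are the reason the post's advice to treat the answer as a second random password matters, since no amount of slow hashing rescues a three-bit secret.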