21 May
Do security questions subvert passwords?
If a site requires passwords with a certain scheme (length + required character sets) and has a security question, why would someone try cracking the password instead of the security question? I assume most answers to these are shorter and have a smaller variety of characters.
For example, "Mother's Maiden Name" (somewhat common question) is typically not as long as a decent password (even after satisfying password requirements) and often contains only letters. When a site requires a security question, is it best to fill it in with a lengthy string containing random characters?
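The comparison the question draws, worked through as an added example that is not part of the original post. The sample surname and password are constructed, and sizing the alphabet from the character classes present is a simplifying assumption that gives an upper bound only, since real surnames come from a far smaller set than random letter strings.

```python
import math
import secrets
import string

# Character classes used to size the brute-force alphabet (assumed model).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(text):
    """Sum the sizes of the character classes that appear in text."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in text))


def search_space_bits(text):
    """Upper bound on exhaustive-search work: len * log2(alphabet size)."""
    size = alphabet_size(text)
    return len(text) * math.log2(size) if size else 0.0


def random_answer(length=24):
    """Random security answer from a CSPRNG, to be stored like a password."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(samples):
    """Return {label: (alphabet size, bits)} for each sample string."""
    return {label: (alphabet_size(s), round(search_space_bits(s), 1))
            for label, s in samples.items()}


if __name__ == "__main__":
    # Constructed sample values, not taken from any real account.
    samples = {
        "maiden name": "Robinson",
        "policy password": "t7#Vq2!mZp9&",
        "random answer": random_answer(),
    }
    for label, (size, bits) in compare(samples).items():
        print(f"{label:16} alphabet={size:3} bits<={bits}")
```
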