
I treat them as less secure passwords -- passwords that often a representative at the company has access to. (I've experienced instances of people on the phone (upon my calling the organization at a known number) soliciting their answers and checking them against what they have on their screen.) Usually these days, with actual passwords, they undergo a computerized check and members of the organization have no access to their values -- or at least to their unencrypted values. (Although, don't blindly depend upon that assumption.)

Security questions introduce insecurity. I remember being mightily puzzled when they were considered a "best practice" and the organization I was at was all "het up" to implement them.

The real reason? They save head count / expense -- at least, in the short run. One less "I can't remember my password" interaction -- one that, from an optimistic perspective, at least doesn't just blindly depend upon emailing the email address of record... Only, many sites seem to implement that alongside their security questions flow, so...
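The distinction drawn above, between answers a support representative can read off a screen and password-style values that only a computerized check can verify, as an added Python example (not from the thread): security-question answers stored and verified the way passwords are, salted and stretched with PBKDF2, with normalization so casing and spacing differences still match. The iteration count and salt size are assumed values.

```python
import hashlib
import hmac
import secrets
import unicodedata
from typing import Optional, Tuple

# Assumed parameters for this example, not values from the thread.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Canonicalize a free-text answer so trivial variations still match.

    NFKC, casefold and whitespace collapsing make "New  York" and
    "new york" verify as the same answer; the digest is computed over
    this normalized form, never over the raw input.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); only these are stored, never the answer text."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of a submitted answer against the stored record.

    Support staff holding (salt, digest) learn nothing about the answer
    itself, which is the property the comment above says plaintext
    security questions lack.
    """
    _, candidate_digest = hash_answer(candidate, salt)
    return hmac.compare_digest(candidate_digest, digest)


if __name__ == "__main__":
    stored_salt, stored_digest = hash_answer("  New  York ")
    print(verify_answer("new york", stored_salt, stored_digest))  # True
    print(verify_answer("Boston", stored_salt, stored_digest))    # False
```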


