
Apparently it's common practice. Lloyds TSB (UK bank) and 3 (UK mobile network) do something similar.



Yep. I've had Lloyds phone me and tell me my own goddamned password over the phone. Which means, apart from anything else, that they store them in plaintext.

Phishing for this kind of info is stupidly easy, though, and while call centres quite definitely do condition people to be phished, there's not much that can be done when people are so willing to be fast and loose with their personal information.

Go tweet/facebook the following, and prepare to be astounded by how naïve most are:

"Want to know your porn star name? Just take your first pet's name, your first school's name, and your mother's maiden name! Mine's Muffy Grove Schlitz!"


It's more a failure of services/companies that require silly things like pet, school, or maiden names as shared secrets. By now, everyone should get a PGP key at birth.


I agree. I never answer the security questions with a truthful answer, because things like "first company you worked for" are too easy to look up. I treat security questions almost the same as passwords. I generate random answers per question and store them in 1Password, just like my passwords.

A side-benefit of this is that if someone calls me and asks me to answer a security question, I won't know it. I'll be forced to call them back after I've opened 1Password and pulled up the record with the security questions.



