in fact, fuck passwords too!!
truth is, the questions do serve a purpose… with naive users, who don’t properly store their passwords and so the lazy admins can rest, unless they also want to go the extra step of theater, as apple does. not to mention the millions the banks think they’re saving. all it takes to lose all those savings is one security breach there, and SQs easily open a huge can of worms, which greatly helps crackers find that breach.
devs: just send a temporary password/code to the email. it’s still much more “secure” than those bullshit questions. and good enough for most cases.
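a sketch of that temporary-code flow, added here as an example and not part of the original post: the code is random, stored only as a hash, expires, and works once. the `ResetCodeStore` name, the in-memory dict, the 15-minute lifetime and the 5-attempt limit are all assumptions, and actually sending the mail is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # assumption: code is valid for 15 minutes
MAX_ATTEMPTS = 5             # assumption: burn the code after 5 wrong guesses


class ResetCodeStore:
    """Hypothetical in-memory stand-in for a table of pending reset codes."""

    def __init__(self, clock=time.time):
        self._pending = {}   # email -> [sha256(code), expires_at, attempts_left]
        self._clock = clock

    def issue(self, email):
        """Create a fresh code for `email`, replacing any earlier one.

        Only the hash is kept, so a dump of the store does not yield usable
        codes. The caller mails the returned plaintext to the user.
        """
        code = secrets.token_urlsafe(16)   # 128 bits from the OS CSPRNG
        digest = hashlib.sha256(code.encode()).digest()
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[email] = [digest, expires_at, MAX_ATTEMPTS]
        return code

    def redeem(self, email, code):
        """Return True exactly once for the right code, False otherwise."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[email]       # expired or guessed too often
            return False
        candidate = hashlib.sha256(code.encode()).digest()
        if hmac.compare_digest(candidate, digest):   # constant-time compare
            del self._pending[email]       # single use
            return True
        entry[2] = attempts_left - 1
        return False
```
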
probably the most secure solution: use some kind of single sign-on (or all of ’em) and 2 step auth. by all means, do allow adding a backup password if someone might want it, with a warning “you’re on your own, don’t lose this, we can’t help you”. and since you’re doing-it-right™, why not toss in an ssh key too? it sure will get the word of mouth in any hacking community.
meanwhile, if you’re a worried user and need to give answers to keep your account “super mega secure”, get a vault for your passwords already and store them alongside as something equally impossible for anyone to guess and at least 16 characters long.
you don’t need to take my word: