Google performs a large-scale empirical data analysis of secret questions based on their deployment at Google and results show that secret questions generally offer a security level that is far lower than user-chosen passwords. It turns out to be even lower than proxies such as the real distribution of surnames in the population would indicate. Surprisingly, a significant cause of this insecurity is that users often don’t answer truthfully. A user survey revealed that a significant fraction of users (37%) who admitted to providing fake answers did so in an attempt to make them “harder to guess” although on aggregate this behavior had the opposite effect as people “harden” their answers in a predictable way.
Read Google’s full analysis here – http://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/43783.pdf
