Security Researchers at the University of Cambridge’s Computer Laboratory have produced a whitepaper titled Evaluating statistical attacks on personal knowledge questions.
Aside from the fact that the answers to these questions are readily findable for celebrities and increasingly easy to uncover through social networking sites for the average individual the researchers found that even guessing is good enough to render the system insecure if carried out on a wide scale.
There is a strong result that anything named by humans is dangerous to use as a secret. Sociologists have known this for years. Most human names follow a power-law distribution fairly close to Zipfian, which we confirmed in our study. This means every name distribution has a few disproportionately common names—”Gonzalez” amongst Chilean surnames, “Guðrún” amongst Icelandic forenames, “Buddy” amongst pets—for attackers to latch on to. Combined with previous results on other attack methods, there should be no doubt that personal knowledge questions are no longer viable for email, which has come to play too critical a role in web security.
I think that until such time as the companies that use password reminder questions as a security method change the system they use I recommend that people give a nonsense answer to the question. If you are sure that you’d never need to use the password reminder facility then you could just use a completely unguessable random alphanumeric string as the answer. Otherwise it would be a good idea to choose something memorable as your nonsense answer that you consistently use e.g. Throatwobbler Mangrove unless inexplicably that does happen to be your mother’s maiden name.
There has been other research in the last few years into this subject.
Microsoft researchers wrote Measuring the security and reliability of authentication via ‘secret’ questions