Columnist: Nearly every Web site comes with user-accessible, self-service, password reset questions. The questions often contain information that is known by lots of people, or can be found by searching on the Internet. If a Web site uses such weak security questions, make sure the questions are truly capable of being known by only one person. Suggest some good examples of how to create truly secure security questions for Web site users. Any password resets or changes should be sent to the e-mail address on record before being committed.”]
Source: https://www.csoonline.com/article/2633154/ask-better-password-questions.html