Blog | G5 Cyber Security

Using Secret Questions

Many Web applications use secret questions to verify a user's identity in the case of a lost password. Secret questions break all the rules for strong passwords and have some significant weaknesses. Many Web sites assume that a user who can answer the question has sufficiently identified themselves. Many secret questions ask for facts that anyone could discover with little research. Because there is usually a limited set of answers to secret questions, they are also vulnerable to brute-force attacks. The key to successful secret questions is to clearly define their role as just one part of the password retrieval process.

Source: https://www.cuinfosecurity.com/using-secret-questions-a-256
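
As an added illustration (not code from the source article), the sketch below treats the secret answer as only one step of password retrieval: guesses are capped to blunt brute force against a small answer space, and a correct answer only triggers a reset token sent to the registered mailbox. The class name `RecoveryGate`, the `outbox` stand-in for a mail sender, and the attempt and lockout values are assumptions.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 3        # assumed policy value, not from the article
LOCKOUT_SECONDS = 900   # assumed policy value, not from the article

def hash_answer(answer, salt):
    # Normalize case and whitespace, then use a slow salted hash so a leaked
    # table of answers is not trivially reversible.
    normalized = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, 100_000)

class RecoveryGate:
    """Hypothetical recovery step: the answer only unlocks an emailed token."""

    def __init__(self, clock=time.monotonic):
        self._accounts = {}   # user -> (salt, answer_hash, email)
        self._failures = {}   # user -> (failed_count, locked_until)
        self._clock = clock
        self.outbox = []      # stand-in for a real mail sender

    def enroll(self, user, email, answer):
        salt = secrets.token_bytes(16)
        self._accounts[user] = (salt, hash_answer(answer, salt), email)

    def request_reset(self, user, answer):
        now = self._clock()
        count, locked_until = self._failures.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"              # answer is not even evaluated
        record = self._accounts.get(user)
        if record is None:
            return "rejected"
        salt, stored, email = record
        if not hmac.compare_digest(hash_answer(answer, salt), stored):
            count += 1
            if count >= MAX_ATTEMPTS:    # cap guesses against a small answer space
                self._failures[user] = (0, now + LOCKOUT_SECONDS)
            else:
                self._failures[user] = (count, 0.0)
            return "rejected"
        self._failures.pop(user, None)
        # A correct answer proves little on its own: the reset token goes to the
        # registered mailbox and is never returned to the requester.
        self.outbox.append((email, secrets.token_urlsafe(32)))
        return "sent"
```
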
