New research from Google shows that attackers can easily guess users’ answers to account-recovery questions. Google researchers found that with just one attempt an attacker could guess an English-speaking user s favorite food 19.7 percent of the time. The company also discovered that some tactics users employ to make their answers more difficult for attackers to guess aren t effective, and that some of those tactics are backfiring because people choose the same (false) answers, and actually increase the likelihood that an attacker can break in.
Source: https://threatpost.com/security-questions-not-so-secure/112949/