
Security questions should be treated as secondary password fields, since they are that. Use Diceware for a good tradeoff between entropy and memorability/pronounceability or more complex random passwords and store them in a safe place.


This works well until you get to the "Our site is so secure that we need you to answer three security questions from our canned list, and they can't all be the same string" geniuses. Such an antipattern.


For every site that does this, I have a blob of text in my password manager where I write down

Q: what was your childhood best friend's last name? A: pathway-titian-slowly-quiver-kodiak-hue

etc., even for fact-based things like "what city were you born in?" or "what street did you live on in 1995?".
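An added example, not written by anyone in this thread, of the approach the two comments above describe: Diceware-style random answers (dice rolled with a CSPRNG) written into a "Q: ... A: ..." note for a password manager, with distinct answers for sites that refuse repeated strings. It assumes a constructed 36-word list standing in for the real 7776-word Diceware list.

```python
import math
import secrets

# Constructed 36-word stand-in for the real 7776-word Diceware list
# (36 = 6**2, so two dice index it; the real list needs five dice).
SAMPLE_WORDS = [
    "acorn", "basil", "cedar", "delta", "ember", "fjord",
    "gable", "haven", "inlet", "juniper", "kelp", "lilac",
    "maple", "nutmeg", "olive", "pebble", "quartz", "raven",
    "saffron", "tundra", "umber", "velvet", "walnut", "yarrow",
    "zephyr", "amber", "birch", "cobalt", "dune", "fern",
    "garnet", "heron", "iris", "jade", "lumen", "moss",
]

def dice_to_index(num_dice, sides=6):
    """Roll num_dice fair dice with a CSPRNG and pack them into one index.
    Each roll contributes log2(6) bits, exactly as with physical Diceware."""
    idx = 0
    for _ in range(num_dice):
        idx = idx * sides + secrets.randbelow(sides)
    return idx

def diceware_answer(num_words, wordlist=SAMPLE_WORDS, sep="-"):
    """Build a random answer such as 'pathway-titian-slowly-quiver-kodiak-hue'."""
    num_dice = round(math.log(len(wordlist), 6))
    if 6 ** num_dice != len(wordlist):
        raise ValueError("wordlist length must be a power of 6 to index it with dice")
    return sep.join(wordlist[dice_to_index(num_dice)] for _ in range(num_words))

def answer_entropy_bits(num_words, list_size):
    """Entropy of an answer drawn uniformly from list_size**num_words possibilities."""
    return num_words * math.log2(list_size)

def answer_blob(questions, num_words, wordlist=SAMPLE_WORDS):
    """Return 'Q: ... A: ...' lines for a password-manager note.
    Answers are kept distinct, for sites that reject repeated answers."""
    used = set()
    lines = []
    for question in questions:
        answer = diceware_answer(num_words, wordlist)
        while answer in used:  # vanishingly rare, but the site rule is hard
            answer = diceware_answer(num_words, wordlist)
        used.add(answer)
        lines.append(f"Q: {question} A: {answer}")
    return lines
```

With the real list, a six-word answer carries about 77.5 bits; with this 36-word stand-in only about 31, which is why the list size matters as much as the word count.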


Ah, but the anti-pattern folks have a way around that.

Drop-downs for answers. Just got this on United.com:

http://imgur.com/84l0CdU


I think that the drop-downs are trying to prevent people from mistyping things and locking themselves out because "Accordien" doesn't match "accordion".


How about 5 random questions, 5 random answers and record all of these in your password manager?


If you have a password manager that successfully tracks the questions, then there's no reason to need to recover the password, as you'll just track the password in the same system.

The catch-22 of these systems is that recovery questions need to be obvious, memorable and unchanging enough to the user that they are useful for recovery, while also being hard for a third party to guess/research. I feel like for the most part those are more often than not mutually exclusive.


I had something along those lines trying to log in to Mojang on a new computer. "We've not seen you log into this PC before (although I had on that IP), please answer these three security questions." Of course I don't remember, so I just reset them. I imagine the new answers and the old answers had a lot in common - they were composed primarily of expletives.



