My beef with First Direct is slightly different: since you can’t seem to do anything useful with the “secondary” questions, why even bother asking them? It’s not like applying for a mobile phone where you have to supply multiple forms of id (which an imposter might have difficultly assembling), because the questions they ask are so difficult to remember, and so plentiful, that you essentially have no option other than to write them down.

I agree with Ade - people do choose memorable passwords, generally a combination of a name close to the heart for some reason, and a date of importance, neither of which would be hard to guess for anyone close to that person.

However, things have improved since the good ol’ days (?) when people could choose a password as short as they want. When my father’s company installed a new fancy computer network in an nhs hospital to store patient data in a database (really quite personal and valuable data), the nurses there complained remembering the long password they were supplied with was too much for someone with such a non-stop job. Consequently they had the password changed to “a”. Now there’s security for you!

But ultimately the real weakness is the reliance on passwords at all - they’re always the weakest part of any security framework because users choose dumb passwords, write them on bits of paper etc. “Security questions” are intended to encourage users to choose stronger passwords - which are inherently less-memorable - by providing a get-out clause. But its probably still true that most users solve this problem by just choosing some easily-memorable - and weaker - password in the first place. Would be interesting to find out how often password reminders / security questions get used in webmail accounts - very low usage would be a pretty bad sign.

Ahah!
You can’t get your hands on my pennies that easily!