Most of the time, I would rather have the password emailed to me than to answer the security question.

Well, that is a problem. As I said in the comment above, if the password is emailed to you is because it was stored unencrypted and that is a problem on itself.

I’d rather be emailed a URL where I am able to change it, this because if the email is stored encrypted it can’t be mailed to me. So I prefer it that way.

Anyway, I don’t like security questions either, I see them plainly as security holes.

@Adam Snider -

Great tip, Guilherme. Like ses5909, I didn’t really think of security questions in this way until reading this. But, you’re absolutely right.

However, I don’t think that many sites actually keep your password on file. Most use a cryptographed version, I think.

Still, it’s always better to be more secure in situations like this.

I have seen many sites emailing you your password when you forget it, that is clear evidence that is stored in plain text and I consider that really bad. Still, many others do save them cryptographed.

The big problem of keeping plain text passwords in their servers is that if someone hacks in and gets it, it will certainly be useful for other places as well, unless you keep a different password for each server.

However, I don’t think that many sites actually keep your password on file. Most use a cryptographed version, I think.

Still, it’s always better to be more secure in situations like this.

Luckily though when you do need to reset your password, it usually emails it to you instead of letting you reset it right there.

Security questions are actually security holes. It shouldn’t be used unless the answer is really, absolutely, completely unguessable.

Now, if the site asks you to reset your password instead of sending it to you, that is better. Usually means that the site itself doesn’t keep your password, only a cryptographed version of it, and that is why you have to reset it.