Secret Security Questions Are a Joke 408

Posted by timothy
from the totally-true-thesis dept.
Hugh Pickens writes "Rebecca Rosen writes that when hackers broke into Mat Honan's Apple account last week, they couldn't answer his security questions but Apple didn't care and issued a temporary password anyway. This was a company disregarding its own measure, saying, effectively, security questions are a joke and we don't take them very seriously. But even if Apple had required the hackers to answer the questions, it's very likely that the hackers would have been able to find the right answers. 'The answers to the most common security questions — where did you go to high school? what is the name of the first street you lived on? — are often a matter of the public record,' writes Rosen, 'even more easily so today than in the 1980s when security questions evolved as a means of protecting bank accounts.' Part of the problem is that a good security question is hard to design and has to meet four criteria: A good security question should be definitive — there should only be one correct answer; applicable — the question should be possible to answer for as large a portion of users as possible; memorable — the user should have little difficulty remembering it; and safe — it should be difficult to guess or find through research. Unfortunately few questions fit all these criteria and are known only by you. 'Perhaps mother's maiden name was good enough for banking decades ago, but I'm pretty sure anyone with even a modicum of Google skills could figure out my mom's maiden name,' concludes Rosen. Passwords have reached the end of their useful life, adds Bruce Schneier. 'Today, they only work for low-security applications. The secret question is just one manifestation of that fact.'"
  • Simple solution (Score:5, Insightful)

    by Anonymous Coward on Thursday August 09, 2012 @11:03AM (#40931583)

    Let people design their own question.

  • BYO (Score:5, Insightful)

    by wstrucke (876891) on Thursday August 09, 2012 @11:03AM (#40931589)
    I find the security questions I like best are the ones I can make up myself. I typically use nonsense phrases that only I know the answer to. Unfortunately most sites would prefer you pick one of several 'standard' questions like the examples OP provided.
  • by BMOC (2478408) on Thursday August 09, 2012 @11:04AM (#40931601)

    The best use of security questions is to answer them dishonestly/humorously with responses you will remember, or can write down.

    Favorite movie? Gigli
    First Car? Moon Rover
    Mother-in-law's name? Dead
    etc..etc..

  • by mikestew (1483105) on Thursday August 09, 2012 @11:06AM (#40931627) Homepage

    Google me all you want, the real answer to "mother's maiden name" for me is "{ah23#>K&Ep", which I store in 1Password.

    Of course, that does no good if Apple simply ignores the security questions.

  • by imagined.by (2589739) on Thursday August 09, 2012 @11:07AM (#40931647)

    I usually just generate additional passwords and save them in KeePass.

  • Re:BYO (Score:1, Insightful)

    by bcoff12 (584459) on Thursday August 09, 2012 @11:08AM (#40931651) Homepage
    Exactly. I make up ridiculous answers and store them in my password manager.
  • Re:Simple solution (Score:3, Insightful)

    by MightyYar (622222) on Thursday August 09, 2012 @11:10AM (#40931693)

    But the lazy will make questions like "What is 2+2?" or other such nonsense.

  • Re:Simple solution (Score:5, Insightful)

    by NeutronCowboy (896098) on Thursday August 09, 2012 @11:11AM (#40931707)

    Even simpler solution: design your own answers. Yes, you'll get funny silences over the phone when you tell the rep that you were born "On the moon", that the street you grew up on was "the yellow brick road", and that your mother's maiden name was Humpty Dumpty. The upshot is that no one can guess, the answers are meaningful to only you, there is only one answer (the fake, important name and place), and, because the answers are whatever you think they should be, applicable.

  • Re:BYO (Score:4, Insightful)

    by nedlohs (1335013) on Thursday August 09, 2012 @11:16AM (#40931787)

    Making them completely pointless, since you'd only need them if you lost the password which would presumably also be in the password manager.

  • Re:Simple solution (Score:5, Insightful)

    by Hognoxious (631665) on Thursday August 09, 2012 @11:16AM (#40931795) Homepage Journal

    The problem is that if you don't use them very often (say only for a password reset) it's easy to forget what answers you gave.

    One trick is to give true answers, but for someone else, i.e. you answer as if you were Linus Torvalds or Queen Victoria. But then you still have to remember who ...

  • Re:Simple solution (Score:2, Insightful)

    by Anonymous Coward on Thursday August 09, 2012 @11:17AM (#40931797)

    So now you have to remember nonsensical answers to every important site you use, in addition to a password. You can't use the same answers everywhere, because when one gets hacked, all other account security questions are vulnerable.

    In other words, passwords aren't secure, so let's use even more of them! This is like saying credit card numbers get stolen, so the solution is to add some more to the back of the card.

  • Re:Simple solution (Score:5, Insightful)

    by fredprado (2569351) on Thursday August 09, 2012 @11:17AM (#40931799)
    And they are within their rights to do so and suffer the consequences for it.
  • Re:Simple solution (Score:5, Insightful)

    by Isaac-1 (233099) on Thursday August 09, 2012 @11:19AM (#40931847)

    And as long as you always answer 42, or 416 what is the problem with that?

  • by macraig (621737) <mark.a.craig@gmai[ ]om ['l.c' in gap]> on Thursday August 09, 2012 @11:20AM (#40931853)

    Many security questions are a failure from the start due to poor selection. While one would expect that a security question would challenge an objective fact, many of them don't. Instead they challenge subjective facts, most often "favorite" things. What happens to a person's answers when his mental list of favorite things has changed? I've encountered some instances where these "favorite" questions were so prevalent that there wasn't even one objective question as a choice. While it's true that "favorites" might be less susceptible to data mining than objective facts, the last thing security questions should ever do is create the possibility that the legitimate user might be locked out because he can't recall what his "favorite" was at the time of the account's creation. This is akin to the bad habit of using e-mail addresses as usernames. What's more, many of these choose very poor subjects that lead to potentially ambiguous answers; there have been many occasions when I couldn't decide the correct answer to a "favorite" question even at the time of creation, much less a year later.

  • Re:BYO (Score:5, Insightful)

    by X0563511 (793323) on Thursday August 09, 2012 @11:20AM (#40931865) Homepage Journal

    I'd rather just be able to disable the questions entirely, relying on a good password and if that is lost/whatever, account specific information being verified by a human on the phone.

    My problems with these "secret questions" are:
    1. They are obviously stored cleartext
    2. They can be used to "substitute" for your non-cleartext password
    3. Because 1+2=3, if someone breaks in and grabs a dump of the table, they now effectively have your account. These "insecurity questions" are more of a liability if you are not one to just lose passwords. Crutch for the stupid, barrier for the secure.

  • Re:Simple solution (Score:5, Insightful)

    by MightyYar (622222) on Thursday August 09, 2012 @11:23AM (#40931909)

    I don't think that would fly. If a person's bank account gets hacked, the bank usually (always?) picks up the tab. It's in their interests to get people to bank online - it is significantly cheaper than hiring tellers. If I were on the hook for security flaws at the bank, I'd never bank online.

  • Re:Simple solution (Score:5, Insightful)

    by Hythlodaeus (411441) on Thursday August 09, 2012 @11:31AM (#40932043)

    The purpose of security questions is not security - it's reducing customer service workload due to forgotten passwords.
    In most implementations it's an overall reduction in security, since the security questions constitute a backdoor to the password, rather than an additional factor of authentication.

  • Re:Simple solution (Score:4, Insightful)

    by MightyYar (622222) on Thursday August 09, 2012 @11:31AM (#40932051)

    At the same time, expecting people to be security experts is not going to be successful. You might have a good grasp of it, but chances are you have some exposure to it. It might not occur to your proverbial grandma that people can track down her mother's name.

  • Re:Simple solution (Score:4, Insightful)

    by bluefoxlucid (723572) on Thursday August 09, 2012 @11:40AM (#40932215) Journal
    The problem with that is I've got a 50% chance of getting it right. "Templates" or "operator overloading."
  • by gerardrj (207690) on Thursday August 09, 2012 @11:52AM (#40932473) Journal

    It's the answers. For the best security the answers should have nothing to do with the question, just like you see in all those old spy movies:

    Q: What is your favorite color
    A: walkaboutclock

    Q: What was the name of the street you grew up on?
    A: g!blix05

    When only the account holder can possibly know the answers then there can be no social engineering to bypass the security.

    None of this, of course, has any effect if policies and procedures at the vendor site allow for the questions to be bypassed. As I have posted elsewhere, we don't know the contents of the alleged call; the operator could have been threatened, blackmailed, bribed or even an accomplice.

  • Re:Simple solution (Score:5, Insightful)

    by Hatta (162192) on Thursday August 09, 2012 @11:55AM (#40932523) Journal

    That doesn't solve the real problem, that banks think that these question and answers provide any sort of security whatsoever. What is the difference between this Q&A scheme and a password? Specifically, these security questions are exactly identical to a password that is stored in the clear (no hash, no salt) and is intended to be communicated to humans, and for which an attacker only has to guess one out of 4 correctly?

    We know that this is bad practice for passwords. Why do we tolerate it for "security questions"?
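    The two complaints above (X0563511's "they are obviously stored cleartext" and Hatta's "an attacker only has to guess one out of 4 correctly") describe exactly the two implementation choices a site controls. The following is an added illustration, not code from the thread or from any vendor mentioned in it: it normalises each answer so that trivial spelling variations still match, stores only a salted scrypt hash of the normalised form (so a dump of the table yields no plaintext), and accepts a reset only when every enrolled question is answered correctly rather than any one of them. The question labels, the minimum-length policy and the scrypt cost parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass

# Assumed policy: a normalised answer shorter than this is too guessable to enrol.
MIN_NORMALIZED_LENGTH = 3
# Assumed scrypt cost parameters (about 16 MiB of memory per evaluation).
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so 'Main St.' and 'main st' compare equal.

    Unicode compatibility normalisation, case folding and removal of
    everything that is not a letter or digit; the result is what gets hashed,
    never what gets stored.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


@dataclass(frozen=True)
class StoredAnswer:
    """One row of the security-answer table: question label, salt and hash only."""
    question: str
    salt: bytes
    digest: bytes


def _digest(normalized: str, salt: bytes) -> bytes:
    return hashlib.scrypt(normalized.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def enroll(question: str, answer: str) -> StoredAnswer:
    """Hash an answer for storage; reject answers that normalise to almost nothing."""
    normalized = normalize_answer(answer)
    if len(normalized) < MIN_NORMALIZED_LENGTH:
        raise ValueError(f"answer to {question!r} is too short after normalisation")
    salt = os.urandom(16)  # per-answer salt, so identical answers hash differently
    return StoredAnswer(question, salt, _digest(normalized, salt))


def verify_all(stored: list[StoredAnswer], supplied: dict[str, str]) -> bool:
    """Return True only if every enrolled question is answered correctly.

    Every hash is recomputed and compared in constant time even after a
    mismatch, so the number of questions evaluated does not leak which
    answer was wrong. An empty enrolment never verifies.
    """
    if not stored:
        return False
    all_ok = True
    for record in stored:
        attempt = normalize_answer(supplied.get(record.question, ""))
        matched = hmac.compare_digest(_digest(attempt, record.salt), record.digest)
        all_ok = all_ok and matched
    return all_ok


def table_contains_plaintext(stored: list[StoredAnswer], answer: str) -> bool:
    """Check what a table dump would reveal: is the (normalised) answer in any row?"""
    needle = normalize_answer(answer).encode("utf-8")
    return any(needle in row.salt or needle in row.digest for row in stored)


if __name__ == "__main__":
    # Constructed sample enrolment; the answers are made up for the example.
    rows = [enroll("first street", "Main St."), enroll("first car", "Moon Rover")]
    print("all correct:", verify_all(rows, {"first street": "main st", "first car": "MOON ROVER"}))
    print("one of two:", verify_all(rows, {"first street": "main st", "first car": "Corvette"}))
    print("dump leaks plaintext:", table_contains_plaintext(rows, "Main St."))
```

Hashing does nothing about the low entropy of a true answer that is on the public record, which is the summary's point; it only stops a database dump from handing the attacker the answers outright, and the all-questions rule removes the 1-of-N discount Hatta describes. Storing a strong random string in a password manager, as several posters suggest, is what actually raises the entropy.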

  • Re:Simple solution (Score:5, Insightful)

    by ultranova (717540) on Thursday August 09, 2012 @01:37PM (#40934117)

    For phone stuff I set security questions like "Would you like to have dinner some time?" or "Wanna have sex when I get off?" and call to tease the cute customer service girl.

    Nothing's funnier than harassing a minimum wage worker who has no choice but to take your shit or be fired, eh?

    Let me guess: you're a CEO?

  • Re:Simple solution (Score:4, Insightful)

    by jmerlin (1010641) on Thursday August 09, 2012 @02:11PM (#40934943)
    What scares me the most, I think, is that several of the banks I've used have required ridiculously short passwords and relied heavily on these "security questions" as a second tier of authentication (as if that's more important than 64+ more bits of strength in the password). So you have to pick a password that's between 4 and 8 characters or some nonsense and answer some questions like "mother's maiden name" and "name of first employer" etc.

    What we need is some kind of authenticator or something. If you can't trust me to use a 24+ character password or provide me with a more secure means to log-in, I can't trust you to hold my money. It's that simple. Keyloggers still win against complex passwords. Blizzard solved the problem by using symmetric cryptographic protocols so a device that's highly unlikely to be compromised is the source of part of the key (a keychain or a smartphone app). Why can't banks do the same? What a damn shame.
  • Re:mother's name (Score:5, Insightful)

    by TaoPhoenix (980487) <TaoPhoenix@yahoo.com> on Thursday August 09, 2012 @05:09PM (#40937983) Journal

    How did the summary miss the chance to mention Facebook? Oh, they don't mention the F-word (!!) for once when it makes the Zuck look bad?

    For lists of questions that don't include "design it yourself", Facebook is the Walmart of Secret Question Busters.

    (Simulation)
    "Yay, I feel special, I made a Facebook account! Let's tell the whole world who I am! I'm ______ ______, I born and raised up in Philly, shout out to all the Main Street peeps! My whole family is there in Philly. Let's Like Mom, and Mom's whole family! I named my cat after Susan Boyle's, Pebbles."

    (Later, looks at security questions. "Doh!")
