Some online services demand strong passwords, but have very weak requirements for the "security answer" that you use to reset a lost password. This is stupid. The security answer is a backup password and should be just as secure as the primary password.
Example from a company that shall remain unnamed:
The security answer must be:
* 2 to 14 characters
* letters only, no numbers, spaces, or other characters
* not case-sensitive
And there are only four "security questions" to choose from:
* What was the name of your first pet?
* What was the name of the city your high school was located in?
* What is your father's middle name?
* What was the make of your first car?
Now of course, you can put any random thing you want as the answer, but most people will answer truthfully so that they'll be able to remember without writing it down. As a result, hackers only need lists of common pet names, major cities, common given names, and car manufacturers, and they'll be able to reset the passwords on a large fraction of accounts.
If you run into something like this, DON'T enter the real answer if it's a common word or name. Treat it like a password and enter something unguessable.
(Yes, someone I know got hacked this way.)
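To put numbers on the gap, the following added example (not from the original post) compares a truthful answer drawn from a word list with a random answer that still fits the policy quoted above, and generates such an answer. The list sizes and function names are assumptions made up for illustration, not measured data.

```python
import math
import secrets
import string

# Policy quoted on the page: 2 to 14 characters, letters only, not case-sensitive.
MIN_LEN, MAX_LEN = 2, 14
ALPHABET = string.ascii_lowercase  # case is ignored, so only 26 symbols count


def policy_keyspace(min_len=MIN_LEN, max_len=MAX_LEN, symbols=len(ALPHABET)):
    """Count every distinct answer the policy allows."""
    return sum(symbols ** n for n in range(min_len, max_len + 1))


def bits(choices):
    """Entropy in bits of a uniform pick among `choices` options."""
    return math.log2(choices)


def satisfies_policy(answer):
    """Check an answer against the length and letters-only rules."""
    return (MIN_LEN <= len(answer) <= MAX_LEN
            and all(c in string.ascii_letters for c in answer))


def random_answer(length=MAX_LEN):
    """Generate an unguessable answer that the policy still accepts."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length outside the policy's 2 to 14 range")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


# Constructed list sizes (assumptions): how many candidates a guesser would try.
ASSUMED_LIST_SIZES = {
    "first pet": 1000,
    "high school city": 5000,
    "father's middle name": 2000,
    "first car make": 100,
}

if __name__ == "__main__":
    for question, size in ASSUMED_LIST_SIZES.items():
        print(f"truthful answer, {question}: at most {bits(size):.1f} bits")
    print(f"random 14-letter answer: {bits(26 ** MAX_LEN):.1f} bits")
    # A random answer has to be recorded like any other password.
    print("generated answer:", random_answer())
```

Even under this restrictive policy, a random 14-letter answer is worth about 65.8 bits, while a truthful answer is worth no more than the logarithm of the list it comes from.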