Over the years I've discussed the topic of breaking Web application/portal passwords many times and, as I've constantly said, the easiest way to hack a user's account is typically through the "password recovery" facilities.
On that topic, there's a new research paper that puts some figures to how successful the technique is. The paper goes by the title "It's no secret" and quantifies the reliability of 'secret' questions as a back-door to authentication systems.
I'd recommend a read of the new paper when you get a chance - and probably combine it with some of the following reading as well...
Challenging Challenge Questions
Choosing Better Challenge Questions