Makes me glad that I mostly generate “pronouncable” passwords for my security questions, so the kind of well-meaning but insecure process demonstrated by that employee would be less likely to affect my accounts: my “street I grew up on” will look more like a possible street name than it will like a password.

Still, I’m reminded of a time I spoke to a utility company who’d messed up the transfer of the account ownership and still had the old holder’s date of birth as a security question. When I got it “wrong” the person I spoke to immediately said “that’s not what I’ve got here… I’ll fix it.” Thereby completely undermining the point of the exercise!