lhnn | 13 years ago
Yes. Not using true information is a good practice for security questions. If the CEO of a technical company thinks so, as well, then don't fscking ask me for my mum's maiden name!
1) Ask for a backup password and specify it should be kept offline.
2) Tell users to lie on the maiden name question.
Do NOT point the finger at one of your customers after a breach at your company. Terrible practice.