The idea of a question and answer is to protect users if their email account is hijacked, otherwise once someone hacks your email they can gain access to your credentials for just about any site you use. You don't need to remember the question becasuse the question will be presented to you on the password recovery page, you only need to remember the answer to the question. If you feel that is too much trouble and you don't need that extra protection then just use a simple question "like what color is blue" with the obvious answer "blue".

If all else fails in password recovery people can use my contact form to contact me and I can reset their password.

While it is true that some sites have moved away from security question and answer, it is usually because they have some other mechanism like my bank has a visual site key (though they do still use multiple questions and answers for some verification purposes) and some sites like google now use your cell phone so they can sms you a new password. Unfortunately those are solutions diificult/expensive to implement so we use what are able to implement and that is a security question and answer. And of course sites like Facebook may not have a security question and answer but then again they are not known to be the most secure site, lots of accounts do get hacked on Facebook due to weak passwords and lack of other securit mechanisms.

Whether you choose to use a security question and answer on your site is up to you but on this site I choose to give people the power to have a little more security, as I said above if you prefer convenience over security then use a simple question with an obvious answer.

As Jamie said we will not be implementing something in mojoPortal to write to the web.config file nor recycle the app pool for security reasons. These reasons and security issues are also discussed in the article Why Custom Features Should be Instralled by FTP

Best Regards,

Joe