I recently had occasion to register for an Alaska Airlines online frequent-flyer account and was confronted with a form that demanded four personal questions. Aside from the obvious pain in the ass for users (you've just doubled the time it takes to fill in the form), there's an obvious privacy risk. If you actually fill in each of these questions truthfully, Alaska has a bunch of information about you they wouldn't otherwise have. Indeed, some of their questions (which come from a drop-down list so you can't input your own) include mother's maiden name, father's birthday, etc. You can, of course, lie, but this obviates the point of the personal questions since now you have to remember your lies (or write them down on the same post-it you wrote down the password).
To make matters worse, it potentially turns Alaska's security problems into your security problems. I might trust Alaska's privacy policies, but if someone breaks into their system and steals my questions and answers[1], that's not a good thing, especially if people are stupid enough to actually give Alaska their mother's maiden name, which I'm sure they are.
And of course all of this is used to secure access to your frequent flyer account.
1. Yes, Alaska could hash the responses, but that makes it hard to deal with minor variations in case, punctuation, etc., so I doubt they do.
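
On the footnote's point about case and punctuation: one way a site could store answers hashed and still accept minor variations is to canonicalize each answer before hashing it. The sketch below is an added example, not part of the original post and not anything Alaska is known to do; the function names, the canonicalization rules and the PBKDF2 work factor are all assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for the server's hardware


def canonicalize(answer: str) -> str:
    """Reduce an answer to a canonical form so trivial variations hash alike."""
    # NFKD splits accented letters into a base letter plus combining marks.
    decomposed = unicodedata.normalize("NFKD", answer)
    # Keep letters and digits only: drops spaces, punctuation and the marks.
    kept = [ch for ch in decomposed if ch.isalnum()]
    # casefold() is a more aggressive lower() intended for caseless matching.
    return "".join(kept).casefold()


def _stretch(answer: str, salt: bytes) -> bytes:
    canonical = canonicalize(answer).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", canonical, salt, PBKDF2_ROUNDS)


def enroll(answer: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) to store in place of the plaintext answer."""
    salt = os.urandom(16)  # per-answer salt, so equal answers do not collide
    return salt, _stretch(answer, salt)


def verify(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Check a later answer against the stored digest in constant time."""
    return hmac.compare_digest(_stretch(candidate, salt), stored)


if __name__ == "__main__":
    # Constructed sample answer, not real data.
    salt, stored = enroll("O'Brien-Smith")
    for attempt in ("obrien smith", "  O BRIEN  SMITH. ", "O'Brian-Smith"):
        print(repr(attempt), verify(attempt, salt, stored))
```

Truthful answers such as a maiden name are low-entropy, so a stolen digest can still be guessed offline; hashing limits casual disclosure from a breach but does not make such answers strong secrets.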
I'm with you on the criticism of Alaska, but I think they need to be shown a better way.
I'm a frequent Alaska Air user, and the username/password that you speak of controls more than my frequent flyer account. It allows me to cancel flights, check in for flights, request ticket refunds, change seating, and print boarding passes. The username/password deserves more security than my Hotmail account.
If you have a reasonable password-derivation tool, then you don't really have to worry about forgetting your password, so you can just use garbage (or additional derived passwords) as answers to their personal questions. Even better, some Websites allow you to specify the question as well as the answer--thus, you can put the site's current URL in as the question, so that if they ever change their URL, you can still get the old one back (when they ask you the question) and feed it into your password-derivation tool to recover the password.