News.com reports that a joint study by four Harvard and MIT researchers claims that SiteKey (aka PassMark) is ineffective. Ouch. While I have little doubt about their integrity, I do wonder if the study is not flawed. For example, doesn't using people who willingly let others observe them signing into their bank account for such a study skew the result? It's probably not as bad as counting virgins among prostitutes, but I would like to hear more about how they accounted for such problems.
To be frank, I don't think we ever did a formal study like they did. Why? First, time. Second, money. Third, lack of a death wish. I mean, that's like stopping by the hospital before going to the prom to see if you have a fatal disease, isn't it? Fourth, user experience (image and questions) was only a part of the PassMark story.
Update:
This news apparently made some people curious enough to do some ad hoc experiments using their own bank accounts. That's a bad idea, folks. If your behavior strays outside your normal user behavior pattern, you are inviting future inconveniences at best.