Password hints and knowledge-based authentication, such as secret questions, should not be enabled.
Password hints often offer enough information for an attacker to guess a user’s password. Answers to secret questions are sometimes information that is publicly available or that can be found on social media. Therefore, these mechanisms should not be part of the authentication process and should not be used in the password recovery process either.
CWE-640: Weak Password Recovery Mechanism for Forgotten Password The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
NIST 800-63B 18.104.22.168 Memorized Secret Verifiers Memorized secret verifiers SHALL NOT permit the subscriber to store a “hint” that is accessible to an unauthenticated claimant. Verifiers SHALL NOT prompt subscribers to use specific types of information (e.g., “What was the name of your first pet?”) when choosing memorized secrets.
OWASP Top 10 A2:2017-Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
OWASP-ASVS v4.0.1 V2.5 Credential Recovery Requirements.(2.5.2) Verify password hints or knowledge-based authentication (so-called "secret questions") are not present.
PCI DSS v3.2.1 - Requirement 6.5.10 Address common coding vulnerabilities in software-development processes such as broken authentication and session management.