I'm already automatically logged into my Gmail account, but how do I find out what my password is, for future reference?

That is assuming you post on Facebook but, yeah, every time I see those “your porn name is your middle name and street you grew up on” types of questions, I just shake my head at the people answering them.

Indeed – not everyone does, but Facebook usage is prevalent enough, and participation in those phishing attempts is prevalent enough, that the industry is increasingly seeing security questions as not secure enough.

And, if you (the hypothetical you) are on Facebook, even if you don’t participate in answering those memes, you may have shared enough information about yourself and your family that many common security questions could still be compromised.

But for those who don’t forget the answers, it’s a Plan B or C, and for those who do forget the answers, it’s a “Not Required To Answer If You Can Remember Your Password” Thing, so they haven’t lost anything by having security questions as part of the possible logins.

A hacker could use a program that could guess the name of my first pet and where my parents got married? If so, s/he is using one of those “program puts in every combination of letters and numbers until answer found”, and the systems never allow that many guesses of security questions.

Please tell me you’ve seen Now You See Me (the first one), so you can laugh at what happens in that movie related to this trick 🙂.

Yeah, which is great, except Gmail can’t send me an email because it is my email, and it never offered me putting in a separate email account for such purposes, and it never offered me putting in my cell number.

Agreed, and this makes sense for the reasons stated.

In which case…

If this is possible without knowing your password, doesn’t it defeat the purpose of what @iamthewalrus_3 pointed out?

And that’s why, with security questions, you only have to get a certain number of them right to do the trick (if they ask 10 questions, you only have to get like 7 or 8 right usually, correct?)

Except that security questions are most frequently used as a verification method for people who cannot remember their passwords in the first place, and they’re asked to answer those security questions when they request a password reset.

When I go on my Google settings, the password is already in there, because I’m signed into Google on my browser (which I assume the OP is, as well); I’m not asked to re-enter it.

You may be able to add a phone number or back-up email to your password recovery options.

For that matter, there’s no reason why the OP couldn’t create a second Google account (and, thus, a second Gmail address), with a password which he will remember, as that back-up email for password recovery. I have two – one for my personal stuff, one for work.

But if there were no security questions in that situation, wouldn’t they already be out of options anyway?

What I’m trying to express is: aren’t security questions always a “helps if you know the answers, doesn’t hurt if you don’t because you would’ve been out of options anyway” kinda thing?

Depends on a few factors. If it’s a reasonably uncommon pet name and where your parents got married is the name of a specific hall or whatnot, and not just the city, then it may be difficult enough. If it’s just a city, a clever enough person who wants access to your account specifically can probably figure it out. Pet name might take some research (if you’ve ever posted it before), or trial-and-error (if it’s a common name, but you’ll usually get locked out after 3 or 5 mistakes, so probably not the best approach.) A better approach would be some sort of social engineering for you to volunteer that info.

So perhaps not all that likely, but possible if someone really is determined.

If a company doesn’t use security questions for password resets, they use some other method, like the ones that we’ve already discussed (2FA, email to another email address, etc.), as Google does.

No, because, as Pulykamell and I have already noted, in addition to often being just as hard to remember as the original password, they are notoriously insecure and prone to being inadvertently revealed through phishing or social engineering (the Facebook memes).

Have you answered @BigT’s question? You originally said that your PC is automatically logged into your Gmail account, but I don’t think you’ve told us what email client you use. We’re assuming it’s a browser like Chrome or Firefox; can you verify?

I don’t know how Firefox works, but if you’re using Chrome and want to see your stored passwords, you need to know the admin password for Windows. Do you remember that password?

I don’t want to sound like the spokesperson for Security Questions, so I’m gonna stop proclaiming my affection for them pretty soon 😃, but…

If a company doesn’t offer 2FA, email to another email address, etc. as options, and they do offer Sec Qs, can you say that they don’t offer the other options as a result of the fact that they do offer the Sec Qs? What I mean is, are there any companies that say “Let’s offer Sec Qs as an option, and because we offered that option, let’s not offer 2FA or email to another address as options, since there’s surely no need?” Is it a “Lifeboat is full, let’s not put another thing in there” situation, where, in a world where Sec Qs don’t exist, they would have offered more than that as a way in?

No, a hacker just has to share a meme on Facebook that tricks you into revealing that information.

Just like I said to kenobi above, I hope you’ve seen Now You See Me so you can laugh at what they did related to that in one part of the movie 😆.

My point is - even if logged in, you cannot change your password without knowing your old password, for the security reasons described: someone who comes across your machine unattended but logged in could change the password, lock you out and take over the account.

It makes little sense, then, to allow you to change the security settings under similar circumstances, since that would indirectly allow someone to do exactly the same thing. They could change the backup security phone number to their own phone number, etc.

If you’ve tried it and you can do it, I’m not disputing your discovery - I’m just trying to understand the logic of it.

I don’t think that there are too many companies which are only using security questions for identity verification anymore, though I would not be surprised to learn that it’s more common than I think. That said, if a company is still only using security questions, it’s likely a matter of them being some combination of lazy/cheap/complacent, and having not updated their security protocols for years.

Best practices for identity security have moved on from security questions. Bear in mind, it’s not just a matter of providing something that’s easy to use for their customers, but also using a method(s) which are reasonably secure, to protect the company from risks associated with identity fraud.

Make all your answers either “Fuck you” or “I can’t tell you that” - makes for great fun on the phone (remember when you actually had to call customer service?) & they ask you for or the answers to your security questions. 🤣

Answering late. Your browser remembers your Google password (same password for Gmail, Google Photos, etc). Look up how to see saved passwords in your browser. Then get a password generator which, among other things, stores passwords securely. (I effectively need to memorize one password.)

I am making an assumption here, that you are using a desktop or laptop to access Gmail. I don’t know how you could get that from your phone.