"What are the last 6 digits of your library card number?"
"What is the last name of the issuer of your fitness club card?"
"What is the last 6 digits on your favorite Shopping club card?"
If you use these types of questions, you have to give the user many choices. Not everyone has a shopping club card or a library card, so a broad set of questions works best. The goal when coming up with questions should be answers that cannot be easily guessed or looked up on the internet. Here are some examples of horrible questions.
Looked up with some simple information about the user:
"So Sarah Palin, where did you meet your spouse?"
"What is your voting precinct or district?"
Easily brute forced or guessed:
"What is your favorite baseball team?" Guess what 80% of the people in Atlanta say.
"What is your favorite color?" Come on, who isn't madly in love with one of the primary colors?
The last category of questions that suck is those that have only a few possible right answers. Today I renewed my subscription to a prominent computer SECURITY magazine that asked me, "How many siblings do you have?" With the exception of a few families, we can pretty much rule out anything greater than 4. And all of those families have their own Discovery Channel show, so we know their answers. The best I can hope for is that my answer won't be brute-forced in the first 5 attempts!
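To put numbers on the guessability argument above, here is an added example (not part of the original post) that scores a question by how likely an attacker is to hit the right answer within a lockout budget of a few guesses, using the post's three kinds of question. The answer distributions are constructed assumptions for illustration, not survey data.

```python
import math

def success_within(dist, attempts):
    """Chance that an attacker who tries answers most-common-first succeeds
    within `attempts` tries. `dist` maps each possible answer to its weight
    (a probability or a count); weights are normalised here."""
    weights = sorted(dist.values(), reverse=True)
    total = sum(weights)
    return sum(weights[:attempts]) / total

def min_entropy_bits(dist):
    """Min-entropy of the answer distribution: how many bits of work the
    single most likely answer costs an attacker. Uniform over N answers
    gives log2(N); a lopsided distribution gives far less."""
    total = sum(dist.values())
    return -math.log2(max(dist.values()) / total)

def rate_question(dist, attempts=5, max_success=0.01):
    """Return (success probability, min-entropy bits, acceptable?) for one
    question, judged against a lockout after `attempts` guesses and the
    hit rate you are willing to tolerate."""
    p = success_within(dist, attempts)
    return p, min_entropy_bits(dist), p <= max_success

# Constructed answer distributions (illustrative assumptions, not survey data).
# "What is your favorite baseball team?" asked in Atlanta: the post's 80%.
FAVORITE_TEAM_ATLANTA = {"Braves": 0.80, "Yankees": 0.06, "Red Sox": 0.05,
                         "Cubs": 0.04, "Dodgers": 0.03, "other": 0.02}
# "How many siblings do you have?": almost everyone answers 0 to 4.
SIBLINGS = {0: 0.20, 1: 0.40, 2: 0.25, 3: 0.10, 4: 0.04, "5+": 0.01}
# "Last 6 digits of your library card number": roughly uniform over 10^6.
LIBRARY_CARD_LAST6 = dict.fromkeys(range(10**6), 1)

if __name__ == "__main__":
    for name, dist in [("favorite team (Atlanta)", FAVORITE_TEAM_ATLANTA),
                       ("number of siblings", SIBLINGS),
                       ("library card last 6", LIBRARY_CARD_LAST6)]:
        p, bits, ok = rate_question(dist)
        print(f"{name:24s} p(5 guesses)={p:.6f} min-entropy={bits:5.2f} bits "
              f"{'OK' if ok else 'REJECT'}")
```

The siblings question is cracked in five guesses 99% of the time under these assumptions, while the card-number question survives with a success rate of five in a million.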
Summary: Avoid cognitive passwords if you can. If you have to use them, be very careful with the questions you choose.