Designing Good Security Questions
It's easy to find a list of security questions on the web, but it's not as easy to find GOOD security questions. I've provided examples of good, fair, and poor questions. You'll also find a comparison list of the good questions and categorization of types of questions.
What determines whether a question is good, fair, or poor? Here are my criteria, with details below.
The answer to a good security question:
- cannot be easily guessed or researched (safe)
- doesn't change over time (stable)
- is memorable
- is definitive or simple
Safe
The most important characteristic of a good security question is security: it must not compromise the very thing it is trying to protect. A good security question has answers that are not easy to guess or decipher, and so it blocks unauthorized access to the account.
Good security questions meet a number of specific requirements and have high entropy. In general, this means that the number of possible answers is very high and that the probability of any one specific answer is very low. When you create high-entropy questions, only the authorized user is likely to provide the correct answers.
- The answer cannot be found through research (mother’s maiden name, birth date, first or last name, social security number, phone number, address, pet’s name)
- The question has many possible answers where the probability of guessing the correct answer is low
- Answers are unlikely to be known by others such as a family member, close friend, relative, ex-spouse, or significant other.
Poor examples (the answer can be researched):
- What is your address?
- What is your phone number?
- What is your mother's maiden name?
Good examples:
- What was your dream job as a child?
- What is the first name of the boy or girl that you first kissed?
An additional option is to combine several data elements in one question, which increases the number of possible responses and decreases the probability of others guessing the correct answer.
- What is the name, breed, and color of your pet?
- What is the city, county, and state of your birth?
The downside to this is that it makes it more difficult for the user to answer consistently each time.
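To put numbers on the "high entropy" requirement and on the effect of combining elements, here is an added example (not from the original article) that scores a question from a table of how often each answer occurs. The answer counts are constructed, not survey data; the combined-question figure assumes the elements are independent, and the min-entropy and k-guess metrics go beyond what the article states.

```python
import math

# Constructed survey-style answer counts for two single-element questions (not real data).
# "What is your favorite color?": few distinct answers, heavily skewed.
COLOR_COUNTS = {"blue": 40, "green": 18, "red": 14, "purple": 10, "white": 10, "black": 8}
# "What breed is your pet?": broader, but still skewed toward common breeds.
BREED_COUNTS = {"labrador": 20, "mixed": 16, "tabby": 12, "german shepherd": 10, "beagle": 9,
                "poodle": 8, "siamese": 7, "bulldog": 6, "husky": 5, "persian": 4, "pug": 3}

def _probabilities(counts):
    total = sum(counts.values())
    return [c / total for c in counts.values() if c > 0]

def shannon_entropy_bits(counts):
    """Average bits of information per answer: the article's 'high entropy' goal."""
    return -sum(p * math.log2(p) for p in _probabilities(counts))

def min_entropy_bits(counts):
    """-log2 of the most common answer: what a single best guess is up against."""
    return -math.log2(max(_probabilities(counts)))

def top_k_guess_probability(counts, k):
    """Chance that someone allowed k attempts succeeds by trying the k most common
    answers; compare this against your lockout threshold."""
    probs = sorted(_probabilities(counts), reverse=True)
    return sum(probs[:k])

def combined_entropy_bits(*count_tables):
    """Entropy of a question whose answer concatenates several elements (e.g., breed
    and color). Assumes the elements are independent; correlated elements give less."""
    return sum(shannon_entropy_bits(t) for t in count_tables)

if __name__ == "__main__":
    for label, table in (("favorite color", COLOR_COUNTS), ("pet breed", BREED_COUNTS)):
        print(f"{label}: {shannon_entropy_bits(table):.2f} bits, min-entropy "
              f"{min_entropy_bits(table):.2f} bits, 3-guess success "
              f"{top_k_guess_probability(table, 3):.0%}")
    print(f"breed + color combined (if independent): "
          f"{combined_entropy_bits(BREED_COUNTS, COLOR_COUNTS):.2f} bits")
```

A favorite-color question with this distribution falls to three guesses 72% of the time, which is why a lockout counter alone does not rescue a low-entropy question.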
Stable
The answer to a good security question doesn't change over time.
Poor examples (the answer changes over time):
- Where did you vacation last year?
- Where do you want to retire?
- ... work or personal address, employer, nearest relative, phone number, etc.
One of my biggest complaints is "favorites." Favorite vacation, teacher, color, movie, book, animal, song, artist, etc. The list is endless and worthless for those of us who aren't definitive, or change our minds, or are human. Last year my favorite vacation was Italy; this year it is Hawaii. Favorites change, and the next time I log in and have to answer a security question, I get locked out. Result: a frustrated user, a website perceived as untrustworthy, wasted support time, or worse, the user doesn't return.
Good examples:
- What is the middle name of your oldest child?
- What school did you attend for sixth grade?
The other problem with favorite or preference types of questions is that people are sharing more of this information on social network sites like Facebook and Myspace. Use more caution when using these types of questions.
Memorable
The answer to a good security question should be easy to remember but still not available to others. Ideally, the user should immediately know the answer without doing research, looking up a reference, or remembering too far back in time.
Poor examples (hard to remember):
- What is your driver's license number? (I haven't memorized mine, have you?)
- What is your car registration number? (This may be easy for others to find on the web anyway.)
But don't use questions that go back to childhood, or, for that matter, to last year for someone like me.
Poor examples (too far back in time):
- What was the name of your first pet?
- What was your first car, favorite elementary school teacher, first kiss, etc.?
Definitive or Simple
The question should be asked so that the answer 1) is definitive or simple, 2) has an obvious format, and 3) is NOT case sensitive.
The question should require a specific answer.
Poor:
- What was your first car?
Hmm, which is it: Ford, Maverick, Ford Maverick, 1971 Ford Maverick, 71 Ford, etc.? (OK, that dates me and probably leaves a mark on my judgment too, but honestly, I couldn't remember what my first car was; I had to ask my wife.)
Better:
- What was the make of your first car? (Some will not understand "make".)
A very commonly used question is "What is the name of your pet?" Which pet? Dog, cat, fish, rat, snake... hmm, do people name their snakes?
The format of the answer should be clear. Don't ask "When was your anniversary?" The answer could be 1990, Aug 1990, August 1, 1990, etc. Instead ask, "What month were you married (e.g., January)?" Providing a format example in the question shows the user how to answer.
Poor:
- What month were you born?
Answers could vary (January, Jan, 01), and users may not remember which form they used when they have to answer.
Better:
- What month and year were you born? (e.g., January 1900)
Include the example in the question.
Not Case Sensitive
Don't validate case on the text field. The worst thing is to come up with a great question and then validate case sensitivity. I've actually sat and wondered if I capitalized the name of my elementary school.
With these three definitive guidelines, here's how to make a bad question better.
Poor:
- What is your brother's birthday?
Better:
- What is your oldest sibling's birthday month and year? (e.g., January 1900)
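Here is an added example (my own, not the article's) of how a site can honor the "obvious format" and "not case sensitive" rules at verification time: answers are folded to a canonical form before they are hashed, so "January 1900", "jan, 1900" and "01/1900" all match the stored value. The salted PBKDF2 storage and the iteration count are my assumptions, not anything the article specifies.

```python
import hashlib
import hmac
import os
import re
import unicodedata

MONTHS = ("january", "february", "march", "april", "may", "june",
          "july", "august", "september", "october", "november", "december")
# Accept the full name, the three-letter abbreviation, or the two-digit number.
MONTH_ALIASES = {}
for number, name in enumerate(MONTHS, start=1):
    MONTH_ALIASES[name] = MONTH_ALIASES[name[:3]] = MONTH_ALIASES[f"{number:02d}"] = name

PBKDF2_ROUNDS = 200_000  # assumed tuning value; raise it as hardware allows

def normalize_answer(raw):
    """Fold case, drop punctuation and collapse whitespace so 'Lincoln Elementary'
    and ' lincoln  elementary. ' compare equal (the 'not case sensitive' rule)."""
    text = unicodedata.normalize("NFKC", raw).casefold()
    text = re.sub(r"[^\w\s]", " ", text)
    return " ".join(text.split())

def normalize_month_year(raw):
    """Canonical form for the 'e.g., January 1900' format: 'January 1900', 'jan, 1900'
    and '01/1900' all become 'january 1900'. Returns None if the format is not met."""
    parts = normalize_answer(raw).split()
    if len(parts) != 2:
        return None
    month, year = parts
    name = MONTH_ALIASES.get(month) or MONTH_ALIASES.get(month.zfill(2))
    if name is None or not re.fullmatch(r"\d{4}", year):
        return None
    return f"{name} {year}"

def enroll(raw, normalizer=normalize_answer):
    """Store only a salted PBKDF2 hash of the canonical answer, never the answer itself."""
    canonical = normalizer(raw)
    if canonical is None:
        raise ValueError("answer does not match the format shown in the question")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonical.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify(raw, salt, digest, normalizer=normalize_answer):
    """Case-insensitive, format-tolerant comparison in constant time."""
    canonical = normalizer(raw)
    if canonical is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", canonical.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)
```

Rejecting a malformed answer at enrollment (the ValueError) is what keeps the user from storing a form they will not reproduce later; normalization at verification then absorbs the remaining variation without widening the answer space much.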
User Written Questions
Some site registration forms let the user write the question and then supply the answer, like this example.
After looking through this website, it should be clear that creating good security questions is not simple. Permitting users to create a good question at the moment of need sets them up for frustration, failure, and a potential security breach. Self-service password resets are more complicated than they appear, and you should think carefully before implementing this option. If IT professionals have difficulty writing good questions, how can we expect users to create a safe, consistent, memorable, and definitive question within moments?
My recommendation: don't let users write their own questions. You're the expert, that's what you're paid for.
A good security question will not work for all people, and most good questions still have some flaws. Therefore, it is best to offer 2-3 sets of questions (more if the data is more sensitive) with a variety of questions. I recommend offering 15 questions in each of three sets as seen below. You would need to remove the question selected from the first set from the subsequent sets.
Well, that's just about it, but here are a few other tips for creating good security questions.
- There are few good questions that work for all people. Some questions are poor for some people and good for others. Offer a variety of good questions and users will select what works for them.
- Don't ask too many questions. I've been through some registrations for sign-in verification that asked 15 security questions. My eyes started to glaze over after five (probably just old age). Perhaps more than five questions are warranted, but be kind to users.
- Make your questions grammatically correct. It may not affect the quality of the question, but it can affect your reputation.
- Avoid questions about color: there are a limited number of colors that people will use.
Once you have good and great questions selected, provide good instructions for users.
Last updated: 2/7/10