What Are Security Questions?
If you've registered at a website or perhaps built a registration form for a website, then you are probably familiar with questions like "What is your mother's maiden name?" or "What is your pet's name?" These are security or challenge questions and are generally used in two ways:
- Password retrieval/reset: if you forget your password, the website asks the question and, if you answer correctly, lets you reset the password (or, on sites that still store passwords in a retrievable form, sends it to you).
- Sign-in verification: some websites occasionally display a security question during sign-in as a second level of verification.
Benefits
Security questions reduce support costs by allowing users to retrieve their password rather than contacting support. Paul Laudeman comments that self-service password resets can save companies $51 to $147 per call.
Security questions are safer than trying to verify a caller's identity over the phone.
Sign-in verification can increase security over the routine user name/password option.
Secure or Insecure?
The term "security questions" is a misnomer. Security questions open a second path into an account: anyone who can guess or look up the answer gets in, no matter how strong the password is. Hopefully, security experts will find better ways of retrieving forgotten passwords or verifying identity during login, but until then security questions will likely remain prevalent and persistent.
Thus, security questions have both benefits and liabilities. Poor questions create security breaches and confusion and cost money in support calls. Good security questions can be useful in the current environment, but are not common.
Good Security Questions
Most websites that register users use some form of security questions. But in my experience few websites use GOOD security questions.
Good security questions have four common characteristics. The answer to a good security question:
- cannot be easily guessed or researched (safe),
- doesn't change over time (stable),
- is memorable,
- is definitive or simple.
It's difficult to create questions that meet all four characteristics which means that some questions are good, some fair, and the remaining are poor.
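The "safe" characteristic can be measured rather than judged by feel: if an attacker tries the most common answers first, how likely is a hit within the number of attempts the site allows before lockout? The script below is an added example, not part of the original article. The answer counts for the two hypothetical questions are constructed for illustration; a real assessment would use a representative corpus of actual answers, and frequency alone does not capture how easily an answer can be researched on social media or public records.

```python
import math
from collections import Counter

# Constructed sample data (assumption, not from the article): answer counts
# for a hypothetical "What is your pet's name?" question. A few popular names
# dominate, followed by a long tail of unique names.
PET_NAME_ANSWERS = Counter({
    "Max": 180, "Bella": 150, "Charlie": 120, "Lucy": 90, "Buddy": 80,
    "Daisy": 60, "Rocky": 50, "Molly": 40, "Bailey": 30,
})
PET_NAME_ANSWERS.update({f"unique_pet_{i}": 1 for i in range(300)})

# Constructed sample data for a hypothetical question whose answers spread
# evenly over 1000 distinct values (e.g. a numeric answer).
STREET_NUMBER_ANSWERS = Counter({str(n): 1 for n in range(1, 1001)})


def normalize(answer: str) -> str:
    """Canonical form so 'Max', ' max ' and 'MAX' count as the same answer.
    A definitive answer should have one form; variants merged here would
    otherwise inflate the apparent number of distinct answers."""
    return " ".join(answer.strip().casefold().split())


def answer_distribution(counts: Counter) -> dict:
    """Turn raw answer counts into a probability distribution over normalized answers."""
    merged = Counter()
    for answer, count in counts.items():
        merged[normalize(answer)] += count
    total = sum(merged.values())
    return {answer: count / total for answer, count in merged.items()}


def min_entropy_bits(dist: dict) -> float:
    """Min-entropy: how hard the single best guess is. This, not Shannon
    entropy, governs an attacker's first-try success probability."""
    return -math.log2(max(dist.values()))


def shannon_entropy_bits(dist: dict) -> float:
    """Average entropy of the answer distribution, for comparison."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def success_within_guesses(dist: dict, guesses: int) -> float:
    """Probability an attacker succeeds within `guesses` attempts by trying
    the most common answers first (the optimal strategy against this data)."""
    probs = sorted(dist.values(), reverse=True)
    return sum(probs[:guesses])


def rate_question(counts: Counter, guess_budget: int = 5, max_success: float = 0.05) -> dict:
    """Rate a question's 'safe' property: safe if an attacker with
    `guess_budget` attempts (e.g. the lockout threshold) succeeds with
    probability at most `max_success`. Both thresholds are assumptions."""
    dist = answer_distribution(counts)
    p_success = success_within_guesses(dist, guess_budget)
    return {
        "distinct_answers": len(dist),
        "min_entropy_bits": round(min_entropy_bits(dist), 2),
        "shannon_entropy_bits": round(shannon_entropy_bits(dist), 2),
        "p_success_within_budget": round(p_success, 4),
        "safe": p_success <= max_success,
    }


if __name__ == "__main__":
    for name, counts in (("pet name", PET_NAME_ANSWERS),
                         ("street number", STREET_NUMBER_ANSWERS)):
        print(name, rate_question(counts))
```

With the constructed counts, the pet-name question fails: the five most common names cover 620 of 1100 answers, so a lockout after five wrong tries still leaves the attacker a better than even chance. The numeric question passes because no answer is much more likely than any other. Note that min-entropy is what matters for the first few guesses; a question can have a respectable Shannon entropy and still be lost to "Max".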
My goal here is to describe what makes good security questions, offer examples and comparisons, and explain how you can create your own good security questions.
Last updated: 10/20/08