Many website registrations use security questions both for password retrieval/reset and for sign-in verification. Some also ask the same security questions when users call on the phone. Security questions are one method of verifying the user and stopping unauthorized access. But there are problems with security questions. Websites may use poor security questions, with negative results:
- The user can’t accurately remember the answer, or the answer has changed.
- The question doesn’t apply to the user.
- The question is not safe: the answer could be discovered or guessed by others.
It is essential that we use good questions. Good security questions meet five criteria. The answer to a good security question is:
- Safe: cannot be guessed or researched
- Stable: does not change over time
- Memorable: can be remembered
- Simple: is precise, easy to give, and consistent
- Many: has many possible answers
It is difficult to find questions that meet all five criteria, which means that some questions are good, some fair, and most are poor. In reality, there are few if any GOOD security questions. People share so much personal information on social media, blogs, and websites that it is hard to find questions that meet the criteria above. In addition, many questions are not applicable to some people; for example, “What is your oldest child’s nickname?” is useless if you don’t have a child.
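A site that uses security questions can at least enforce the Safe, Simple and Many criteria on the answers it accepts at enrollment. The following is an added example, not code from this site: it normalizes answers so that later matching is consistent, rejects answers that are short, low-variety, guessable from a common-answer list, or derived from the username, and stores only a salted hash. The `COMMON_ANSWERS` set is a constructed stand-in for a real blocklist, and the thresholds are assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed sample blocklist; a real one would hold common pet names,
# colours, cities, teams, foods and the usual "none"/"n/a" fillers.
COMMON_ANSWERS = {"fido", "max", "blue", "red", "pizza", "london", "new york", "none"}


def normalize(answer: str) -> str:
    """Simple/consistent: Unicode-normalize, casefold, collapse whitespace."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def check_answer(answer: str, username: str, min_len: int = 4) -> list:
    """Return the reasons an answer fails the Safe/Many criteria; [] means accepted."""
    norm = normalize(answer)
    problems = []
    if len(norm) < min_len:
        problems.append("too short")
    if norm in COMMON_ANSWERS:
        problems.append("common answer")
    if norm and norm in normalize(username):
        problems.append("derived from username")
    if len(set(norm)) <= 2:  # e.g. "aaaa" or "1111": almost no answer space
        problems.append("too little variety")
    return problems


def store_answer(answer: str) -> tuple:
    """Store a random salt and a PBKDF2 hash of the normalized answer, never the clear text."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 200_000)
    return salt, digest


def verify_answer(answer: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the hash from the normalized answer and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)
```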
The goal of this site is to describe what makes a good security question, offer examples with ratings, and provide ideas for creating your own good security questions.