Many website registrations use security questions for password reset and sign-in verification. Some also ask the same security questions when users call on the phone. Security questions are one method of verifying the user, but they have problems. Poor security questions can have adverse results:
- the user can’t remember the answer
- the answer changed
- the question doesn’t work for the user
- the question could be discovered or guessed by others.
Many problems can be resolved by using good security questions which meet five criteria. Good security questions are:
- Safe: cannot be guessed or researched
- Stable: does not change over time
- Memorable: can be remembered
- Simple: is precise, easy, consistent
- Many: has many possible answers
It is difficult to find questions that meet all five criteria: some questions are good, some fair, most are poor. In reality, there are few if any GOOD security questions. People share so much personal information on social media, blogs, and websites that it is hard to find questions that meet the five criteria.
About Security Questions
What makes good security questions? I’ve researched and gathered many questions. Here you’ll find:
- A Full List of questions with ratings, ranking, rationale, and survey results on how likely people are to use them.
- Examples of good, fair, poor questions
- Types of questions
- Design your own questions or reset process
- Password tips