Designing

What makes a good security question? You can design your own good security questions with these five criteria.

The answer to a good security question has the following characteristics:

  1. Safe: cannot be guessed or researched
  2. Stable: does not change over time
  3. Memorable: can be remembered
  4. Simple: is precise, easy, consistent
  5. Many: has many possible answers

Once you review these criteria, it becomes quickly evident that there are few if any “good” security questions. If you must use security questions to reset passwords, use the following criteria to assess the quality of a question.

1. Safe — Can’t Guess or Research

The most important characteristic of a good security question is security - it does not compromise the very thing it is trying to protect. A good security question:

  1. cannot be easily guessed whether or not the attacker knows the user (family member, close friend, relative, ex-spouse, or significant other)
  2. cannot be easily researched – Facebook, G+, other social media, blogs, or research sites

2. Stable — Doesn’t Change

The answer to a good security question doesn’t change over time.

Bad examples:

  • Where did you vacation last year?
  • Where do you want to retire?
  • … work or personal address, employer, nearest relative, phone number, etc.
  • Favorite anything

One of my biggest complaints is “favorites.” Any question that asks for a favorite is a bad question. The list of favorites is endless and worthless because things change.

3. Memorable

A security question should be easy to remember but still not available to others. Ideally, the user should immediately know the answer without looking up a reference or having to write down the answer.

Bad examples:

  • What is your driver’s license number? (I haven’t memorized mine, have you?)
  • Car registration number (this may be easy for others to find on the web anyway)
  • What was the name of your first pet?
  • What was your first car, favorite elementary school teacher, first kiss, etc.
  • But don’t use questions that go back to childhood, or for that matter last year for someone like me.

4. Simple and Definitive

The question should be asked so the answer is 1) definitive, 2) simple and precise, 3) will consistently be answered in the same way, and 4) is NOT case sensitive.

Definitive

The question should require a specific answer.

Bad example:

  • What was your first car?

Hmm, which is it: Ford, Maverick, Ford Maverick, 1971 Ford Maverick, 71 Ford, etc. (ok, that dates me and probably leaves a mark on my judgment too – but, honestly, I couldn’t remember what my first car was – had to ask my wife).

Better example:

  • What was the make and model of your first car? (Some will not understand “make” and this could be on social media or blogs)

A very commonly used question is: What is the name of your pet? Which pet: dog, cat, fish, rat, snake? Hmm, do people name their snakes?

Simple and Precise Format

The format of the answer should be clear. Don’t ask “When was your anniversary?” The answer could be 1990, Aug 1990, August 1, 1990, etc. Instead ask, “What month and year did you meet your spouse (e.g., January 1999)?” (Still not a good question, because there are too few possible answers.) Providing a format example in the question shows the user how to answer.

Bad example:

  • What month were you born?

Answers could vary (January, Jan, 01) and users may not remember when they have to answer.

Better example:

  • What time of the day was your first child born? (hh:mm)
    (include an example of the format in the question)

Not Case Sensitive

Don’t validate case on the text field. The worst thing is to come up with a great question and then validate case sensitivity. I’ve sat and wondered if I capitalized the name of my elementary school.

With these guidelines, here’s how to make a bad question better.

Bad example:

  • What is your brother’s birthday?

Better example (but not great because not enough possible answers):

  • What is your oldest sibling’s birthday month and year? (e.g., January 1900)

5. Many

A good question will have many possible answers; the more possible answers, the better the security. It’s not just a matter of someone guessing, but also of stopping automated attempts. Hundreds of thousands or even millions of options would be better than a few hundred or thousand. But not many questions will have millions of possible answers, which leads us back to… are there any “good” security questions?

User Written Questions

Some site registration forms let the user write the question and then supply the answer.

After looking through this website, it should be clear that there are few if any good security questions and they are not simple to create. Permitting the user to create a question may increase user frustration and the potential for a security breach. If IT professionals have difficulty writing good questions, how can we expect users to create a good question within moments?

My recommendation: don’t let users write their own questions. You’re the expert, that’s what you’re paid for.

Not For Everyone

No one question works for all people.

To discover which questions have higher usage rate, get the Full List of questions.

People need enough questions to select those that will work for them. Therefore, it is best to offer 2-3 sets of questions (more if site data is more sensitive) with a variety of questions. I recommend offering THE SAME 15-20 questions in each of three sets as seen below. As the user selects a question in the first set, remove that question from the second and third sets; likewise, remove the question selected in the second set from the third set. Previously selected questions must always be eliminated from the subsequent question sets. Here’s a sample design of the user form to set up questions.

Security Questions

Please select three questions and enter an answer for each question. Answers are NOT case sensitive (caps on OR off are OK).

Question 1: (select from list)
Answer to Question 1:
Question 2: (select from list, minus the question chosen above)
Answer to Question 2:
Question 3: (select from list, minus the questions chosen above)
Answer to Question 3:

Reset Process

1. Attempts & Time Limits

How many attempts should you offer in the reset process? In the forgot password process, you can offer two attempts in case the user has made an honest mistake in the first attempt. But whether you offer one attempt or two, it’s VERY important that you limit the amount of time available to answer the questions. You don’t want to give an adversary time to research the answers. Here are some options.

a. One Attempt

Once the questions are displayed, start the timer and set the limit to about twice the time it would take a typical user to answer the questions. Example: answering three questions might take 1.5 minutes for the average user. Set the timer to 3 minutes.

If any answer is incorrect or the time limit is reached, lock the account and send the user an email with explanation and instructions.

b. Two Attempts

Once the first set of questions is displayed, start two timers:

  1. One timer for the first set
  2. One timer for both sets

This caps the time an adversary has on the first attempt and on both attempts combined. Example for three questions: the first attempt gets 3 minutes. The second timer starts at the same time as the first timer and gets 6 minutes.

If the user fails on the second attempt because of incorrect answers or exceeds the second time limit (6 minutes) on the second attempt, lock the account and send the user an email with explanation and instructions.

c. Three Attempts

Don’t allow three or more attempts.

2. Room for Error

The user has answered three questions during set up. During authentication you present three questions but only require two of three correct answers. In two-attempt scenarios, on the second attempt, disable any answer that was already correct so the user cannot change it.

This, of course, weakens the security, but may reduce support calls. You’ll have to decide which is more important: making it easier for users who make a legitimate mistake, or being more secure to protect against attacks.
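As an added example (my own code, not the author’s), the Python below sketches the two-attempt reset flow described above: a 3-minute first-attempt timer and a 6-minute overall timer, case-insensitive matching against salted hashes so no answer is stored in plaintext, the two-of-three rule, and fixing any answer that was correct on the first attempt. The names (ResetSession, enroll, matches), the injected clock, and the choice to treat an expired first timer as a wasted attempt are assumptions; the page does not specify storage or that detail.

```python
import hashlib, hmac, os

FIRST_LIMIT = 180   # seconds allowed for the first attempt (3 minutes)
TOTAL_LIMIT = 360   # seconds allowed for both attempts together (6 minutes)
REQUIRED = 2        # accept 2 of 3 correct answers ("room for error")

def normalize(answer):
    # Compare case-insensitively and ignore stray whitespace.
    return " ".join(answer.casefold().split())

def enroll(answers):
    """Store only salted hashes of the normalized answers, never plaintext."""
    salt = os.urandom(16)
    return salt, [hashlib.sha256(salt + normalize(a).encode()).digest() for a in answers]

def matches(salt, stored_hash, given):
    digest = hashlib.sha256(salt + normalize(given).encode()).digest()
    return hmac.compare_digest(stored_hash, digest)

class ResetSession:
    """One forgot-password session: both timers start when questions are shown."""
    def __init__(self, salt, stored_hashes, clock):
        self.salt, self.stored, self.clock = salt, stored_hashes, clock
        self.started = clock()
        self.attempt = 0
        self.state = "open"                       # open | ok | locked
        self.fixed = [None] * len(stored_hashes)  # answers correct on attempt 1

    def submit(self, given):
        if self.state != "open":
            return self.state
        self.attempt += 1
        elapsed = self.clock() - self.started
        if self.attempt > 2 or elapsed > TOTAL_LIMIT:
            self.state = "locked"                 # caller locks account, emails user
            return self.state
        if self.attempt == 1 and elapsed > FIRST_LIMIT:
            return "retry"                        # first timer expired: attempt wasted
        correct = 0
        for i, g in enumerate(given):
            if self.fixed[i] is not None or matches(self.salt, self.stored[i], g):
                correct += 1
                self.fixed[i] = self.fixed[i] or g  # UI disables this field next time
        if correct >= REQUIRED:
            self.state = "ok"
        elif self.attempt == 2:
            self.state = "locked"
        return self.state if self.state != "open" else "retry"
```

The sample answers in the test are constructed; a real deployment would persist the session state server-side rather than in memory.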