What makes a good security question? A good security question produces answers that are:
- Safe: cannot be guessed or researched
- Stable: does not change over time
- Memorable: the user can remember it
- Simple: the answer is precise, simple, and consistent
- Many: has many possible answers
Examples of Good, Fair, and Poor Questions
- What is the first name of the person you first kissed?
- What is the last name of the teacher who gave you your first failing grade?
- What was the name of your elementary / primary school?
- In what city or town does your nearest sibling live?
- What time of the day were you born? (hh:mm)
- What is your pet’s name?
- In what year was your father born?
- What is your favorite _____?
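As an added illustration of the "Safe" and "Many" criteria (example code, not part of the original page), the following Python scores three of the questions above by how guessable their answers are when an attacker gets only a few tries before lockout. The answer distributions, the 5-try lockout and the 1% success threshold are constructed assumptions, not survey data.

```python
import math

# Constructed answer distributions for three questions from the list above
# (illustrative assumptions, not survey data from the page).
# A father's birth year plausibly spans about 70 years; treat it as uniform.
FATHER_BIRTH_YEAR = {year: 1 for year in range(1925, 1995)}
# Time of birth in hh:mm has 24 * 60 = 1440 possible values; treat as uniform.
BIRTH_TIME = {f"{h:02d}:{m:02d}": 1 for h in range(24) for m in range(60)}
# Pet names are heavily skewed: a handful dominate, then a long tail of rare ones.
PET_NAME = {"Max": 50, "Bella": 45, "Charlie": 40, "Luna": 35, "Buddy": 30}
PET_NAME.update({f"rare-name-{i}": 1 for i in range(800)})


def min_entropy_bits(distribution):
    """-log2 of the single most common answer's probability. This, rather than
    the raw count of possible answers, is what an online guesser exploits."""
    total = sum(distribution.values())
    return -math.log2(max(distribution.values()) / total)


def guess_success_rate(distribution, attempts):
    """Share of users whose answer is among the `attempts` most common ones,
    i.e. how often a guesser wins before a lockout after that many tries."""
    total = sum(distribution.values())
    top = sorted(distribution.values(), reverse=True)[:attempts]
    return sum(top) / total


def rate_question(question, distribution, lockout=5, max_success=0.01):
    """Score the 'Safe' and 'Many' criteria. The thresholds are assumptions:
    5 tries before lockout and at most 1% of accounts guessable within them."""
    rate = guess_success_rate(distribution, lockout)
    return {
        "question": question,
        "min_entropy_bits": round(min_entropy_bits(distribution), 2),
        "success_in_lockout": round(rate, 4),
        "meets_criteria": rate <= max_success,
    }


if __name__ == "__main__":
    for q, d in [("In what year was your father born?", FATHER_BIRTH_YEAR),
                 ("What time of the day were you born? (hh:mm)", BIRTH_TIME),
                 ("What is your pet's name?", PET_NAME)]:
        print(rate_question(q, d))
```

Under these assumptions only the birth-time question clears the 1% bar; the birth-year answer space is too small, and pet names fail because a few popular names cover a large share of users even though the space is large.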
Wait! Some GOOD Questions are Still BAD…
Even if a question is good, some people will not be able to use it. Example: the name of the place your wedding reception was held. If I haven’t been married, I won’t use that question.
Which questions get used? I conducted a survey of which questions people would use. I also rated each question against the 5 criteria above and provided a rationale for each rating. The results are included in the Full List of Security Questions.
The Full List of security questions can help you confidently select the best questions that people will actually use. The Full List includes:
- 40+ “good” questions selected from 200 candidate questions
- survey results (over 350 responses) showing which questions people will actually use (“I might use this question” or “I would NOT use this question”)
- ratings of each question against the 5 criteria (safe, stable, memorable, simple, many)
- the rationale for the ratings and rankings