Designing

What makes a good security question? You can design your own good security questions with these five criteria.

The answer to a good security question has the following characteristics:

  1. Safe: cannot be guessed or researched
  2. Stable: does not change over time
  3. Memorable: the user can remember it without looking it up
  4. Simple: precise, easy, and consistently answered the same way
  5. Many: has many possible answers

Once you review these criteria, it becomes quickly evident that there are few if any “good” security questions. If you must use security questions to reset passwords, use the following criteria to assess the quality of a question.

1. Safe — Can’t Guess or Research

The most important characteristic of a good security question is security – it does not compromise the very thing it is trying to protect. A good security question:

  1. cannot be easily guessed whether or not the attacker knows the user (family member, close friend, relative, ex-spouse, or significant other)
  2. cannot be easily researched – Facebook, G+, other social media, blogs, or research sites

2. Stable — Doesn’t Change

The answer to a good security question doesn’t change over time.

Bad examples:

  • Where did you vacation last year?
  • Where do you want to retire?
  • … work or personal address, employer, nearest relative, phone number, etc.
  • What is your favorite… anything

One of the most common and worst types of question is “what is your favorite….” Current favorites can change. But historical favorites may be acceptable, because they can’t change. For example, “what was your favorite sport in high school?” As long as the person is no longer in high school, that shouldn’t change.

3. Memorable

A security question should be easy to remember but still not available to others. Ideally, the user should immediately know the answer without looking up a reference or having to write down the answer.

Bad examples:

  • What is your driver’s license number? (I haven’t memorized mine, have you?)
  • Car registration number (this may be easy for others to find on the web anyway)
  • What was your first car, favorite elementary school teacher, first kiss, etc.

Childhood questions can be difficult for older people. Try to use questions that are more prominent or memorable.

4. Simple and Definitive

The question should be asked so that the answer is 1) definitive, 2) simple and precise, 3) consistently answered in the same way, and 4) NOT case sensitive.

Definitive

The question should require a specific answer.

Bad example:

  • What was your first car?

Hmm, which is it: Ford, Maverick, Ford Maverick, 1971 Ford Maverick, 71 Ford, etc. (ok, that dates me and probably leaves a mark on my judgment too – but, honestly, I couldn’t remember what my first car was – had to ask my wife).

Better example:

  • What was the make and model of your first car? (Some may not understand “make” and this could be on social media or blogs)

A very commonly used question is: What is the name of your pet? Which pet? dog, cat, fish, rat, snake…. hmm, do people name their snakes?

Simple and Precise Format

The format of the answer should be clear. Don’t ask “When was your anniversary?” The answer could be 1990, Aug 1990, August 1, 1990, etc. Instead ask, “What month and year did you meet your spouse (e.g., January 1999)?” (Not a good question, because there are too few possible answers). It may be helpful to provide a format example with the question to indicate how the user should answer.

Bad example:

  • What month were you born?

Answers could vary (January, Jan, 01) and users may not remember when they have to answer.

Better example:

  • What time of the day was your first child born? (hh:mm)
    (this is not a great question because most people won’t know that detail)

Not Case Sensitive

Don’t validate case on the text field. The worst thing is to come up with a great question and then validate case sensitivity. I’ve sat and wondered if I capitalized the name of my elementary school.

With these guidelines, here’s how to make a bad question better.

Bad example:

  • What is your brother’s birthday?

Better example (but not great because not enough possible answers):

  • What is your oldest sibling’s birthday month and year? (e.g., January 1900)

5. Many

A good question will have many possible answers; the more possible answers, the better the security. It’s not just a matter of someone guessing, but also trying to stop the automated attempts. Hundreds of thousands or more options are better than a few hundred.

Bad example:

  • To what country did you travel as a child?
    (There are only a few answers for most people)

Better example:

  • What is the first name of your best friend in high school?

User Written Questions

Some site registration forms let the user write the question and then supply the answer, like this example.

[Image: registration form with a write-your-own-question field]

After looking through this website, it should be clear that there are few if any good security questions and they are not simple to create. Permitting the user to create a good question may increase user frustration and the potential for a security breach. If IT professionals have difficulty writing good questions, how can we expect users to create a good question within moments?

My recommendation: don’t let users write their own questions. You’re the expert, that’s what you’re paid for.

Not For Everyone

No one question works for all people.

To discover which questions have a higher usage rate, get the Full List of questions on the Examples page.

People need enough questions to select those that will work for them. Therefore, it is best to offer 2-3 sets of questions (more if site data is more sensitive) with a variety of questions. I recommend offering THE SAME 15-20 questions in each of three sets as seen below. As the user selects a question in the first set, eliminate that question in the second and third sets. The same action occurs for the second set. You need to eliminate previously selected questions from the subsequent question sets. Here’s a sample design of the user form to set up questions.

Security Questions

Please select three questions and enter an answer for each question. Answers are NOT case sensitive (caps on OR off are OK).

Question 1: (choose from the list)
Answer to Question 1:
Question 2: (choose from the list, minus the question chosen above)
Answer to Question 2:
Question 3: (choose from the list, minus the questions chosen above)
Answer to Question 3:
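The two mechanics discussed above, the case-insensitive and format-tolerant answer matching from section 4 and the three-slot enrollment form in which a question chosen in one slot disappears from the next, as an added example (this is not code from the original page). It assumes answers are stored as salted PBKDF2-HMAC-SHA256 digests rather than plaintext; the iteration count, the sample question list and the sample answers are constructed for the example.

```python
"""Storing and checking security-question answers so that case and
formatting differences do not lock out a legitimate user, and validating
the three-slot enrollment form (one shared list, no question chosen twice).
Added example; not code from the original page."""
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 200_000   # example tuning; align with your password hashing policy
SALT_BYTES = 16
REQUIRED_QUESTIONS = 3

# Constructed sample list standing in for the site's 15-20 offered questions.
OFFERED_QUESTIONS = [
    "What was the make and model of your first car?",
    "What is the first name of your best friend in high school?",
    "What was your favorite sport in high school?",
    "What is your oldest sibling's birthday month and year? (e.g., January 1900)",
]


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer before it is hashed or compared.

    NFKC folds visually identical Unicode forms; casefold() is a stronger
    lower() (it handles e.g. the German sharp s); whitespace is trimmed and
    collapsed; trailing punctuation users often add is dropped. As a result
    "Lincoln Elementary." and "lincoln   ELEMENTARY" verify identically.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = " ".join(text.split())
    return text.strip(" .,!")


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for the normalized answer; the plaintext is never stored."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of a candidate answer against a stored record."""
    _, candidate_digest = hash_answer(candidate, salt)
    return hmac.compare_digest(candidate_digest, digest)


def remaining_choices(offered: List[str], already_chosen: List[str]) -> List[str]:
    """Questions to show in the next slot: the same list minus earlier picks."""
    return [q for q in offered if q not in already_chosen]


def enroll(selections: List[Tuple[str, str]],
           offered: Optional[List[str]] = None) -> Dict[str, Tuple[bytes, bytes]]:
    """Validate the three (question, answer) pairs from the form and return
    the records to persist: question -> (salt, digest)."""
    offered = OFFERED_QUESTIONS if offered is None else offered
    if len(selections) != REQUIRED_QUESTIONS:
        raise ValueError(f"exactly {REQUIRED_QUESTIONS} questions are required")
    chosen = [question for question, _ in selections]
    if len(set(chosen)) != len(chosen):
        raise ValueError("a question may be selected only once")
    for question in chosen:
        if question not in offered:
            raise ValueError(f"question not offered: {question!r}")
    records: Dict[str, Tuple[bytes, bytes]] = {}
    for question, answer in selections:
        if not normalize_answer(answer):
            raise ValueError(f"empty answer for {question!r}")
        records[question] = hash_answer(answer)
    return records


if __name__ == "__main__":
    stored = enroll([
        (OFFERED_QUESTIONS[0], "Ford Maverick"),
        (OFFERED_QUESTIONS[1], "Maria"),
        (OFFERED_QUESTIONS[2], "Soccer"),
    ])
    salt, digest = stored[OFFERED_QUESTIONS[0]]
    print(verify_answer("ford   MAVERICK.", salt, digest))   # True
```

Normalisation happens on both the enrollment and the reset path, so the stored digest is of the canonical form and a later comparison never depends on how the user capitalised or spaced the answer. The salted slow hash matters because the answer space of even a good question is far smaller than a password's, so a leaked table of plaintext or fast-hashed answers would be cheap to attack.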

No Need to Rotate Questions

Someone asked me if it was good to change the questions over time and make users select new questions and answers.

I think it’s unnecessary and perhaps bad practice to force users to change security questions.
  1. There are few good questions and fewer questions that users will even use. Changing questions makes it likely that the site is going to choose fair or poor questions.
  2. I see no problem with different websites using the same questions if only good questions are used that firmly meet two of the five criteria: safe and many. This assumes attackers are not familiar with the legitimate user’s preferences.
  3. In a list of 10 questions, most users will find only 3-5 questions that will work for them. Changing questions may give users fewer good questions to choose from.
  4. The hassle for users outweighs any small benefit that may exist.
  5. Users may perceive that their personal information is being stored, mined, and vulnerable to hackers.

Reset Process

1. Attempts & Time Limits

How many attempts should you offer in the reset process? In the forgot password process, you can offer two attempts in case the user has made an honest mistake in the first attempt. But whether you offer one attempt or two attempts, it’s VERY important that you limit the amount of time available to answer the questions. You don’t want to give an adversary time to research the answers. Here are some options.

a. One Attempt

Once the questions are displayed, start the timer and set the limit to about twice the time it would take a typical user to answer the questions. Example: answering three questions might take 1.5 minutes for the average user. Set the timer to 3 minutes.

If any answer is incorrect or the time limit is reached, lock the account and send the user an email with explanation and instructions.

b. Two Attempts

Once the first set of questions is displayed, start two timers:

  1. One timer for the first attempt
  2. One timer for both attempts

This will stop the adversary from getting too much time on the first attempt and the second attempt. Example for three questions: first attempt time gets 3 minutes. The second timer starts at the same time as the first timer and gets 6 minutes.

If the user fails on the second attempt because of incorrect answers or exceeds the second time limit (6 minutes) on the second attempt, lock the account and send the user an email with explanation and instructions.

c. Three Attempts

Don’t allow three or more attempts.

2. Room for Error

The user has answered three questions during set up. During authentication you present three questions but only require two of three correct answers. For two attempt scenarios, on the second attempt, disable a correct answer so the user cannot change it.

This, of course, weakens the security, but may reduce support calls. You’ll have to decide which is more important: easier for users that make a legitimate mistake or more secure to protect against attacks.
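The two-attempt reset process described in the sections above (a timer for the first attempt and a second timer for both attempts, no third attempt, two of three answers required, correct answers frozen on the second attempt, and lockout with a notification on failure), as an added example that is not code from the original page. The timer lengths follow the three-question example in the text (3 minutes, then 6 minutes in total); the verifier callbacks, the lock-out hook and the sample answers are constructed for the example, and simple_verifier() is a plaintext stand-in for the hash check a real deployment would use.

```python
"""Two-attempt password-reset session: per-attempt and overall timers,
two-of-three correct answers, frozen correct answers on the second attempt,
and account lockout on failure. Added example; not code from the original page."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

FIRST_ATTEMPT_SECONDS = 3 * 60   # about twice the time a typical user needs
TOTAL_SECONDS = 6 * 60           # bounds both attempts together
MAX_ATTEMPTS = 2                 # never allow three or more
REQUIRED_CORRECT = 2             # two of three answers must be right


def simple_verifier(expected: str) -> Callable[[str], bool]:
    """Case- and whitespace-insensitive compare; stand-in for a salted-hash check."""
    def canon(text: str) -> str:
        return " ".join(text.casefold().split())
    return lambda candidate: canon(candidate) == canon(expected)


@dataclass
class ResetSession:
    verifiers: Dict[str, Callable[[str], bool]]   # question -> verify(candidate)
    lock_account: Callable[[str], None]            # hook: lock and email instructions
    clock: Callable[[], float] = time.monotonic    # injectable so tests can fake time
    started_at: Optional[float] = None
    attempts_used: int = 0
    frozen: Dict[str, bool] = field(default_factory=dict)   # answered correctly already
    locked: bool = False

    def __post_init__(self) -> None:
        # Both timers start the moment the questions are displayed.
        if self.started_at is None:
            self.started_at = self.clock()

    def open_questions(self) -> List[str]:
        """Questions still editable on the current attempt (frozen ones are disabled)."""
        return [q for q in self.verifiers if q not in self.frozen]

    def _time_limit_exceeded(self) -> bool:
        # First attempt is bounded by the short timer, the second by the overall one.
        limit = FIRST_ATTEMPT_SECONDS if self.attempts_used == 0 else TOTAL_SECONDS
        return self.clock() - self.started_at > limit

    def submit(self, answers: Dict[str, str]) -> str:
        """Process one attempt; returns 'success', 'retry' or 'locked'."""
        if self.locked:
            return "locked"
        if self._time_limit_exceeded():
            return self._lock("time limit exceeded")
        self.attempts_used += 1
        for question, verify in self.verifiers.items():
            if question in self.frozen:
                continue   # correct on an earlier attempt; input for it is ignored
            if verify(answers.get(question, "")):
                self.frozen[question] = True
        if len(self.frozen) >= REQUIRED_CORRECT:
            return "success"
        if self.attempts_used >= MAX_ATTEMPTS:
            return self._lock("incorrect answers on final attempt")
        # Freezing correct answers shows the submitter which ones were right;
        # that is the usability-for-security trade-off the text describes.
        return "retry"

    def _lock(self, reason: str) -> str:
        self.locked = True
        self.lock_account(reason)
        return "locked"


if __name__ == "__main__":
    # Constructed sample enrollment; a real system verifies against stored hashes.
    stored = {"first_car": "Ford Maverick", "hs_friend": "Maria", "hs_sport": "Soccer"}
    session = ResetSession({q: simple_verifier(a) for q, a in stored.items()},
                           lock_account=lambda reason: print("account locked:", reason))
    print(session.submit({"first_car": "ford maverick", "hs_friend": "Ana", "hs_sport": "Tennis"}))
    print(session.open_questions())
    print(session.submit({"hs_friend": "MARIA", "hs_sport": "Tennis"}))
```

The session object is what the server keeps between the two form submissions; a stateless handler that trusted an elapsed-time value from the client would defeat the point of the timers. The lockout hook is where the account is disabled and the explanation email is sent, and it fires on either path to failure (time or wrong answers), so a locked session cannot be revived by resubmitting.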