SSO Help

Your Source for Help with Single-Sign-On Solutions

Chad Northrup

Challenge Questions for Security/Password Reset

Lately I've been doing a lot of research on figuring out the best security challenge questions for doing password reset via the web, and I stumbled on a great web site today:

http://www.goodsecurityquestions.com

Here are a few of the useful tidbits from the site:

- "A good security question will not work for all people and most good questions still have some flaws. Therefore, it is best to offer 2-3 sets of questions (more if data is more sensitive) with a variety of questions."
- Don't ask too many questions
- Make sure your questions are grammatically correct
- Avoid questions about color (since there's a limited set of colors people will use to answer them)
- Provide guidelines to users on how to best choose their responses

Lots of good stuff on this site, so be sure to check it out if you're doing work in this area.


Replies to This Discussion

Chad--
This is a great link, thanks. A good tip on the site is that questions should not be easily researched. I'm surprised that one of the "Good" suggestions then was, "In what city or town was your first job?" While an answer might be common to a user, selecting something like "Favorite City to Visit" can be a poor choice. You could pull the list of the Top 100 largest cities in the world and iterate through forgotten-password features to attempt that, and you'll likely find one user who selected Paris, Rome, New York City, Boston, etc. And better yet, knowing something about the target, like, say, a consultancy based out of the Boston area, you can be even more specific and list the largest towns in the North East, etc. Definitely something to consider as questions are selected.
- A

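The answer-spraying pattern described in the reply above (one source running a short list of likely answers for the same question across many accounts) is easy to spot on the reset endpoint's own logs. The following is an added example, not code from the site or from either poster; the log format, field names and question id are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of password-reset challenge attempts (not real logs).
# Assumed fields: timestamp, source IP, account, question id, result.
SAMPLE_LOG = """\
2010-05-01T10:00:01 203.0.113.7 alice q_first_job_city FAIL
2010-05-01T10:00:03 203.0.113.7 bob q_first_job_city FAIL
2010-05-01T10:00:05 203.0.113.7 carol q_first_job_city FAIL
2010-05-01T10:00:07 203.0.113.7 dave q_first_job_city FAIL
2010-05-01T10:00:09 203.0.113.7 erin q_first_job_city FAIL
2010-05-01T10:00:11 203.0.113.7 frank q_first_job_city PASS
2010-05-01T11:30:00 198.51.100.9 alice q_first_job_city FAIL
2010-05-01T11:30:40 198.51.100.9 alice q_first_job_city PASS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (PASS|FAIL)$")


def parse_log(text):
    """Parse the assumed log format into (timestamp, src, account, question, result)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            events.append((ts, m.group(2), m.group(3), m.group(4), m.group(5)))
    return events


def find_answer_enumeration(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag (source, question) pairs that hit the same challenge question on many
    distinct accounts within the window. A per-account lockout never triggers on
    this pattern because each account only sees one or two attempts; the signal
    is the breadth across accounts from one source. PASS results are counted too,
    since a successful spray is the event that matters most."""
    by_source = defaultdict(list)
    for ts, src, account, question, _ in events:
        by_source[(src, question)].append((ts, account))
    flagged = []
    for (src, question), attempts in by_source.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            accounts = {a for t, a in attempts[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                flagged.append((src, question, len(accounts)))
                break
    return flagged
```

A legitimate user retrying their own account (the second source in the sample) stays under the threshold, so the rule can feed an alert or a source-level throttle without affecting normal resets.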


© 2010   Created by Core Blox.
