Choosing Good Security Questions
February 10th, 2010 Ryan Jones
I wrote the following post over a year ago for identity.net – but since that blog no longer exists, I want to re-post it here.
One of the most common ways to “hack” into somebody’s account actually doesn’t involve hacking at all. The easiest method is simply to learn some information about them and then use the “forgot username” and “forgot password” features that many sites now offer.
Implemented wrongly, these features can be a very big security liability. The right way to do it is to ask the question and then send an email with password reset instructions (a link or token, but not the actual password). The wrong way is to validate the user and then simply tell them their password, which also means the site has been storing passwords in a form it can read back. Either way, the answer to the question should be treated like a second password: stored hashed, compared carefully, and rate-limited against guessing.
Why? Because most stock security questions ask for common, easily discovered facts, so if I know a little bit about you, I can easily answer them.
What makes a good security question? It’s not just about scarce information; it’s about non-public information.
Some of the most common questions are “What is your high school mascot?”, “What city were you born in?”, “What’s your favorite pet’s name?”, “What was your first street name?”, “What was your first phone number?” and “What is your company’s street name?”
The problem with these questions is that they’re all easily answered on my Facebook page. Birth information is public record – it can easily be looked up. So can my previous addresses, phone number, and where I work. It’s all out there somewhere on the internet.
Better questions are things like “What is your frequent flyer number?” or “What are the last 4 digits of your credit card number?” But even these fail. Many people other than me know my frequent flyer number, including my secretary, airline staff, and TSA employees. The last 4 digits of your credit card won’t work either, since many sites and receipts print them as a way to identify transactions.
So what do you do? Simple: Let the user choose their own question.
A good question should be something that can’t be guessed or looked up, doesn’t change over time, and is easily memorable.
As a user, you should choose something that nobody can easily figure out. My favorite question is “What is your favorite prime number?” Another great one I use is something like “Last 3 words on page 15.” It’s useless to you unless you know what book I’m talking about. You could even use a Bible here, since there are so many versions in print that it’s almost impossible somebody else will have the same one as you. Another one I once used was “What’s my cell phone serial number?” It’s clearly printed on the back of my phone, and always in my pocket if I should need it. (Just remember to update your question if you get a new cell phone, and keep in mind that anyone who handles your phone can read that number too.)
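The reset flow described above (ask the question, then e-mail reset instructions but never the password) combined with a user-chosen question, as an added example that is not code from the original post. Everything here is an assumption made for illustration: the ResetService class, the record layout, the constructed sample account and its question, and the example.com reset URL. The answer is stored the way a password should be (salted and stretched with PBKDF2, compared in constant time), and the e-mailed token is random, single-use and short-lived.

```python
"""Password-reset flow: check a user-chosen security question, then e-mail a
one-time reset token, never the password.  Added example, not the post's code;
class names, record layout and the sample account are assumptions."""
import hashlib
import hmac
import secrets
import time
import unicodedata

TOKEN_TTL_SECONDS = 15 * 60   # reset links expire after 15 minutes
PBKDF2_ROUNDS = 100_000


def normalize_answer(answer: str) -> str:
    """Fold case and whitespace so 'New  York' and 'new york' match.
    Digits and punctuation are kept: '2, 3, 5' is a legitimate answer."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Answers are low-entropy secrets, so store them like passwords:
    salted and stretched, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(email: str, password: str, question: str, answer: str) -> dict:
    """Account record.  The question text is the user's own choice; only the
    hash of the normalized answer is kept (constructed layout)."""
    password_salt, answer_salt = secrets.token_bytes(16), secrets.token_bytes(16)
    return {
        "email": email,
        "password_salt": password_salt,
        "password_hash": hash_secret(password, password_salt),
        "question": question,
        "answer_salt": answer_salt,
        "answer_hash": hash_secret(normalize_answer(answer), answer_salt),
    }


class ResetService:
    def __init__(self, users: dict, clock=time.time):
        self.users = users      # username -> record from make_user()
        self.clock = clock      # injectable so expiry can be tested
        self.tokens = {}        # token -> (username, expiry timestamp)
        self.outbox = []        # stands in for the mail transport

    def begin_reset(self, username: str, answer: str) -> bool:
        """The right way: verify the answer, then mail a short-lived token.
        The wrong way would be to return the stored password here."""
        user = self.users.get(username)
        if user is None:
            # Do the same amount of work as a real check so response time
            # does not reveal whether the account exists.
            hash_secret(normalize_answer(answer), b"\x00" * 16)
            return False
        given = hash_secret(normalize_answer(answer), user["answer_salt"])
        if not hmac.compare_digest(given, user["answer_hash"]):
            return False
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, self.clock() + TOKEN_TTL_SECONDS)
        self.outbox.append({
            "to": user["email"],
            "body": "Reset your password within 15 minutes: "
                    f"https://example.com/reset?token={token}",
        })
        return True

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume the token (single use), reject it if expired, set new password."""
        entry = self.tokens.pop(token, None)
        if entry is None:
            return False
        username, expiry = entry
        if self.clock() > expiry:
            return False
        user = self.users[username]
        user["password_salt"] = secrets.token_bytes(16)
        user["password_hash"] = hash_secret(new_password, user["password_salt"])
        return True

    def check_password(self, username: str, password: str) -> bool:
        user = self.users[username]
        return hmac.compare_digest(hash_secret(password, user["password_salt"]),
                                   user["password_hash"])


def demo_service(clock=time.time) -> ResetService:
    """Constructed sample account with a user-chosen question (not real data)."""
    users = {"ryan": make_user("ryan@example.com", "old-passw0rd",
                               "Last 3 words on page 15", "of the river")}
    return ResetService(users, clock)


if __name__ == "__main__":
    svc = demo_service()
    print(svc.begin_reset("ryan", "wrong answer"))    # False, nothing mailed
    print(svc.begin_reset("ryan", "OF THE  RIVER"))   # True, token mailed
    print(svc.outbox[-1]["body"])                     # contains a token, not a password
```

Note that the mail body never contains the password, a wrong answer and an unknown username produce the same response, and a token stops working after first use or after the TTL, so an attacker who guesses the answer still needs access to the victim's mailbox.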
Whether you’re implementing this feature on a website, or simply choosing your own security question – don’t pick something that others can easily guess or look up about you.