Thus, security questions have both benefits and liabilities. Poor questions create security breaches and confusion, and cost money in support calls. Good security questions can be useful in the current environment, but they are not common. So what is a good security question? Here's their definition:
However, there really are NO GOOD security questions; only fair or bad questions. "Good" gives the impression that these questions are acceptable and protect the user. The reality is, security questions present an opportunity for breach, and even the best security questions are not good enough to screen out all attacks. There is a trade-off: self-service vs. security risks.
Good security questions have four common characteristics. The answer to a good security question:

- cannot be easily guessed or researched (safe),
- doesn't change over time (stable),
- is memorable,
- is definitive or simple.

An example of a good versus a not-so-good question would be "What was the name of the school you attended for Grade 6?" versus "What was your high school name?" In this case, it's a bit harder to research what school you attended in Grade 6, whereas your high school can easily be found on Facebook, Classmates.com or a number of other places.
This is an informative website that can help you determine which self-service password reset questions are best for your organization. If you have implemented, or are planning to implement, a self-service password reset product, I strongly recommend spending some time on the Good Security Questions website. It's well worth it.