Thursday, July 22, 2010

What are good security questions for resetting your password?

I picked up on this website from commentary on another blog and thought I would pass it on. I have had customers ask me this same question on numerous occasions when they are employing some sort of a self-service password reset product like Quest Password Manager, for example. The site is appropriately named: Good Security Questions. I like their approach to the problem of what a good security question is:
Thus, security questions have both benefits and liabilities. Poor questions create security breaches and confusion and cost money in support calls. Good security questions can be useful in the current environment, but are not common.
However, there really are NO GOOD security questions; only fair or bad questions. "Good" gives the impression that these questions are acceptable and protect the user. The reality is, security questions present an opportunity for breach and even the best security questions are not good enough to screen out all attacks. There is a trade-off; self-service vs. security risks.
So what is a good security question? Here’s their definition:
Good security questions have four common characteristics. The answer to a good security question:
  1. cannot be easily guessed or researched (safe),
  2. doesn't change over time (stable),
  3. is memorable,
  4. is definitive or simple.
An example of a good versus a not so good question would be “What was the name of the school you attended for Grade 6” versus “What was your high school name.” In this case, it’s a bit harder to research what school you attended in Grade 6 versus your high school which can easily be found on Facebook, Classmates.com or a number of other places.

This is an informative web site that can help you to determine what self-service password reset questions are the best for your organization. If you have or are planning on implementing a self-service password reset product I strongly recommend spending some time on the Good Security Questions website. It’s well worth it.

4 comments:

Dave Kearns said...

Actually, Jackson, the secret to security for "secret security" questions is to lie. That is, don't give the real answer (which can be found thru research, as you note) but something totally different. e.g., if the question is "What city were you born in?" Answer: blue. or "What's your favorite color?" Answer: Boston.

:)

Jackson Shaw said...

Dave - You never cease to amaze me with your wisdom! Great idea.

Alek Davis said...

This is a great idea except when it comes to sites which ask you several questions (often in random order). Any suggestions how to handle these cases?

Neil said...

A novel approach, Dave, but I'm not sure it adheres to points 3 or 4 in the blog [memorable and simple].

If I were to ask you 10 security questions, I doubt that [if you responded as u suggest] you could recall all the correct answers one month later :)