May 5th, 2011

Best Practices for Password Reminders and Security Questions

Many companies, LuxSci included, recommend or require that users have one or more “Security Questions” and corresponding answers associated with their accounts.  These questions are commonly used to:

  • Verify a user’s identity if the user has forgotten his/her password, or
  • Provide a second factor for logging into the service above and beyond the username and password

Because these questions are used to provide access to the service and identity verification, it is very important that questions and answers be well chosen.

For example, if your question is “what color is the sky” and the answer is “blue”, then you effectively have no question.  If someone posing as you claims to have forgotten your password and can answer this question, then this person may gain access to your account.  Choosing a poor question, or one where the answer is easily guessed or known, is in many cases tantamount to indicating that you don’t care who gains access to your account.

What makes a good security question?

Good security questions are ones that meet the following criteria:

  1. There are 100s or 1000s of possible answers
  2. The actual answer is not generic and easily guessed
  3. The answer is unique to you
  4. The answer does not change over time
  5. The answer is not likely to be found posted on public web sites like Facebook or in places where you may have answered interesting “fun questions about yourself” surveys.

Here are some example questions:

“What is my mother’s maiden name?”

Bad. This question has been used so much that the information is “out there” in many databases.  It is also not very hard for someone to look up.

“What are the last 4 digits of your driver’s license?”

Fair.  This may change if you move or the license is reissued.  It is not “unchanging”.  It may also be available in some public databases.

“Who was the person you first kissed?”

This sounds like a good question, but it is commonly asked in “fun facts” surveys in social web sites and other places.  A better question would be “who was the second person you kissed” … as that is much less likely to have been discussed.

Remember the answers to your questions!

We all have to provide answers to security questions all the time.  If you can select a good question from a list or provide your own good question, there will generally be no problem with remembering what the answer is later.

However, if you visit a site that gives you a canned set of questions with no option to choose your own, you may be forced to answer a bad question … either with a correct answer that might not be memorable to you, or with a made up answer that no one would guess — which also may not be memorable to you.

In these cases, you need to keep track of the questions and answers someplace secure, just like you would keep track of your usernames and passwords.  See Protect Your Passwords from Theft for issues with storing this sensitive information and suggestions for keeping it safe and secure.

Security Questions are not Generally Private!

Unlike passwords, which many companies take care to encrypt or hash or keep out of the hands of hackers and employees (though many companies still don’t), security questions and answers are generally treated like contact information — visible to sales and support staff, visible to hackers who steal user databases, etc.

This means that when you choose your security questions and answers, you should do so assuming that, at a minimum, some people will see this information.  That is, you may not want to use embarrassing or sensitive information.
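The two points above (answers should be non-generic per the criteria list, and answers are typically stored in the clear like contact information) suggest how a service can handle answers on its side: normalize them, reject trivially guessable ones, and store only a salted slow hash, as it would for a password. The following is an added example written for this post; it is not LuxSci code, and the generic-answer blocklist and the 200,000 PBKDF2 iterations are illustrative assumptions.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Constructed blocklist of generic or trivially guessed answers (assumption;
# a real deployment would use a much larger list).
GENERIC_ANSWERS = {"blue", "password", "none", "n/a", "unknown", "123456"}


def normalize_answer(answer: str) -> str:
    """Fold case, strip accents and punctuation, and collapse whitespace so
    that 'Mary-Ann  SMITH' and 'maryann smith' verify as the same answer."""
    text = unicodedata.normalize("NFKD", answer).casefold()
    text = "".join(ch for ch in text if ch.isalnum() or ch.isspace())
    return " ".join(text.split())


def answer_is_acceptable(answer: str) -> bool:
    """Apply the 'not generic, not easily guessed' criterion: reject answers
    that are very short or on the blocklist after normalization."""
    norm = normalize_answer(answer)
    return len(norm) >= 4 and norm not in GENERIC_ANSWERS


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for the normalized answer using a per-user random
    salt and PBKDF2-HMAC-SHA256, so a stolen user table exposes only hashes."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, 200_000
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_answer(candidate, salt)
    return hmac.compare_digest(digest, stored)
```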

Enhance Your Security Further

Beyond choosing very good security questions, you can enhance the security of your account by using two factor authentication when it is available, or very strong OpenIDs (i.e. LuxSci allows you to disable password access to your account when OpenID access is enabled).

At LuxSci:

  • We require all users who login to WebMail to set a security question and answer.
  • We provide a list of suggested questions that are all “good”, based on the above criteria.
  • We use these questions and answers for identity verification in case passwords are lost or forgotten; however, all identity verification is performed manually by trained Support staff.  They will refuse to use poor questions as a basis for identity verification, for the protection of our customers.  They also use other factors for verifying identity and avoiding social engineering attacks on user logins.

One Response to “Best Practices for Password Reminders and Security Questions”

  1. jeff_tyrrill Says:

    > “What are the last 4 digits of your driver’s license”
    > Fair. This may change if you move or the license is reissued.
    > It is not “unchanging”. It may also be available in some public
    > databases.

    Careful… it may even be entirely deterministically generated, and thus accessible to anyone. For example, Washington’s is based solely on name, birthdate, and a single flag that can go one way or the other. Many states are like this:
