There are a lot of factors that go into choosing a good security question. Contrary to what their name suggests, they don’t always keep you secure. A Google report showed that there is a 19.7% chance that an attacker could guess an English speaker’s favorite food. People born in South Korea have their birthplace guessed 39% of the time within ten guesses.
The availability of information online has made answers easier than ever to guess. People share personal data on social media, where everything they say and do may be viewable. With data breaches involving popular websites like Yahoo, Twitter, LinkedIn, and Facebook, even private data may get leaked.
Table of Contents
What Is a Security Question?
A security question acts as verification to help confirm the user’s identity. You’re asked to pick from a list of questions or write your own, and then create an answer for it. When later asked these security questions, you’re required to write in the same answer you gave before.
What Makes a Security Question Good?
There are five criteria that make a security question good:
- Confidential: Something that can’t be easily guessed or researched.
- Memorable: Easy to remember no matter how much time has passed.
- Consistent: An answer that can’t change over time.
- Simple: Short, clear, and easy to answer.
- Multiple: A question that can have many answers.
How Do You Choose a Security Question?
To choose a security question, you need to pick ones that rate high in all five criteria. That means it should be confidential, memorable, consistent, simple, and have multiple answers. The individual also influences these. A question that might rate well for one person may be poor for another.
For example, some people use this as a security question: in what city was your first job? If a person has lived their entire life in one or two cities, it would be easy to guess the location since it’s unlikely their first job was anywhere else. However, someone who’s spent their whole life moving between cities or countries would make it more difficult to guess. Because of personal factors, the strength of a question may depend on the answer.
What Are Some Examples of a Good Security Question?
Here are a few examples of good security questions. They rate well in all five criteria.
- What is your library card number?
- What college did you apply to, but didn’t attend?
- In what city did your parents meet?
- What was the first concert you attended?
- What was your childhood best friend’s nickname?
What Are Some Examples of a Bad Security Question?
Here are a few examples of good security questions. They rate well in all five criteria.
- What was your favorite food as a child?
- Where did you go to elementary school?
- What city were you born in?
- What was your favorite sport in high school?
- What is the name of your oldest sibling?
Do Security Questions Keep You Safe?
Because of the ease of finding personal information, security questions aren’t enough to keep you safe. When combined with other factors, such as time-limited passcodes, it can still act as an extra layer of protection.
Closing
When setting a security question, it can be tempting to choose easy-to-answer ones for your own convenience. Yet, what’s simple for you may also be quick for others to guess. A 2009 study by Microsoft showed that acquaintances could guess 17% of answers. That number is likely much higher now. With the increase in social media usage over the past decade, people can both share and view an alarming amount of information about each other.
Security questions act as only one factor of Multi-Factor Authentication. It’s still important to have a strong password. IT experts also recommend having at least one possession factor, such as receiving a time-limited passcode on your phone. Services like ITonDemand can help you set these up. Every factor is vital to the user’s safety, which is why it’s important to choose good security questions.