What Is a Security Question?
A security question is a question used to verify a person's identity on a password-protected network or Web site. Users typically choose one out of a number of biographical questions to answer when they create online accounts. Then, if a user forgets the password, he or she will be prompted to answer this security question. If the question is answered correctly, the system will send information on how to reset the password. Security questions may also be used as a secondary form of identity verification after the password is entered, for instance if the user is logging in from an unknown location.
Security questions have gained favor since the early 2000s as a result of what is sometimes called "password chaos." Someone who uses the Internet for work, school, banking, personal communications, etc., may have dozens of different usernames and passwords that he or she may easily confuse. Before the advent of security questions, the user might have to call customer service to have the password reset manually. Sites that allow users to reset their passwords by means of a security question save money for companies and time for the users.
Although security questions are a convenient way of resetting a password, they are generally considered far less secure than the password itself. A common security question, for instance, is "What is your mother's maiden name?" This information, while it might not be widely known, can often be found via a little bit of Internet sleuthing, thus compromising the user's account. Other information that is sometimes used in security questions might include the names of pets, favorite vacation spots, or school information, much of which is routinely posted on social networking sites.
Due to these security risks, both users and network developers must be careful about the security questions they choose as well as how they answer them. A good security question should have many possible answers that a hacker would not likely be able to guess. Users should be careful not to post information related to the security question anywhere on the Internet.
Developers should also phrase questions in such a way that there is only one possible way to write the answer. For example, the answer to the question, "What is your mother's date of birth?" could be written "1 July 1948," "July 1, 1948," "7/1/1948," or any number of other ways. A user who forgot his or her password is not likely to remember in which way he or she wrote the answer, making this a poorly written security question. A better question would be, "What is the month and year of your mother's birth (e.g. July 1948)?"
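One way a developer could enforce the single-format rule above for the month-and-year question, shown as an added Python example that is not part of the original article: the answer is reduced to one canonical form at enrollment and again at reset time, and only a salted hash of that form is stored. The function names, the accepted input spellings and the PBKDF2 work factor are assumptions made for illustration.

```python
# Added example: names and accepted formats are assumptions, not from the article.
import hashlib
import hmac
import os
import re
import unicodedata

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for your hardware


def canonical_month_year(raw: str) -> str:
    """Map 'July 1948', 'jul. 1948', '7/1948' or '07-1948' to '1948-07'."""
    text = unicodedata.normalize("NFKC", raw).strip().lower()
    named = re.fullmatch(r"([a-z]{3,9})\.?,?\s+(\d{4})", text)
    numeric = re.fullmatch(r"(\d{1,2})\s*[/-]\s*(\d{4})", text)
    if named:
        hits = [i for i, m in enumerate(MONTHS, 1) if m.startswith(named.group(1))]
        if len(hits) != 1:
            raise ValueError("unrecognised month name")
        month, year = hits[0], int(named.group(2))
    elif numeric:
        month, year = int(numeric.group(1)), int(numeric.group(2))
    else:
        # A full date such as '1 July 1948' is rejected rather than guessed at.
        raise ValueError("expected a month and year, e.g. July 1948")
    if not 1 <= month <= 12:
        raise ValueError("month out of range")
    return f"{year:04d}-{month:02d}"


def enroll(raw_answer: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) to store; the answer itself is never stored."""
    salt = os.urandom(16)
    canon = canonical_month_year(raw_answer).encode()
    return salt, hashlib.pbkdf2_hmac("sha256", canon, salt, PBKDF2_ROUNDS)


def verify(raw_answer: str, salt: bytes, digest: bytes) -> bool:
    """Check a reset-time answer against the stored record."""
    try:
        canon = canonical_month_year(raw_answer).encode()
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", canon, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)
```

Because a month and year has few possible values, a deployment would also limit the number of answer attempts per account.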
@pastanaga - I'm a bit paranoid about security in general, so I'm not a big fan of easy security questions either. I try to make my passwords difficult, usually by mashing several words together and using a mix of capitals and numbers.
It annoys me that access to an account could then depend on someone knowing the year I was born. But I think that kind of question is becoming less and less common.
@browncoat - I don't mind the security questions. In fact, I kind of like the fact that they are a bit obvious with my less important accounts, because if I pass away or something, I'd like my family to be able to get access to them if they need to.
I've noticed that most of my really secure accounts, like banking or good email, have more layers of security than just a few simple questions, or may even allow you to make up your own security questions.
One of my banks even sent me a little gadget to produce random numbers as access codes rather than using a password at all. Which can be annoying, but at least I know it's secure.
I really think security questions are pointless most of the time. They are almost always something that would be easy for anyone to find out, like your father's middle name, or the city you were born in. These are facts that can be researched with ease online, or will be known to anyone close to the person.
I tend to use my security questions as an additional password, by making something up rather than using the truth.